How to use Indy 10 to POST to a web app with IIS Windows Authentication?

Hello

I´m having a hard time to POST a form to a web application that is configured in IIS to use Windows Authentication. The component is *TIdHTTP*.

The client application is running under an already authenticated account. When I try to POST using a web browser (Chrome in my tests) it all works, but when I run my application (written with Delphi XE and Indy 10) I allways receive the standard page from IIS, stating I´m not authorized to access that URL.

I already provided my user credentials (user name and domain password) in the *TIdHTTP.OnAuthentication* event, but it seems to have no effect.

Thanks in advance.

Alex
0
Utf
6/5/2013 11:10:27 AM
embarcadero.delphi.tools 5366 articles. 2 followers. Follow

7 Replies
1461 Views

Similar Articles

[PageSpeed] 14

Am 05.06.2013 13:10, MPS Informática wrote:
 > I already provided my user credentials (user name and domain 
password) in the *TIdHTTP.OnAuthentication* event, but it seems to have 
no effect.

Try inspecting the HTTP response to find out which auth methods (Basic, 
NTLM, Digest, Kerberos) are supported.

For Basic, simply use

       IdHTTP.Request.BasicAuthentication := True;
       IdHTTP.Request.Username := 'user';
       IdHTTP.Request.Password := 'pass';

Hope this helps
-- 
Michael Justin
0
Michael
6/5/2013 1:48:40 PM
MPS wrote:

> I´m having a hard time to POST a form to a web application that is
> configured in IIS to use Windows Authentication. The component is
> *TIdHTTP*.

Add the IdAuthenticationNTLM or IdAuthenticationSSPI unit to your uses clause, 
if you have not already done so.  Those activate Indy's NTLM/SSPI support 
for TIdHTTP.

> The client application is running under an already authenticated
> account.

Irrelevant, since apps do not share HTTP credentials with each other.  TIdHTTP 
uses its own socket connection, so it has to authenticate itself with the 
server.

> I already provided my user credentials (user name and domain password)
> in the *TIdHTTP.OnAuthentication* event, but it seems to have no
> effect.

Set the TIdHTTP.Request.Username and TIdHTTP.Request.Password properties. 
 TIdHTTP will attempt them first, and then if the server keeps asking for 
credentials, the OnSelectAuthorization and OnAuthorization events will be 
fired so you can update the values as needed.

--
Remy Lebeau (TeamB)
0
Remy
6/5/2013 4:08:29 PM
Thank you for your help, I believe we are getting close to make it work. My experients are as follows:

> Add the IdAuthenticationNTLM or IdAuthenticationSSPI unit to your uses clause, 
> if you have not already done so.  Those activate Indy's NTLM/SSPI support 
> for TIdHTTP.

Done!

> Set the TIdHTTP.Request.Username and TIdHTTP.Request.Password properties. 
>  TIdHTTP will attempt them first, and then if the server keeps asking for 
> credentials, the OnSelectAuthorization and OnAuthorization events will be 
> fired so you can update the values as needed.

Done, however, only the *OnSelectAuthorization* was fired. In this event I provided the class *TIdSSPINTLMAuthentication*, because I inspected the reponse 

headers and found this:

{code}
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic
realm="mps.interno"
X-Powered-By: ASP.NET
Date: Wed, 05 Jun 2013 18:35:45 GMT
{code}

So, it seemed to me that the correct class should be that one.

The *OnAuthorization* event was never fired what was a bit surprising to me. I decided to remove the Username and Password in the *Request* property, but it 

seemed to be with no effect.

The *TIdHTTP* component is configured as follows:

{code}
  object IdHTTP: TIdHTTP
    AllowCookies = True
    HandleRedirects = True
    ProxyParams.BasicAuthentication = False
    ProxyParams.ProxyPort = 0
    Request.ContentLength = -1
    Request.ContentRangeEnd = -1
    Request.ContentRangeStart = -1
    Request.ContentRangeInstanceLength = -1
    Request.Accept = 'text/html, */*'
    Request.BasicAuthentication = False
    Request.UserAgent = 'Mozilla/3.0 (compatible; Indy Library)'
    Request.Ranges.Units = 'bytes'
    Request.Ranges = <>
    HTTPOptions = [hoForceEncodeParams]
    OnSelectAuthorization = IdHTTPSelectAuthorization
    OnAuthorization = IdHTTPAuthorization
    CookieManager = IdCookieManager
    Left = 416
    Top = 8
  end
{code}

The HTTP status code returned is 401.2. The content returned by the web server was:

{code}
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
  BODY { font: 8pt/12pt verdana }
  H1 { font: 13pt/15pt verdana }
  H2 { font: 8pt/12pt verdana }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>You are not authorized to view this page</h1>
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header 

field that the Web server is not configured to accept.
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li>
<li>Click the <a href="javascript:location.reload()">Refresh</a> button to try again with different credentials.</li>
</ul>
<h2>HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and 

<b>401</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
 and search for topics titled <b>About Security</b>, <b>Authentication</b>, and <b>About Custom Error Messages</b>.</li>
</ul>
</TD></TR></TABLE></BODY></HTML>
{code}


Thanks in advance
0
Utf
6/5/2013 7:03:59 PM
Hello

I activated Basic Authentication in TIdHTTP and reconfigured some properties and it seems the authentication problem is solved. However, I now have the following exception when I call Post:

{code}
---------------------------
Debugger Exception Notification
---------------------------
Project TesteMumpsWeb.exe raised exception class EIdIOHandlerPropInvalid with message 'IOHandler value is not valid'.
---------------------------
Break   Continue   Help   
---------------------------
{code}

Any ideas what it means?

Thanks in advance.

Alex
0
Utf
6/5/2013 7:30:50 PM
MPS wrote:

> I activated Basic Authentication

Setting BasicAuthentication=true simply allows TIdHTTP to attempt "BASIC" 
authentication if no other authentications are enabled. But the server has 
to support "BASIC" in order for that to work.  The OnSelectAuthorization 
event provides a list of the authentications that the server actually supports 
for any given request.

> However, I now have the following exception when I call Post:

You are posting to an HTTPS url, but you did not first assign an SSL IOHandler, 
such as TIdSSLIOHandlerSocketOpenSSL, to the TIdHTTP.IOHandler property.

--
Remy Lebeau (TeamB)
0
Remy
6/5/2013 7:44:02 PM
MPS wrote:

> Done, however, only the *OnSelectAuthorization* was fired.
<snip>
> The *OnAuthorization* event was never fired what was a bit
> surprising to me. 

When the OnSelectAuthorization event is fired, its AuthenticationClass parameter 
is pre-initialized with TIdHTTP's first choice class type, based on the entries 
in the provided AuthInfo parameter and the list of enabled TIdAuthentication 
classes.  You can overwrite the AuthenticationClass parameter with a different 
value, but it must be a class that supports one of the values in the AuthInfo 
parameter.  So in your case, either TIdSSPINTLMAuthentication ("Negotiate"), 
TIdNTLMAuthentication ("NTLM"), or TIdBasicAuthentication ("Basic").

The only way the OnAuthorization event would not be triggered afterwards 
is if the specified AuthenticationClass failed to initialize itself.

> So, it seemed to me that the correct class should be that one.

It is one of several classes you can pick from in this situation.  Each "WWW-Authenticate" 
header indicates a different authentication that the server will accept.

> I decided to remove the Username and Password in the *Request* property

Why?  You should be assigning them if you have user/pass values to use.

> The HTTP status code returned is 401.2.

HTTP status codes are not allowed to use decimal values, per RFC 2616 Section 
6.1.1, and TIdHTTP does not support them anyway.  Decimals are an IIS-specific 
extension for use with .NET (see the ASP.NET HttpResponse.SubStatusCode property), 
but Microsoft's own documentation states (emphasis added): "When you set 
the SubStatusCode property, the status is logged on IIS 7.0 if failed-request 
tracing is configured. Independent of whether tracing is configured, **the 
code is never sent as part of the final response to the request.**".  If 
you are actually seeing a decimal status code arrive in TIdHTTP, then the 
IIS server is broken, and that will cause problems since TIdHTTP would not 
be able to extract the status code from the responses correctly.

--
Remy Lebeau (TeamB)
0
Remy
6/5/2013 8:12:27 PM
It seems my problem now is related to the particular process I´m dealing with, so I believe the question is answered. Thank you very much!

Alex
0
Utf
6/5/2013 8:36:09 PM
Reply:

Similar Artilces:

An operations error occurred when using windows authentication in my web app against AD.
HI, I really need someones help here. I have a web app with Anonumous enabled and a domain user that runson behalf of the application against Active Directory and sql server. Now i have to change that to Windows Authentication. so what iv done is:1. I have eneabled windows authentication, 2. using <identity impersonate="true"/> 3. using <authentication mode="Windows">4. using <deny users="?"/> and <allow users="*"/> If i run the published web app on my dev pc logged in as "vader" evrything is ok.But when i go ...

Delphi 6 BDE/Indy 10 app crashes in Windows 2008?
I've got a user that reports my Delphi 6 BDE/Indy 10 app that crashes immediately after it is launched when being run on Windows 2008. I'm very puzzled as to why it happened as i had ported the application to work on Vista SP1 a few months ago (by creating the manifest) and thought that Vista and Windows 2008 are similar. As i do not have Windows 2008, I'm still trying to find more info from my user (from another country). Has anyone experience problems with Windows 2008? Thanks. :) <joshua lim> wrote in message news:94464@forums.codegear.com... > I've got ...

Is it possible to use Windows authentication for users hitting the web app from the internet?
We are developing a web app that is for company personnel only. Most users will access the app from within the organizations LAN but some users must use the internet to gain access. I have configured the app for windows authentication and everthing works fine when accessing the app when it resides on a test server which is co-located with the SQL server it is accessing. When I publish to the production server I get 403 errors when hitting a page that tries to access SQL server. I can retrieve active directory information just can't access the SQL server. I am using an admin account so pe...

Basic Authentication for a web service in an app that uses custom authentication
I've got a web application that uses a customized version of Forms authentication.  However, as part of that web app, I have a web service that I want clients to be able to consume, and I'd like that web service to use Basic authentication.  To complicate matters, I'd like the service to be usable anonymously (without any authentication), and make the "basic" authentication "optional" (wherein the web service would check for the existence of the authentication information and return modified results acordingly.)Ideally, I'd like it to be just thi...

How to convert app from Indy 9 to Indy 10 using Delphi7
I have a small app I have been using a lot, which is a mailchecker where I have used Indy components to handle the POP3 access to mailservers. It was last built in 2004. Now I need to add the possibility to change the POP port for certain non-standard servers. So I opened the project in Delphi7 and immediately received component exceptions.... After ignoring these and changing my package load info for the project to use the Indy that was delivered with Delphi7 I thought all was well since the app now built without errors, but at runtime it caused an exception inside the Forms unit! ...

How to use a web user control from one web app in another web app?
I have a production web app project (at work) that has custom web user controls in it.I have another web app project for experimenting and I want to use some web controls from the production web app. The big trick is that I need to load the controls dynamically.LoadControl() doesn't seem to work - it complains about loading controls from a different application. I also tried adding a project reference to the production web app and using "UC1 newUC = new UC1();" and then "this.Controls.Add(newUC);", but the controls (like TextBoxes) on the web user control don't seem to exist on the new UC1s....

Converting Delphi 2007 Indy 10.2.3 to Delphi 2009 Indy 10.5.5 [Edit]
Hello, I am currently attempting to port over a Delphi 2007 project that uses Indy 10.2.3 (very successfully) to Delphi 2009 and Indy 10.5.5 (I just got the latest development build this morning). I think I am running into an encoding issue, but am not sure. Specifically, IDHTTP with SSL calls an old CGI and the CGI returns a .zip file and I then save it to the disk. In 2007 and before this worked perfectly. In 2009, it is not. Here is the examples of the 2 different results (though cut way short in the post) I am getting back: 2007: 'PK'#3#4#$14#0#0#0#8#0'rLQ9žrPb€'#0...

Using same assemblies by ASP.NET Web site, Windows App and Windows Service
Hi! Is it possible to change the location of the BIN folder and use another one located outside the web site's root (without registering modules in the gac)? The situation is the following: My overall project includes both ASP.NET web site, Windows Service and Windows Application which use common assemblies I created. I would like all my assemblies to exist only once for the overall project I would like to be able to have multiple copies of the overall project of the same or different version on the same machine. Of course, I would like like my Windows Service and Window...

How to setup Windows authentication mode for a web application deployed using a web setup project ?
 Hi,I would like to know if it is possible to set up the authentication mode to "Windows Authentication" for a web application deployed on IIS using a web setup project from Visual Studio 2005 and also how to do that. I know that after deploying the web application using the MSI file I can manually edit the security settings from the IIS and set the authentication mode to "Integrate Windows authentication", but I would like to do this at deploy time. Since I was not able to do that, I tried an open-source project, Windows Installer XML v3.0 - this project ev...

using integrated windows..invoking a webmethod using the app pool credentials NOT the authenticated users credentials.
I have a dillema and I am unsure how to accomplish what I am needing.  I have successfully configured a web service running under a specific user account to use windows integrated authentication.   The keys to accomplishing this lie in three steps.. 1. creating the app pool account and getting it registered in iis with the iis_wpg group.. http://msdn.microsoft.com/en-us/library/ms998297.aspx   2. Setting the authentication to use NTLM instead of kerboros (otherwise it wont allow integrated windows authentication) http://support.microsoft.com/kb/871179   and Fina...

can we have authentication mode="Forms" in the web.config file and have Integrated Windows Authentication in the IIS?
 Hello,This might be a strange question but can we have authentication mode="Forms" in the web.config file and have Integrated Windows Authentication in the IIS? Do people do that ? Is it common to do that? and in what cases.As normally if we have  authentication mode="Forms" in the web.config file then we keep Anonymous Access in the IIS.Thanks if you can explain this....  Windows authentication and forms authentication are completely different authentication mechanisms. For the forms authentication, the user credentials are accepted from the u...

Determining if an app is a web app or a windows app
Hi all,  I'm writing a generic utilites class and one of the methods needs to get the physical path of the application. I know Server.MapPath("~") gets the server path of the app for windows and also that Application.ExecutablePath gets the path for windows app. Now how would i determine which app is a windows app or a web app?   Thanks in advance. add a reference to system.web and then do the following  if (System.Web.HttpContext.Current == null)            {       &...

migrating from Delphi 6 With Indy 10 to XE7 with Indy 10
I updated the original Indy in D6 to version 10 several years ago. Now I want to migrate my application from D6 to XE7 and would like some feedback on the best route to take. I usually send data using readln and writeln statements. The data is typically XML format. Since migrating to XE7 will include potential unicode data what is the best approach to take when reading and writing data? Will writeln and readln work in these cases or should I be using a different strategy to send unicode data between the tidtcpclient and tidtcpserver applications? al wrote: > I usually send data ...

sql server windows authentication
Dear all I have one webservices called ws1 that have a connection to sql server using integrated windows authentication and it work fine (in IIS, I uncheck anonymous user, and using windows auth (basic auth)) and then I create a aspx web application than have web reference (ws1) but my web page is error if call the web services : System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Login failed for user 'EIFFEL\Guest'. at eiffel is my database server can anybody help me please ??? thanks ...

Web resources about - How to use Indy 10 to POST to a web app with IIS Windows Authentication? - embarcadero.delphi.tools

Authentication - Wikipedia, the free encyclopedia
Authentication (from Greek : αὐθεντικός authentikos , "real, genuine," from αὐθέντης authentes , "author") is the act of confirming the truth ...

New Tools to Optimize App Authentication
At f8, we announced a redesigned Auth Dialog and a new authentication flow to give developers more control over people’s first experience with ...

Facebook Tells Some Developers They Have 48 Hours to Fix Authentication Data Leaks
... sent an email to what it calls a “very small percentage of the developer community” informing them their apps are suspected of leaking authentication ...

Lockdown - A better two-factor authentication experience on the App Store on iTunes
Get Lockdown - A better two-factor authentication experience on the App Store. See screenshots and ratings, and read customer reviews.


Sony Authentication Power Outlet Recognizes Users and Devices #DigInfo - YouTube
Sony Authentication Power Outlet Recognizes Users and Devices DigInfo TV - http://diginfo.tv 9/3/2012 NFC & Smart WORLD 2012 Sony Authentication ...

SafeNet brings Cloud-based authentication service to A/NZ
SafeNet has released its new Cloud-based authentication service, billed as Authentication-as-a-Service, in A/NZ.

Two-factor authentication - cyber security -
Two recent hacking cases highlight how personal emails can impact overall business security through tiny weaknesses.

Digital authentication to become Google's next big focus
Streamlining the website login process a top priority, according to the company’s Australian business and consumer services manager Dan Metcalf. ...

Hands on: Twitter two-factor authentication
Optus and Vodafone customers need not apply when it comes to Twitter's two-factor authentication.

Resources last updated: 11/28/2015 5:12:02 AM