earthman100


Http Authentication parameters in URL not working

Recently my shortcuts that include my http authentication usernames and passwords in the URL ceased working, resulting in an "Invalid Syntax Error" and "The page cannot be displayed" message in Internet Explorer.

The format I am using is http://username:password@mydomain.com

Please note:  These DID work before, and do work from other computers, which leads me to believe that it has something to do with my browser here.  Any suggestions are gratefully appreciated!
COBOLdinosaur

In Tools select Internet Options... click the Security tab, Custom settings, and down at the bottom is the user authentication.  It needs to be set to allow automatic logon. Make sure you set it for both intranet and Internet.

Cd&
earthman100

ASKER

Hi Dinosaur,

I have tried each of the settings:

Anonymous Logon
Automatic Logon only in Intranet Zone
Automatic Logon with current Username and Password
Prompt for Username and Password

with no success for any of them.

Any other ideas?  BTW I am using IE 6.0 (2800.1106.xpsp2)
Asta Cu
I've seen similar roadblocks in forums that point back to this update, but haven't had time to explore the details further (yet)
http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
Hi astaec,

The article you pointed to:  http://support.microsoft.com/default.aspx?scid=kb;en-us;834489  seems to be the one, because I did run windows update recently, and then the problems began.  (aren't they supposed to FIX things??? *sigh*)

The article shows a way to disable the new feature, but I added the registry entries and it did not seem to work.  Any other suggestions?
Drat!  The workarounds in the link did not work?  Hmmm  I'll need to think about this a bit more and research a bit more when I return from work (hopefully this evening)... or when time permits.  Long week 4 me.  These are but a few.... of the workarounds and cut/paste from the link above.......

Workarounds for users
URLs that are opened by users who type the URL in the Address bar or click a link
If users typically type HTTP or HTTPS URLs that include user information in the Address bar, or click links that include user information in HTTP or HTTPS URLs, you can work around this new functionality in Internet Explorer in two ways:
Do not include user information in HTTP or HTTPS URLs.
Instruct users not to include their user information when they type HTTP or HTTPS URLs.
If the Web site uses the basic authentication method, Internet Explorer automatically prompts users for a user name and a password. In some cases, users can click the Remember my password box in the dialog box to save their credentials for later visits to that Web site.
Workarounds for application and Web site developers
URLs that are opened by objects that call WinInet or Urlmon functions
For objects that use an HTTP or an HTTPS URL that includes user information when they call a WinInet or Urlmon function such as InternetOpenURL, rewrite the object to use one of the following methods to send user information to the Web site:
Use the InternetSetOption function and include the following option flags:
INTERNET_OPTION_USERNAME
INTERNET_OPTION_PASSWORD
Note For these flags, the InternetSetOption option must have a handle returned by the InternetConnect function. Therefore, if the application uses the InternetOpenUrl function, modify the application to use the InternetConnect, HttpOpenRequest and HttpSendRequest WinInet functions. For additional information about how to use these functions, visit the following Microsoft Web sites:
http://msdn.microsoft.com/library/en-us/wininet/wininet/internetconnect.asp

http://msdn.microsoft.com/library/en-us/wininet/wininet/httpopenrequest.asp

http://msdn.microsoft.com/library/en-us/wininet/wininet/httpsendrequest.asp

Use the IAuthenticate Interface. For additional information about how to use the IAuthenticate Interface, visit the following Microsoft Web site:
http://msdn.microsoft.com/workshop/networking/moniker/reference/ifaces/iauthenticate/iauthenticate.asp

Note With this workaround, you can open Web sites that the URL-spoofing technique redirects. The whole URL appears, including the redirected location. For example, the following URL appears:
http://www.wingtiptoys.com@www.example.com

The user still arrives at the redirected Web site. In this example, the user arrives at http://www.example.com.
URLs that are opened by a script that uses credentials for state management
If you include HTTP or HTTPS URLs that contain user information in your scripting code, to manage state information, change your scripting code to use cookies instead of user information. For additional information about how to use cookies to manage state information, visit the following Internet Engineering Task Force (IETF) Web site:
http://www.ietf.org/rfc/rfc2965.txt 

To see an example of how to use Visual Basic to read and write HTTP cookies in an ASP.NET Web program, visit the following Microsoft Web site:
http://msdn.microsoft.com/library/en-us/dv_vstechart/html/vbtchaspnetcookies101.asp

How to disable the new behavior or to use it in other programs
After you install the 832894 security update, you can set registry values to use this new behavior in other programs that host the Web browser control or to disable this new behavior for Windows Explorer and Internet Explorer.
How programs that host the Web browser control can use this new default behavior to handle user information in HTTP or in HTTPS URLs
By default, this new default behavior for handling user information in HTTP or HTTPS URLs applies only to Windows Explorer and Internet Explorer. To use this new behavior in other programs that host the Web browser control, create a DWORD value named SampleApp.exe, where SampleApp.exe is the name of the executable file that runs the program. Set the DWORD value's value data to 1 in one of the following registry keys.
For all users of the program, set the value in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

For the current user of the program only, set the value in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Source and here again for more:  http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

AND you set the DWORD?  

I'm really baffled.  Perhaps others will step in here as well, in the interim.

Asta
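
The KB workaround quoted above ("Do not include user information in HTTP or HTTPS URLs") and its wingtiptoys.com spoofing URL, as an added example that is not part of the thread or the KB article: a Node.js check that finds the userinfo part of a URL, reports the host the browser really connects to, and moves the credentials into a Basic Authorization header value. The names auditUrl and safeDecode, the hostname-lookalike heuristic and the sample list are assumptions made for illustration.

```javascript
// Added example: audit a URL for the userinfo part ("user:pass@") that
// Internet Explorer rejects after security update 832894.

// Assumption: userinfo shaped like a DNS name is treated as a spoofing lure.
const HOSTNAME_LIKE = /^([a-z0-9-]+\.)+[a-z]{2,}$/i;

// Percent-decode, falling back to the raw text on a malformed escape.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns null for non-HTTP(S) or unparsable input, otherwise a report object.
function auditUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;

  const username = safeDecode(u.username);
  const password = safeDecode(u.password);
  const hasUserinfo = username !== '' || password !== '';
  const report = {
    hasUserinfo,
    realHost: u.host,                       // what follows the "@"
    looksSpoofed: hasUserinfo && HOSTNAME_LIKE.test(username),
    authorization: null,                    // header value replacing the userinfo
    cleanUrl: null,                         // same URL without credentials
  };
  if (hasUserinfo) {
    const token = Buffer.from(`${username}:${password}`, 'utf8');
    report.authorization = 'Basic ' + token.toString('base64');
    u.username = '';
    u.password = '';
  }
  report.cleanUrl = u.href;
  return report;
}

// Constructed samples: the thread's shortcut format and the KB's spoofing URL.
const SAMPLES = [
  'http://username:password@mydomain.com',
  'http://www.wingtiptoys.com@www.example.com',
  'https://www.example.com/path',
];
for (const s of SAMPLES) console.log(s, '=>', auditUrl(s));
```

For the second sample realHost is www.example.com, which is the destination the KB note describes; the text before the "@" is only a user name.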





This is what I added to my registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Feature Control]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Feature Control\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Feature Control]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Feature Control\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000000
Nope, hasn't worked since I added the keys.
Drat!  Doing some other research stumbled on these and perhaps they'll be of help here...  

What is your Operating System and version?  My thinking is trying Restore Points if XP or ME prior to the time you noted the problem, but again, unclear.

Introduction to URL Security Zones - http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/templates.asp

How to strengthen the security settings for the Local Machine zone in Internet Explorer
http://support.microsoft.com/default.aspx?scid=833633

How to access a network resource that requires username and password authentication when your user account requires a smart card for interactive logon
http://support.microsoft.com/default.aspx?scid=kb;en-us;834432&Product=winxp

There are so many hits on queries relating to your issue and still numerous unknowns in terms of your environment, so will include the result in the hopes you can scan them quickly and choose those which apply for further possibilities.
http://support.microsoft.com/search/default.aspx?InCC_hdn=true&Catalog=LCID%3D1033%26CDID%3DEN-US-KB%26PRODLISTSRC%3DON&withinResults=&QuerySource=gASr_Query&Product=winxp&Queryc=http%3A%2F%2Fusername%3Apassword@mydomain.com&Query=http%3A%2F%2Fusername%3Apassword@mydomain.com&KeywordType=ALL&maxResults=150&Titles=false&numDays=&InCC=on
Environment:

Windows XP - Pro 2002 SP1

IE - 6.0.2800.1106.xpsp2-030422-1633  -  128 bit
      Update Versions:  Sp1; Q832894


Thanks for your suggestions so far, still no go.
YAHOO!  I got it.  Was a little wacky, but I had to close all explorer windows, went to ctrl-alt-del and axed the explorer process.  Then restarted the explorer, and ran the registry entry, and it worked.

Thanks!
YAHOO, YAY and a YIPEE!  This one was driving me a little nuts, made no sense but then been there before;  sometimes it's not what is done but the order in which it is done.  Crazy things like this do keep you going, no?  I'm so pleased, thanks for the update and good news.  You're right on!  It was a little wacky.  Had a friend recently with whom I worked to do troubleshooting and what should have worked just did not; the missing ingredient for him was to execute MULTIPLE reboots (6, I think .... go figure, lol).

Thank you also for the fine grade, earthman100.

":0) Asta