Solved

MSXML2.XMLHTTP fails in Windows 2003 but works OK in Windows 2000. How dow I fix this problem on the 2003?

Posted on 2004-08-10
10
1,613 Views
Last Modified: 2008-01-09
In my code I have a postXML java script function that works OK when my code is executed on a Windows 2000 server with IIS 5.0, however the same code does not work on a Windows 2003 server that  comes with iIIS 6.0 and msxml4 (sp 4) installed. Is this a 2003 setup/security problem, or, it is a java script problem?

function postXML (url, xmlDocument) {
   var httpRequest;
   try {
      httpRequest = new ActiveXObject('Msxml2.XMLHTTP');
      httpRequest.open('POST', url, false);
      httpRequest.send(xmlDocument);
      return httpRequest;
      }
   catch (e) {
     alert("(IE) - " + e);
     return null;
     }
   }      
</script>

I am not very familiar with Windows  2003, so please advise accordingly!
0
Comment
Question by:ablazso
  • 5
  • 4
10 Comments
 
LVL 26

Assisted Solution

by:rdcpro
rdcpro earned 230 total points
ID: 11762976
Ths is most certainly due to the fact that 2003 installs with very strict security.  I'm not sure exactly what your scenario is.  Are you running this code server-side (as in ASP or ASP.NET), or is this running in IE6 on the Windows 2003 box?  The server and client security models are different.  Also, the URL you are posting to, and the URL that serves the page must be from the same domain.  I'm assuming this is client-side code, because you're using the client-side version of the object.  In that case, I'm wondering why you're doing this on a server.   IE 6 is locked down pretty tight on Win2k3.

Regards,
Mike Sharp
0
 

Author Comment

by:ablazso
ID: 11764012
Yes my whole program is written in html and java script.  It was  running on a Linux server very well , but because I changed it  to convert the output to PDF, now with an embedded font, I decided to put it on our 2003 server that has a windows based HTML to PDF conversion routine. The PDF must be delivered to the client, so it may be printed.  Can you suggest me a better alternative? Would you like to any other part of this program?
0
 
LVL 26

Assisted Solution

by:rdcpro
rdcpro earned 230 total points
ID: 11765652
Well, the Msxml2.XMLHTTP object runs in Internet Explorer's security context, and is based on wininet.  You might try switching to the ServerXMLHTTP request object, which runs using winhttp, and has a separate TCP/IP stack.  It's also a lot more flexible.  But this is only a good idea if the javascript is actually running on the server, like for example it was running under windows scripting host.  But if I understand things, the client downloads an HTML page, which contains this javascript, and this is running under the client's browser, isn't it?  That means it's executing on the client operating system, not your server.  In which case, I'd look for cross-domain security issues if the URL points to a different machine than your Windows 2003 server.

Regards,
Mike Sharp
0
 

Author Comment

by:ablazso
ID: 11767496
Yes, you are correct the java scrip runs on the client's browser, but it works correctly, as is, if it is from the Linux server or Windows 2000 server. I would leave the program on either of these, if it were not for the HTML to PDF conversion with embedded fonts I absolutely must have. Would you like to see the two html programs? I am willing to e-mail it to you or use whatever delivery means you prefer!@
0
 
LVL 26

Assisted Solution

by:rdcpro
rdcpro earned 230 total points
ID: 11768069
I guess it's worth a try.  Zip them up and email them to rdcpro@hotmail.com

Regards,
Mike Sharp
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 53

Assisted Solution

by:COBOLdinosaur
COBOLdinosaur earned 20 total points
ID: 11768568
Could be a version issue Try these:
      new ActiveXObject("Microsoft.XMLHTTP");
or
      new ActiveXObject("MSXML2.XMLHTTP.4.0");

Cd&
0
 

Author Comment

by:ablazso
ID: 11768691
Ok, I shall!
Unfortunatelly, the server is down for some software and hardware upgrage today!
0
 
LVL 26

Assisted Solution

by:rdcpro
rdcpro earned 230 total points
ID: 11768946
I thought about that possibility, but the code executes on the client.  

I would stay away from Microsoft.XMLHTTP as it's quite old.

Regards,
Mike Sharp
0
 

Author Comment

by:ablazso
ID: 11769759
OK I am willing to...! But what should I replace it with? Can you point me to some write-up or documentation on some newer stuff?
On the other hand, my simplistic programs works just fine!  Why finx if it ain't broke?
0
 
LVL 26

Accepted Solution

by:
rdcpro earned 230 total points
ID: 11778243
Yes, I’m pretty certain it’s a cross-domain data access problem, and it wouldn’t matter whether it was Win2k3 or some other machine. You can find out for sure by modifying your browser settings to prompt for cross-domain access.  

You can visit this page:
http://rdcpro.com/Members/rdcpro/tools/

where I’ve placed a tool that uses an XMLHTTP request to retrieve (by default) the Google home page.  If you have “prompt” enabled, when you click “Load HTML” you’ll see a popup that says:

“This page is accessing information that is not under its control.  This poses a security risk. Do you want to continue?”

If you answer no, or if you have cross-domain data access disabled, you’ll see a differnt dialog that's generated by my code in a try-catch block.

In order to fix this, you’ll have to put some server-side code on the Win2k3 box.  This will make a server-side XMLHTTP request using the ServerXMLHTTPRequest object, passing the credentials to the Linux box, and retrieve the session cookie that the linux box returns (or whatever it does to authenticate the browser).  Then you can explicitly set this on the response to the client.  It’s a pain, but I think it’s the only realistic approach.  Essentially you have to aggregate all the service calls to the Win2k3 box.  

There *might* be some DNS trickery you can use, though.  It seems to me here at work we used DNS to make the browser think a request was coming from our domain…It’s worth looking into.

Regards,
Mike Sharp
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

The Problem How to write an Xquery that works like a SQL outer join, providing placeholders for absent data on the outer side?  I give a bit more background at the end. The situation expressed as relational data Let’s work through this.  I’ve …
I was working on a PowerPoint add-in the other day and a client asked me "can you implement a feature which processes a chart when it's pasted into a slide from another deck?". It got me wondering how to hook into built-in ribbon events in Office.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now