FIX: Returning User Name and Password from IAuthenticate Fails

• Microsoft ActiveX SDK 1.0

SYMPTOMS

In order to access a secured Internet resource via a URL moniker, a host must implement the IAuthenticate interface on the same object that exposes IBindStatusCallback. The documentation on IAuthenticate in the ActiveX SDK indicates that there are two possible ways to implement IAuthenticate:

1. Return a valid HWND to serve as the parent HWND for a default authentication dialog box.

2. Return a valid user name and password.

CAUSE

When authentication is required to access an Internet resource, the server may have replied to the client with some data indicating the failure to access the desired data. If, for example the client makes an HTTP request, the server typically replies with a boilerplate HTML page. It is the client's responsibility to completely read all this data from the socket before attempting to re-send the request with the correct authentication information. There is a bug in Wininet.dll that fails to do this.

This problem does not occur when IAuthenticate::Authenticate returns a valid HWND to Urlmon.dll because internally Urlmon.dll calls the WININET API InternetErrorDlg() to retrieve authentication information from the user. In addition to obtaining a user name and password, InternetErrorDlg() drains the socket of any extraneous data on behalf of Urlmon.dll.

STATUS

Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. This problem has been fixed in Internet Explorer 4.0.

REFERENCES

ActiveX SDK online documentation

For additional information, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q156905
   TITLE     : How To Use IAuthenticate to Bind to a Secured HTML Page

Keywords          : AXSDKUrlMon kbdsi
Technology        : kbInetDev
Version           : 1.0
Platform          : WINDOWS
Issue type        : kbbug
Solution Type     : kbfix