I've created a task to send an HTTP post request to a remote server. The request has to get through our corporate proxy server with one set of credentials, and then present a different set of credentials at the remote server to get access to the web page.

I have configured the proxy settings on an HTTP task, and confirmed that that much is working by creating and testing a task to get a google page.

I created a credential in VisualCron for the remote server, using the IP address as the domain - normally, when I enter my username and password in response to the security popup, I don't specify a domain, and this server doesn't have a registered domain name, although it does have a pseudodomain with the hosting service.

When I try to test my VisualCron task using this credential and a post, I get an http 401 (Unauthorized) error, which is the same error that I would get if I cancelled out of the security dialog when fetching the page manually.

What am I doing wrong?

Thanks,

Rebeccah

Try using an empty domain in the Credential.

---

Nope, that didn't help either.

Rebeccah

Another weird thing - on my display of jobs and tasks, I have several copies of this task with different credentials that I have tried. When I first opened up the UI this morning, all of the ones I was trying yesterday say "Success" for the result, although they still show the same error output. Why would that be? When I test them again, they go back to showing the failed status.

Rebeccah

That could happen if the Service (or machine) has been rebooted.

Is there any network administrator that could debug the login failure?

---

I am the admin of the virtual private server running the web server (IIS) that is denying the login. What would you like me to check? The logon works fine when I connect directly using the browser. If there is something that the VPS admins need to check, I will need to submit a ticket, and I will need to be pretty specific about what I want them to do, since the symptom is in my application.

Rebeccah

OK, I just checked to make sure that logon successes and failures are both being audited on the server. Now, when I attempt to run this task, I get the following three security event log "Success Audit" entries:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: IUSR_TEMPLATE
Source Workstation: REMOTEMSS
Error Code: 0x0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .



Logon attempt using explicit credentials:
Logged on user:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon GUID: -
User whose credentials were used:
Target User Name: IUSR_TEMPLATE
Target Domain: REMOTEMSS
Target Logon GUID: -

Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 13884
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .


Successful Network Logon:
User Name: IUSR_TEMPLATE
Domain: REMOTEMSS
Logon ID: (0x0,0x6A48F21C)
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: REMOTEMSS
Logon GUID: -
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 13884
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .




NOTE: The credentials I am supplying through VisualCron should NOT be those of IUSR_TEMPLATE. That's the anonymous web user, and it does not have permissions on my web site.

Thanks,

Rebeccah

In contrast, when I (successfully) connect manually using the browser, I get three Success Audit event notifications, and they *do* contain the currect user information.

Rebeccah

We did some tests against our web server. What you put in domain does not really matter. What mattered in our tests that we used the direct url and that it does not contain any redirects. For example:

http://mysite.com/admin/  - does not work

http://mysite.com/admin/adminpage1.aspx  - work

---

My URL is of the form
http://ip_address/context-path/webpage.html


Rebeccah

Is this really windows authentication or authentication in a form?

---

IIS is annoying. It's Windows authentication.

Rebeccah

And this HTML page is not redirecting you to any other url when visiting that page`?

---

It's not *redirecting* (i.e., sending an http redirect status code that the browser follows to load another page), but it is forwarding (on the back end) to a tomcat web application.

Rebeccah

Can you send a screen shot of the Authentication settings in IIS on that page/folder?

---

to support@visualcron.com?

There's no single "authentication" page that I see in the IIS configuration for the page, I'll have to look and see what I did to set up the configuration. It was a PIA, involving creating a group that had the essential permissions that IUSR_TEMPLATE has, taking the eprmissions away from IUSR_TEMPLATE itself (or perhaps disabling it, I don't remember), and then making my new user a member of that group.

Rebeccah


Rebeccah

Wait, here it is, I found the page you asked for. I'll attach it here.

Rebeccah

We use the same settings. I am not sure what happens here.

Can you try to create a local admin account on web server and then use that account instead?

---

I already did. It doesn't work, either.

Rebeccah

I'm setting up Wireshark right now on my VisualCron server, and I'm going to capture some packet traffic. Perhaps that will help sort things out.

Rebeccah

Hmm..do you have another server you could test this on?

I believe the correct authentication is sent as it worked here. Which IIS version do you have?

---

It's IIS 6.0.

I don't have another server set up with IIS, unfortunately.

Rebeccah

The problem is at the proxy authentication level (Thanks, Wireshark!)

When I go to the page with IE, the browser sends this:

GET http://<ip address stripped for privacy>/<context-path>/<webpage>.html HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: <destination ip address stripped>
Cookie: __utma=<cookie value a>; __utmb=<cookie value b>; __utmz=<cookie value z>


Whereas, VisualCron sends this:

GET http://<ip address stripped for privacy>/<context-path>/<webpage>.html HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: VisualCron
Host: <destination ip address stripped>
Proxy-Connection: Close



Both get a similar response from the proxy server, except that when I use IE, the proxy server sends back
Proxy-Connection: Keep-Alive

whereas with VisualCron, it sends back
Proxy-Connection: close


In the IE case, my browser sends another request with a Proxy-Authorization value, whereas with VisualCron, that's the end of the conversation (presumably because VisualCron's original request included Proxy-Connection: Close


Rebeccah

Thanks for the info. Have you tried using the same proxy settings in VisualCron (because VisualCron does not automatically pick up IE proxy settings)?

---

Yes, I've configured the proxy settings in VisualCron. There are too places I've found where they acan be configured - one for the VisualCron application, which gets used for checks for updates, and one for individual HTTP tasks. I have the proxy configured identically in both places.

The settings include proxy type (HTTP, SOCKS4, or SOCKS5), IP address, port number, credentials yes/no, and domain/username/password for the credentials. I don't see anywhere to specify whether to set the proxy connection to close or keep-alive. I have the proxy set to HTTP. Should it possibly be one of the SOCKS proxies? I was able to get the checks for update working with HTTP proxy, so I figured that was the right one, but perhaps not.

Rebeccah