1

I'm using VBA to send a GET request using either a WinHttpRequest or an MSXML2.ServerXMLHTTP60 object (but I assume this would be the same even in a C# console app e.g.)

The GET request is over an intranet connection and uses windows credentials - if the correct credentials are supplied then we get a login option, if not we just get 401.

As the same user on the same machine, I have different luck depending on location. At home, it runs fine but in the office it doesn't work. I checked the HEAD request to the same URL like so

    Dim REQ As New MSXML2.ServerXMLHTTP60
    Call REQ.Open("HEAD", "https://TargetCompanyWebSite.co.uk/")
    Call REQ.Send

for the URL and I get this - this is the setup that works:

Cache-Control: private
Date: Tue, 01 Jun 2021 12:48:40 GMT
Content-Length: 5407
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=abcdefghijklmnopqrstuvwxyz; path=/; HttpOnly
Persistent-Auth: true
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge

however, in the office, where the connection doesn't work, I get:

Cache-Control: private
Date: Tue, 01 Jun 2021 12:52:24 GMT
Content-Length: 1293
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge

If I use the site in a browser it works fine wherever I am, but I'm trying to figure out how to get this working as a .net lib object (e.g. WinHttp.WinHttpRequest or MSXML2.ServerXMLHTTP60)

I'm finding things about WWW-Authenticate: Negotiate but no straight forward answer on whether I can just set my own headers?

Authentication issues with WWW-Authenticate: Negotiate

jamheadart
  • 5,047
  • 4
  • 32
  • 63
  • 1
    You are using a previously establish cookie in working code. If you delete the cookie you probably will not work in the good system. You probably either need to add HTTP Header to get working or the URL is missing parameters. – jdweng Jun 01 '21 at 13:11
  • Every server is different. So you need to verify the requirements of the server you are using to determine the parameters/headers. – jdweng Jun 01 '21 at 13:13
  • How did my original cookie - `Set-Cookie: ASP.NET_SessionId=abcdefghijklmnopqrstuvwxyz; path=/; HttpOnly` get set using VBA? Was that set from me visiting the site in Internet Explorer? I'm not setting it manually. I'm literally just sending a get request to "https://TargetCompanyWebSite.co.uk/"` – jamheadart Jun 01 '21 at 13:18
  • Yes. Using another app or webpage could setup the cookie. The HTTP Request will automatically recognize the destination IP and take an existing cookie. If you try existing code from another machine or with another users does it work? – jdweng Jun 01 '21 at 13:35
  • Another user is having the same issue but was using it fine last week. I don't quite understand that if they can visit the site on a browser why it doesn't work in the `winhttp` object. I guess I'll have to experiment. – jamheadart Jun 01 '21 at 13:37

0 Answers0