Version 1 of AuthenticatedHttpOnWindows

Updated 2006-03-31 09:08:24

Hi! This is my first entry on this wiki, so the formatting probably won't be perfect.

The problem I had to solve was to access an intranet web server (with my own contents, a database inside) without asking the user for an extra password. This server (Apache) was integrated into our normal Windows authentication system, that is, Microsoft Kerberos authentication, and I had to make use of that. As it turned out, I could use Tcl in its finest tradition as a glue language and utilize Windows as it is for all the authentication stuff.

Enter WinHTTP. This is a Microsoft-provided API for use with non-.NET applications and scripts. The script interface is a COM component called WinHttpRequest and can be accessed using tcom, which is contained in the ActiveTcl distribution. A small Tcl script that accesses an authenticated website thus looks like this:

   # We need tcom for COM access and Tk for the message boxes
   package require tcom
   package require Tk

   # Set the test URL
   set MyUrl "http://myintranetwbsite"

   # Start up the component
   set WinHttpComp [::tcom::ref createobject "WinHttp.WinHttpRequest.5.1"]

   # Create the request (third argument 0 = synchronous)
   $WinHttpComp Open "GET" $MyUrl 0

   # If WinHttp thinks this is not an intranet website, set security to low
   # (0 = AutoLogonPolicy_Always: default credentials are used for all requests).
   $WinHttpComp SetAutoLogonPolicy 0

   # Send the request, doing all the authentication under the hood
   $WinHttpComp Send

   # Show the HTTP status and the response body
   tk_messageBox -type ok -title "Status" -message "[$WinHttpComp Status]\n[$WinHttpComp StatusText]"
   tk_messageBox -type ok -title "Result" -message "[$WinHttpComp ResponseText]"

Assuming your company uses Kerberos (which they ought to), security "low" does not mean that

  • you can access protected sites with the wrong credentials or
  • your password will be sent in the clear.

What happens is that your encrypted ticket is sent to the server. However, if the server isn't authenticated to your KDC (something your IT department is supposed to guarantee), it can't do anything with it, so it's a bit of a paranoid precaution that Microsoft recommends.
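
Policy 0 (AutoLogonPolicy_Always) performs the default-credential logon for every request, whatever the server. The following added example, which is not part of the original page, enables it only for an allowlist of hosts and otherwise keeps the intranet-only policy (1). The host names, `TrustedHosts`, and the procs `UrlHost`, `PolicyFor` and `AuthenticatedGet` are assumptions made for illustration.

```tcl
# Added example, not from the original page. The host names in TrustedHosts
# are constructed placeholders; replace them with your own intranet servers.
package require tcom

# Hosts allowed to receive the logged-on user's credentials automatically.
set TrustedHosts {intranet.example.test reports.example.test}

# WinHttpRequestAutoLogonPolicy values
set AutoLogonAlways 0            ;# the "low" security level used on this page
set AutoLogonOnlyIfBypassProxy 1 ;# logon only for local-intranet requests

# Return the lower-cased host of an http(s) URL, or raise an error.
# URLs with userinfo ("user@host"), backslashes or IPv6 literals are rejected
# so that the host checked here is the host WinHTTP will contact.
proc UrlHost {url} {
    if {![regexp -nocase {^https?://([a-z0-9.-]+)(?::\d+)?(?:[/?#]|$)} $url -> host]} {
        error "unsupported URL: $url"
    }
    return [string tolower $host]
}

# Pick the auto-logon policy for a URL: "Always" only for allowlisted hosts.
proc PolicyFor {url} {
    global TrustedHosts AutoLogonAlways AutoLogonOnlyIfBypassProxy
    if {[lsearch -exact $TrustedHosts [UrlHost $url]] >= 0} {
        return $AutoLogonAlways
    }
    return $AutoLogonOnlyIfBypassProxy
}

# Fetch a URL synchronously; returns a list {status statusText body}.
proc AuthenticatedGet {url} {
    set req [::tcom::ref createobject "WinHttp.WinHttpRequest.5.1"]
    $req Open "GET" $url 0
    $req SetAutoLogonPolicy [PolicyFor $url]
    $req Send
    return [list [$req Status] [$req StatusText] [$req ResponseText]]
}

foreach {status text body} [AuthenticatedGet "http://intranet.example.test/"] break
if {$status == 401} {
    puts stderr "Server rejected the integrated logon: $status $text"
} else {
    puts "$status $text\n$body"
}
```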

The WinHttp documentation is here:

The Kerberos website is

Stuff about Microsoft's Kerberos implementation is here:

Category Internet Category Networking