Trying to integrate with Google Checkout


cynicaldoctor
04-29-2007, 08:39 AM
Hi,
I am trying to integrate payments on my site with Google Checkout. When transactions are processed, Google sends an XML post to a page on the site. Unfortunately the page returns an HTTP 401: You are not authorized to view this page. You do not have permission to view this directory or page using the credentials that you supplied.

Google's help pages have the following info.

The HTTP 401 unauthorised error you have received means you have not properly set up HTTP basic authentication on your server.


Google prefaces callbacks and notifications with HTTP basic authentication, using your Merchant ID as a username and your Merchant Key as a password. If your server does not recognise the credentials on the messages sent from Google Checkout, you will receive an error message.


Please ensure you have configured the correct Merchant ID and Merchant Key as your basic authentication username and password. If you need help configuring HTTP basic authentication in your environment, please contact your hosting provider.
Any ideas how I can sort this out?
Thanks
Sumeet

bruce
04-30-2007, 06:28 AM
According to the Google Checkout documentation:

To receive notifications and other callbacks from Google, you must do the following:

Specify an HTTPS callback URL secured by SSL v3 or TLS using a valid certificate from a major Certifying Authority.

Only accept messages that are authenticated by HTTP Basic Authentication, using your Merchant ID and Merchant Key as the username and password.

Additionally, we strongly recommend you validate (both syntactically and semantically) the messages that are sent to your callback URL before processing them.

We cannot support the Basic Authentication of the callback page, because you will not be able to create a Windows user using the Merchant ID and the Merchant Key as the password. The User Manager in the control panel has certain restrictions on the username and password format.

Therefore, the workaround is as follows:
1. Create a special folder for the callback page, and upload the callback page there.
2. Create a support ticket to have our system administrators disable Basic Authentication on that folder only.

This workaround does remove a layer of security (basic authentication). However, your callback page should also programmatically check for the validity of the Merchant ID and Merchant Key that was passed in the HTTP header before processing the request.
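
The programmatic check described above, as an added example that is not part of the original post and is not Google's or the host's code. It is written in Python rather than ASP; the credentials, the function names and the `handle_callback` shape are assumptions.

```python
import base64
import binascii
import hmac

# Constructed placeholder credentials (not real Google Checkout values).
MERCHANT_ID = "1234567890"
MERCHANT_KEY = "constructed-merchant-key"


def parse_basic_auth(header_value):
    """Return (username, password) from an Authorization header, or None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def is_authorized(header_value, merchant_id=MERCHANT_ID, merchant_key=MERCHANT_KEY):
    """True only if the header carries exactly the expected ID and key."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    username, password = creds
    # Constant-time comparison; evaluate both fields before combining them.
    id_ok = hmac.compare_digest(username.encode(), merchant_id.encode())
    key_ok = hmac.compare_digest(password.encode(), merchant_key.encode())
    return id_ok and key_ok


def handle_callback(headers, body):
    """Hypothetical callback entry point: reject before touching the body."""
    if not is_authorized(headers.get("Authorization")):
        return 401, {"WWW-Authenticate": 'Basic realm="callback"'}
    # Only at this point would the XML body be validated and processed.
    return 200, {}
```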

cynicaldoctor
04-30-2007, 07:21 AM
Hi Bruce,

Thanks for the reply.

I have decided to ditch Google in favour of PayPal which works beautifully.

Google just had too many hoops to jump through for my liking. However, they are offering free transactions till 2008, some other members may find this an incentive.

Regards,

Sumeet

bruce
04-30-2007, 07:50 AM
Yeah, I find that PayPal is better than Google Checkout as far as integration goes.

purecostumes
03-02-2008, 06:23 AM
I am trying to integrate Google Checkout using ASP Classic. Does this workaround apply to my situation as well?

I am getting the error below. It calls a function, which I also include below. The line that failed, 221, is 'xmlHttp.send request' below.

Also, I am using a VeriSign Class 3 SSL cert but I don't think it's an SSL issue.

----------------

msxml3.dll error '80072f05'

The date in the certificate is invalid or has expired
gatewayGoogleApi.asp, line 221

----------------------------------
Function sendRequest(request, strPostUrl)
    ' Check for errors
    Dim strFunctionName
    Dim errorType
    strFunctionName = "sendRequest()"
    ' Check for missing parameters
    errorType = "MISSING_PARAM"
    checkForError errorType, strFunctionName, "request", request
    checkForError errorType, strFunctionName, "strPostUrl", strPostUrl
    checkForError errorType, strFunctionName, "strMerchantId", strMerchantId
    checkForError errorType, strFunctionName, "strMerchantKey", strMerchantKey
    ' Define objects used to send the HTTP request
    Dim xmlHttp
    Dim strAuthentication
    Dim bCheckout
    ' Log the outgoing message
    logMessage logFilename, request
    ' Create the XMLHttpRequest object
    Set xmlHttp = Server.CreateObject("Msxml2.ServerXMLHTTP.3.0")
    ' The HTTP request method is POST
    xmlHttp.open "POST", strPostUrl, False
    ' Do NOT ignore Server SSL Cert Errors
    Const SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS = 2
    Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056
    xmlHttp.setOption SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS, _
        (xmlHttp.getOption(SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS) - _
        SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS)
    bCheckout = InStr(strPostUrl, "checkout")
    ' This block executes if this is a Checkout API request
    If bCheckout <> 0 Then
        ' Set HTTP header
        xmlHttp.setRequestHeader "Content-Type", _
            "application/x-www-form-urlencoded"
    ' This block executes if this is not a Checkout API request
    Else
        ' Build HTTP Basic Authentication scheme
        strAuthentication = createHttpBasicAuthentication(strMerchantId, _
            strMerchantKey)
        ' Set HTTP headers
        xmlHttp.SetRequestHeader "Authorization", strAuthentication
        xmlHttp.SetRequestHeader "Content-Type", "application/xml"
        xmlHttp.SetRequestHeader "Accept", "application/xml"
    End If
    ' Transmit the request
    xmlHttp.send request
    ' Log the HTTP response
    logMessage logFilename, xmlHttp.responseText
    ' Return the response from the Google server
    sendRequest = xmlHttp.responseText
    ' Release the object used to send the request
    Set xmlHttp = Nothing
End Function

wisemx
03-02-2008, 11:53 AM
Oddly, each time I've seen this the fault was the wrong date on the person's computer.

ItSecurtyDude
10-02-2008, 05:36 AM
Bruce,

Since we are now running IIS7, are there any changes to supporting the Google callback requirements? Seems to be a little crazy to have to lower security requirements in order to accept credit cards?

Please advise exact procedures to solve the dreaded 401 error/Google Answer page issue.

Therefore, the workaround is as follows:
1. Create a special folder for the callback page, and upload the callback page there.
2. Create a support ticket to have our system administrators disable Basic Authentication on that folder only.

This workaround does remove a layer of security (basic authentication). However, your callback page should also programmatically check for the validity of the Merchant ID and Merchant Key that was passed in the HTTP header before processing the request.

bruce
10-06-2008, 11:23 AM
You are not sacrificing security if you disable Basic Authentication.

If you are on IIS7, you do not need to create a ticket to set this up. You can simply use the IIS 7.0 manager to disable basic authentication on the directory you specified. See http://kb.discountasp.net/article.aspx?id=10575