Hi,

I am trying to integrate payments on my site with Google Checkout. When transactions are processed, Google sends an XML post to a page on the site. Unfortunately the page returns an HTTP 401: "You are not authorized to view this page. You do not have permission to view this directory or page using the credentials that you supplied."

Google's help pages have the following info:

"The HTTP 401 unauthorised error you have received means you have not properly set up HTTP basic authentication on your server. Google prefaces callbacks and notifications with HTTP basic authentication, using your Merchant ID as a username and your Merchant Key as a password. If your server does not recognise the credentials on the messages sent from Google Checkout, you will receive an error message. Please ensure you have configured the correct Merchant ID and Merchant Key as your basic authentication username and password. If you need help configuring HTTP basic authentication in your environment, please contact your hosting provider."

Any ideas how I can sort this out?

Thanks
Sumeet
According to the Google Checkout documentation:

"To receive notifications and other callbacks from Google, you must do the following:
- Specify an HTTPS callback URL secured by SSL v3 or TLS using a valid certificate from a major Certifying Authority.
- Only accept messages that are authenticated by HTTP Basic Authentication, using your Merchant ID and Merchant Key as the username and password.
Additionally, we strongly recommend you validate (both syntactically and semantically) the messages that are sent to your callback URL before processing them."

We cannot support the Basic Authentication of the callback page, because you will not be able to create a Windows user using the Merchant ID and the Merchant Key as the password. The User Manager in the control panel has certain restrictions on the username and password format.

Therefore, the workaround is as follows:

1. Create a special folder for the callback page, and upload the callback page there.
2. Create a support ticket to have our system administrators disable Basic Authentication on that folder only.

This workaround does remove a layer of security (basic authentication). However, your callback page should also programmatically check for the validity of the Merchant ID and Merchant Key that was passed in the HTTP header before processing the request.
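The programmatic check described above (validating the Merchant ID and Merchant Key from the HTTP header once server-level Basic Authentication is disabled on the callback folder) can look like the following. This is an added example, not part of the original thread or Google's sample code; it is written in Python to show the logic independently of the ASP/ASP.NET page, and the credentials and the `handle_callback` shape are constructed placeholders.

```python
import base64
import binascii
import hmac

# Constructed placeholder credentials, not real Google Checkout values.
MERCHANT_ID = "1234567890"
MERCHANT_KEY = "example-merchant-key"


def parse_basic_auth(header_value):
    """Return (username, password) as bytes from an Authorization header, or None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    username, sep, password = decoded.partition(b":")
    if not sep:
        return None
    return username, password


def is_authorized(header_value, merchant_id=MERCHANT_ID, merchant_key=MERCHANT_KEY):
    """True only if the header carries exactly the expected Merchant ID and Key."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    username, password = creds
    # compare_digest avoids leaking how many leading bytes matched; evaluate
    # both comparisons before combining so neither is short-circuited.
    id_ok = hmac.compare_digest(username, merchant_id.encode("utf-8"))
    key_ok = hmac.compare_digest(password, merchant_key.encode("utf-8"))
    return id_ok and key_ok


def handle_callback(headers, body):
    """Return (status, response_headers); the XML body is processed only on 200."""
    if not is_authorized(headers.get("Authorization")):
        return 401, {"WWW-Authenticate": 'Basic realm="callback"'}
    # Validate and process the notification XML in `body` here.
    return 200, {}
```

The same steps apply in the callback page itself: read the `Authorization` request header, reject anything that is not a well-formed Basic credential, and compare both values before touching the XML body.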
Hi Bruce,

Thanks for the reply. I have decided to ditch Google in favour of PayPal, which works beautifully. Google just had too many hoops to jump through for my liking. However, they are offering free transactions till 2008; some other members may find this an incentive.

Regards,
Sumeet
I am trying to integrate Google Checkout using ASP classic. Does this workaround apply to my situation as well? I am getting the error below. It's calling a function, which I also include below. The line that failed (221) is 'xmlHttp.send request' below. Also, I am using a VeriSign Class 3 SSL cert, but I don't think it's an SSL issue.

----------------
msxml3.dll error '80072f05'
The date in the certificate is invalid or has expired
gatewayGoogleApi.asp, line 221
----------------------------------

Function sendRequest(request, strPostUrl)

    ' Check for errors
    Dim strFunctionName
    Dim errorType
    strFunctionName = "sendRequest()"

    ' Check for missing parameters
    errorType = "MISSING_PARAM"
    checkForError errorType, strFunctionName, "request", request
    checkForError errorType, strFunctionName, "strPostUrl", strPostUrl
    checkForError errorType, strFunctionName, "strMerchantId", strMerchantId
    checkForError errorType, strFunctionName, "strMerchantKey", strMerchantKey

    ' Define objects used to send the HTTP request
    Dim xmlHttp
    Dim strAuthentication
    Dim bCheckout

    ' Log the outgoing message
    logMessage logFilename, request

    ' Create the XMLHttpRequest object
    Set xmlHttp = Server.CreateObject("Msxml2.ServerXMLHTTP.3.0")

    ' The HTTP request method is POST
    xmlHttp.open "POST", strPostUrl, False

    ' Do NOT ignore Server SSL Cert Errors
    Const SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS = 2
    Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056
    xmlHttp.setOption SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS, _
        (xmlHttp.getOption(SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS) - _
        SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS)

    bCheckout = InStr(strPostUrl, "checkout")

    ' This block executes if this is a Checkout API request
    If bCheckout <> 0 Then

        ' Set HTTP header
        xmlHttp.setRequestHeader "Content-Type", _
            "application/x-www-form-urlencoded"

    ' This block executes if this is not a Checkout API request
    Else

        ' Build HTTP Basic Authentication scheme
        strAuthentication = createHttpBasicAuthentication(strMerchantId, _
            strMerchantKey)

        ' Set HTTP headers
        xmlHttp.SetRequestHeader "Authorization", strAuthentication
        xmlHttp.SetRequestHeader "Content-Type", "application/xml"
        xmlHttp.SetRequestHeader "Accept", "application/xml"

    End If

    ' Transmit the request
    xmlHttp.send request

    ' Log the HTTP response
    logMessage logFilename, xmlHttp.responseText

    ' Return the response from the Google server
    sendRequest = xmlHttp.responseText

    ' Release the object used to send the request
    Set xmlHttp = Nothing

End Function
Bruce,

Since we are now running IIS7, are there any changes to supporting the Google callback requirements? Seems to be a little crazy to have to lower security requirements in order to accept credit cards? Please advise exact procedures to solve the dreaded 401 error/Google Answer page issue.

Therefore, the workaround is as follows:

1. Create a special folder for the callback page, and upload the callback page there.
2. Create a support ticket to have our system administrators disable Basic Authentication on that folder only.

This workaround does remove a layer of security (basic authentication). However, your callback page should also programmatically check for the validity of the Merchant ID and Merchant Key that was passed in the HTTP header before processing the request.
You are not sacrificing security if you disable Basic Authentication.

If you are on IIS7, you do not need to create a ticket to set this up. You can simply use the IIS 7.0 manager to disable basic authentication on the directory you specified. See http://kb.discountasp.net/article.aspx?id=10575