ASP -> IIS -> AD Authentication problems

liunx

Guest
Hi folks,

Having a rather bad day with authentication here.

Essentially I'm using my global.asa file to check some things in my Active Directory, such as email address of the user. I'm doing this with the following code:


<%
strUserName = Request.ServerVariables("auth_user")
strUserNamea = Right(strUserName, Len(strUserName) - InStrRev(strUserName, "\"))

response.write(strUsernamea)
Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText ="select mail FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsernamea+"'"
Set rs = Com.Execute
response.write rs("mail")
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing
%>



I'm currently running IIS to host the sites, with anonymous access off and Integrated Windows authentication ON.

So, the current situation is this.

If I stand at the server and log in using my Windows account, and use the IE browser installed there, everything works as it should and it pulls back the email address from the AD server.

If I go to any other machine on the network and repeat the same, I get a "table not found" message back. This appears to simply be an authentication problem.

If I DISABLE integrated authentication and again try accessing the site from any other machine I get a logon prompt to enter credentials. If I enter the correct credentials the page works fine and the email address is returned correctly. So the code is correct for the most part (I THINK!)

However, I'd rather not have that logon prompt appear for every user trying to access the site. Can anyone shed any light on how I might get a client machine to authenticate properly and automatically using Integrated Windows authentication?

Incidentally the server is running IIS 5.1


Thanks in advance,

Ally

Incidentally I put this in the server side programming rather than the ASP forum as I think it's more of an IIS issue, but apologies if it needs to be moved :)

You aren't passing any login credentials in with the Active Directory Connection.
I think AD is a lot like typical LDAP connections and here's a sample of one of my LDAP connections via ASP...

Set LDAPtest = GetObject("LDAP:")
Set ADSObject = LDAPtest.OpenDSObject("LDAP://10.15.2.16:389/o=SRVNET","cn=ichainproxy,ou=Services,o=SRVNET", strPass, 0)

Set MembersContainer = ADSObject.GetObject ("organizationalUnit","ou=CUSTOMERS")
Set User = MembersContainer.GetObject ("inetOrgPerson", "cn=" & username)
getEdirAttribute = User.Get(attribute)

...in this code, you can see ichainproxy is the username and then the value in strPass is the password for that account.

Like I said, I'm pretty sure AD is a lot like typical LDAP but I'm not 100% about this but it seems to fit your problem with being logged in works but not, doesn't

You must enable WMI scripting from IIS.

Second off, only an administrator account can query ADSI.

You can fix this by setting the account of the website or pool as an ADMIN.

However you create a security breach, as doing so bypasses security for FrontPage, allowing anyone to access the site to edit it.
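
The first reply's suggestion (pass explicit credentials to the directory connection) applied to the ADO query from the question, as an added example that is not part of the thread. The `svc_adlookup` account, the `DC=example,DC=com` base DN and the `Application("AdLookupPassword")` value are assumptions; the account is meant to be a low-privilege, read-only one rather than an administrator.

```vbscript
<%
' Added example, not code from the thread. Assumed names: the svc_adlookup
' account, the DC=example,DC=com base DN and the Application("AdLookupPassword")
' value (set in global.asa from protected storage) are all constructed.
Const LOOKUP_USER = "EXAMPLE\svc_adlookup"   ' low-privilege, read-only account
Const BASE_DN = "DC=example,DC=com"

' Allow only characters expected in a logon name, so the value cannot
' change the query text. Widen the pattern if your naming scheme needs it.
Function IsSafeAccountName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsSafeAccountName = re.Test(name)
End Function

Dim authUser, account, con, cmd, rs
authUser = Request.ServerVariables("AUTH_USER")
account = Mid(authUser, InStrRev(authUser, "\") + 1)   ' strip DOMAIN\

If Not IsSafeAccountName(account) Then
    Response.Status = "403 Forbidden"
    Response.End
End If

Set con = Server.CreateObject("ADODB.Connection")
con.Provider = "ADsDSOObject"
' Bind as the service account instead of the browsing user's token.
con.Properties("User ID") = LOOKUP_USER
con.Properties("Password") = Application("AdLookupPassword")
con.Properties("Encrypt Password") = True
con.Open "Active Directory Provider"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = con
cmd.CommandText = "SELECT mail FROM 'GC://" & BASE_DN & "' " & _
                  "WHERE objectCategory='person' AND sAMAccountName='" & account & "'"
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "No directory entry found."
ElseIf IsNull(rs("mail").Value) Then
    Response.Write "No mail attribute set."
Else
    Response.Write Server.HTMLEncode(rs("mail").Value)
End If

rs.Close : con.Close
Set rs = Nothing : Set cmd = Nothing : Set con = Nothing
%>
```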