IIS Server Security - Double Hop issue? HELP!

Anthony

2004-08-18, 8:48 pm

sorry for the x-post, I didn't receive a response and thought I might have
been in the wrong group... thanks..

---

I am trying to get a user's DN by translating the LOGON_USER NT4 format
variable. I am ONLY using Windows authentication for security settings:
This is a Windows 2000 IIS 5 Server. Here is the .asp that I've stripped
down.. feel free to paste the code for your own testing.. it works:

----------------- begin paste-- -----------
<%
' logon_user will be in DOMAIN\LANID format (NT4 Format)
logonuser = Request.ServerVariables("LOGON_USER")

' sUserDN will be in CN=JOEUSER,CN=Users,DC=DOMAIN,DC=MYCORP,DC=COM
sUserDN = getdn(logonuser)
response.write sUserDN

' and getdn function looks like the following

public function getDN(NT4Name)
' NT4Name DOMAIN\LANID format (NT4 Format)
' Function returns DN from NT4 Name

' Gets the user's DN from the DOMAIN/NT Name
Dim sDC, nto, sUserDN

sDC = "DC01"   ' domain controller to bind to

const ADS_NAME_INITTYPE_DOMAIN = 1
const ADS_NAME_INITTYPE_SERVER = 2
const ADS_NAME_INITTYPE_GC = 3

const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_NT4 = 3

Set nto = CreateObject("NameTranslate")
' InitEx would bind with explicit credentials instead of the caller's token
'nto.InitEx ADS_NAME_INITTYPE_SERVER, sDC, sAdmin, sDomain, sAdmPwd
nto.Init ADS_NAME_INITTYPE_SERVER, sDC   ' binds as the impersonated (LOGON_USER) identity
nto.Set ADS_NAME_TYPE_NT4, NT4Name
sUserDN = nto.Get(ADS_NAME_TYPE_1779)

getDN = sUserDN
end function
%>

-------------- end paste -----

The error I am getting is the following.. :

error '80090332'
The security context could not be established due to a failure in the
requested quality of service (e.g. mutual authentication or delegation).

-----------

If I am on a Windows 2000 Domain member or higher this works fine.. (I
understand it works when Kerberos Authentication is ok) I have trusted the
IIS server for kerberos authentication so it's working fine provided
Kerberos Authentication is good...

The problem is IF the authentication drops down to NTLM (when using NT4 or a
non-domain member client (VPN'ed in ..etc..)) this is really when it dumps
the above error.. any way around this?

So, is there any way to get a userDN another way? I know my problem is the
local IUSR_Machinename account doesn't have access to the LDAP directory...
so I was hoping to pass credentials through to the DC.

Are there other ways to accomplish this task? Once the DN is known I need
to check their group memberships to determine if they have access to a
particular function within an .asp so I'd have to connect to the ldap
provider multiple times.. not just this once..

Lastly, if there is no way to allow for this to work with the above code
snip.. can I at least trap that error to display "Kerberos not working"
instead of that ugly mess for users? I can't seem to trap that error...

Any help would be much appreciated.. Thank you






Ken Schaefer

2004-08-19, 2:49 am

Options:

a) Use basic authentication + SSL to get around the NTLM auth issue

b) Use something other than ASP to query directory (as ASP impersonates by
default). ASP.NET on the other hand can do Windows auth without
impersonating, allowing you to run the process as an appropriately
privileged account regardless of the auth type

c) To trap errors in VBScript - no elegant way. All you have is "On Error
Resume Next", then check the Err object to see if there's anything in there.
Alternatively, create a custom 500-100 error handler page in IIS, and use
the ASPError object to get the details of the error. Again ASP.NET has much
better handling of errors.

Cheers
Ken

"Anthony" <antgoodlife@nospam.comcast.net> wrote in message
news:eBwdSjYhEHA.3912@TK2MSFTNGP11.phx.gbl...

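Putting Ken's option (c) together with Anthony's last question: the following classic ASP page is an added example, not code from either poster. It wraps the same NameTranslate lookup in On Error Resume Next, checks the Err object, and maps the thread's error 80090332 to a "Kerberos not working" message instead of the raw ASP error; the function name TryGetDN, the DC name "DC01" and the message text are assumptions.

```vbscript
<%
Option Explicit
' Added example (not from the thread): NameTranslate lookup with error trapping.
Const ADS_NAME_INITTYPE_SERVER = 2
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3
' HRESULT from the thread: "security context could not be established ...
' (e.g. mutual authentication or delegation)". VBScript stores it as a negative Long.
Const E_QOP_FAILURE = &H80090332

' Returns the user's DN, or "" on failure; sErrMsg receives a message for the user.
Function TryGetDN(ByVal sNT4Name, ByVal sDC, ByRef sErrMsg)
    Dim nto
    TryGetDN = ""
    sErrMsg = ""
    On Error Resume Next            ' the only error-trapping mechanism VBScript has
    Set nto = CreateObject("NameTranslate")
    nto.Init ADS_NAME_INITTYPE_SERVER, sDC   ' binds as the impersonated caller
    nto.Set ADS_NAME_TYPE_NT4, sNT4Name
    TryGetDN = nto.Get(ADS_NAME_TYPE_1779)
    If Err.Number <> 0 Then
        If Err.Number = E_QOP_FAILURE Then
            ' Typical when the client fell back to NTLM and the token cannot be delegated
            sErrMsg = "Kerberos not working: the web server could not pass your " & _
                      "credentials on to the directory. Please contact the helpdesk."
        Else
            sErrMsg = "Directory lookup failed (0x" & Hex(Err.Number) & "): " & Err.Description
        End If
        TryGetDN = ""
        Err.Clear
    End If
    On Error GoTo 0                 ' restore normal error handling for the rest of the page
End Function

Dim sDN, sMsg
sDN = TryGetDN(Request.ServerVariables("LOGON_USER"), "DC01", sMsg)
If sDN = "" Then
    Response.Write Server.HTMLEncode(sMsg)
Else
    Response.Write Server.HTMLEncode(sDN)
End If
%>
```

The same Err.Number check can be reused in front of each later group-membership lookup, since every bind will fail the same way once delegation is unavailable.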



Copyright 2003 - 2008 webservertalk.com