Remote user authentication question
| A.Klimkin 2005-07-27, 7:51 am |
| Hello, NG
I'm a beginner web developer, so please be patient on answering my question
:-)
I've IIS6 web server and some plain ASP web application. IIS server and all
my clients all running within same AD domain. All clients running IE6SP1.
I want to generate different html output for remote users depending on what
particular security group they belong to. I disabled anonymous access to my
asp files and allowed NTLM client authentication.
Now I've got remote user name via Request.ServerVariables("REMOTE_USER"). And
the question is how can I find (within my plain ASP code) if this user
belongs to some local (or domain) security group ('Administrators', for
example)?
Thanks anyone for the input.
Regards,
Andrew
| |
| Tom Kaminski [MVP] 2005-07-27, 5:54 pm |
| "A.Klimkin" <aklimkin at mail dot ru> wrote in message
news:eZzhOBpkFHA.2484@TK2MSFTNGP15.phx.gbl...
> Hello, NG
>
> I'm a beginner web developer, so please be patient on answering my
> question :-)
> I've IIS6 web server and some plain ASP web application. IIS server and
> all my clients all running within same AD domain. All clients running
> IE6SP1.
> I want to generate different html output for remote users depending on
> what particular security group they belong to. I disabled anonymous access
> to my asp files and allowed NTLM client authentication.
> Now I've got remote user name via Request.ServerVariables("REMOTE_USER").
> And the question is how can I find (within my plain ASP code) if this user
> belongs to some local (or domain) security group ('Administrators', for
> example)?
>
> Thanks anyone for the input.
Check this out:
http://www.15seconds.com/issue/020130.htm
See 5.2 ...
--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsser...ty/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
| |
| A.Klimkin 2005-07-28, 7:50 am |
| Thanks for pointing me in a direction!
But this code isn't working for me. Darn.
Specifically:
5.1 Display All Users in a Group
    Sub PullAllUserFromGroup(strDomain,strGroup)
        Dim Group
        Dim User
        Set Group = GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")
        For Each User in Group.Members
            Response.Write User.Name
        Next
    End Sub

Works great, but this isn't what I want. Let's see.
'PullAllUserFromGroup ".","Administrators"' returns me 'Administrator',
'Domain Admins' - and that's right, but that's all.
What I really want to know is whether the remote user belongs to the local
Administrators group, being authenticated. In other words, whether the remote
user is explicitly listed in this group OR is an implicit member by group
nesting.
Further investigation shows many limitations of this approach that make the
whole task close to impossible to achieve. I mean that (as MSDN says)
IADsGroup.IsMember method determines if a directory service object is an
immediate member of the group, so this method does not verify membership in
any nested groups. And another thing, the IADsGroup.IsMember method does not
support using a SID ADsPath for verification if a member belongs to a group
through the WinNT provider.
I tried a slightly different method with the same code:
'PullAllUserFromGroup "MyDomain","Domain Admins"'
But I always got '80070035' error here while calling Set Group =
GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")
I don't know what this error means exactly, but I suppose that the WinNT://
provider doesn't work properly with an AD domain.
I tried to use LDAP:// provider (of course, using appropriate moniker string
syntax) with nearly same result, but different error code '80005000'
E_ADS_BAD_PATHNAME, but I'm 100% sure that the AD path specified is VERY good.
Because when I call the same code through WSH it works great. In this case I
suppose there are some security (or other) limitations of calling this code
from within IIS server context vs. interactively logged on domain user
context.
If anyone has any suggestions, you're still welcome ;-)
Regards,
Andrew
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:uPXOH$rkFHA.3436@tk2msftngp13.phx.gbl...
> "A.Klimkin" <aklimkin at mail dot ru> wrote in message
> news:eZzhOBpkFHA.2484@TK2MSFTNGP15.phx.gbl...
>
> Check this out:
> http://www.15seconds.com/issue/020130.htm
>
> See 5.2 ...
>
> --
> Tom Kaminski IIS MVP
> http://www.microsoft.com/windowsser...ty/centers/iis/
> http://mvp.support.microsoft.com/
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running
> IIS
>
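
Added example, not part of the thread or the linked article: one way to test explicit or nested membership for the authenticated REMOTE_USER in classic ASP by walking Group.Members recursively instead of calling IADsGroup.IsMember. The function names are hypothetical, and it assumes the identity the page runs under can bind to each group through the WinNT provider, which the last post reports failing for domain groups; any failed bind is treated as "not a member".

```vbscript
<%
' Added example, not from the thread or the linked article.
' Function names are hypothetical; only domain accounts are matched, because a
' local account's ADsPath under WinNT also carries the machine name.
Const MAX_DEPTH = 8                        ' bound recursion on deep nesting

Function IsMemberNested(strGroupPath, strUserPath, dictSeen, intDepth)
    Dim objGroup, objMember
    IsMemberNested = False                 ' fail closed
    If intDepth > MAX_DEPTH Then Exit Function
    If dictSeen.Exists(LCase(strGroupPath)) Then Exit Function
    dictSeen.Add LCase(strGroupPath), True ' guard against circular nesting

    On Error Resume Next
    Set objGroup = GetObject(strGroupPath & ",group")
    If Err.Number <> 0 Then                ' bind failed: no access is granted
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0                        ' later errors abort the page (still a deny)

    For Each objMember In objGroup.Members
        If StrComp(objMember.ADsPath, strUserPath, vbTextCompare) = 0 Then
            IsMemberNested = True
            Exit Function
        ElseIf StrComp(objMember.Class, "Group", vbTextCompare) = 0 Then
            If IsMemberNested(objMember.ADsPath, strUserPath, dictSeen, intDepth + 1) Then
                IsMemberNested = True
                Exit Function
            End If
        End If
    Next
End Function

Function RemoteUserInGroup(strGroupPath)
    Dim strUser
    RemoteUserInGroup = False
    strUser = Request.ServerVariables("REMOTE_USER")   ' DOMAIN\user after NTLM
    If InStr(strUser, "\") = 0 Then Exit Function      ' no domain part: deny
    RemoteUserInGroup = IsMemberNested(strGroupPath, _
        "WinNT://" & Replace(strUser, "\", "/"), _
        Server.CreateObject("Scripting.Dictionary"), 0)
End Function

If RemoteUserInGroup("WinNT://./Administrators") Then
    Response.Write "administrator view"
Else
    Response.Write "standard view"
End If
%>
```

The walk only decides which HTML is rendered; access to the ASP files themselves should still be enforced by NTFS permissions on the server.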