I need to be able to determine if the user is a member of a given AD group.
I have a method of doing this, but it is not suitable for 64bit OS's, so I
need to find an alternative route. I actually think an alternative route
might actually be a better route.
I'm not an ADSI expert (frankly, I find it confusing) and I don't want to
learn any more - I just want to be able to do this one thing.
How do you guys go about achieving this?
I found one method that worked on my development machine but not on the
server:
Dim COURTHOUSE, WshNetwork, existingDrives, ADSysInfo, CurrentUser, UserName, ComputerName
Dim strGroups, oGroup, x
Set WshNetwork = CreateObject("WScript.Network")
Set existingDrives = WshNetwork.EnumNetworkDrives
Set ADSysInfo = CreateObject("ADSystemInfo")
Response.Write ADSysInfo.UserName & "<BR><BR>"   ' DN of the account the script runs as
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)   ' <<== error on server
UserName = LCase(WshNetwork.UserName)
ComputerName = LCase(WshNetwork.ComputerName)
Response.Write UserName & " " & ComputerName
' memberOf is a single string for one group and a variant array for several
Select Case VarType(CurrentUser.MemberOf)
    Case 8      ' vbString
        strGroups = LCase(CurrentUser.MemberOf)
    Case 8204   ' vbArray + vbVariant
        strGroups = LCase(Join(CurrentUser.MemberOf))
End Select
Response.Write strGroups
Ok, it's not polished code, but it works locally. However it produces a
'80072020' on the stated line. It seems to be a permissions issue of some
sort, but I can't find a solution.
Any ideas?
Thanks in advance.
Chris
Hello Chris,
Your code looks flawless. I also double it is a security issue. To query AD
information, we need to use at least a domain user's permissions. I suggest you
may first check what account your ASP application is running with.
If you are working with IIS 6, the account is specified as the
application pool's identity; if it is IIS 5, you need to check the identity of the IIS
application in Component Services manager.
BTW, to confirm whether this is a security issue, you may log on to the target
server with a domain user account and create a VBS file with the following
code:
Set WshNetwork = CreateObject("WScript.Network")
Set ADSysInfo = CreateObject("ADSystemInfo")
MsgBox ADSysInfo.UserName
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
UserName = LCase(WshNetwork.UserName)
ComputerName = LCase(WshNetwork.ComputerName)
MsgBox UserName & " " & ComputerName
' memberOf is a single string for one group and a variant array for several
Select Case VarType(CurrentUser.MemberOf)
    Case 8      ' vbString
        strGroups = LCase(CurrentUser.MemberOf)
    Case 8204   ' vbArray + vbVariant
        strGroups = LCase(Join(CurrentUser.MemberOf))
End Select
MsgBox strGroups
If the above code executes successfully, we can be sure it is an ASP
security issue.
Regards,
Luke Zhang
Microsoft Online Community Support
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
"Luke Zhang [MSFT]" <lu******@online.microsoft.com> wrote in message
news:fn**************@TK2MSFTNGXA01.phx.gbl...
> Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
[snip]
> If above code can execute successfully, we can make sure it is an ASP security issue.
Luke,
If I call the script when logged in to the server, it runs fine. If I call
the page from another workstation, it fails at the line above.
In both cases, the application pool uses Network Service as its
identity. I created another application pool and gave it the same identity
as I use for SQL Server (basically a standard domain user), and I added my
app to this pool. When I try the test page, I get an almost-blank 'Service
Unavailable' page.
I tried setting the identity to my user account (I'm a domain admin), but
even this didn't work - it still says Service Unavailable.
Any ideas?
Thanks
Chris
Is your user account (domain admin) also a local admin on the server? And
is the application pool started when you get the error "Service
Unavailable"?
Thanks,
Luke Zhang
Microsoft Online Community Support
[Follow-ups set to m.p.i.iis]
Luke,
The latest situation is this:
I've created a domain user specifically to use as the identity for new
application pool, and I've added it to the IIS_WPG group on the local
machine. This group also has file-level privileges to the whole application.
So IIS reports that the application pool is working OK, and the Security Log
in the Event Viewer seems to confirm that everything is OK.
When I access the test page from the server, it works fine. When I try to
access it from any other machine, I now get a username/password dialog. And
no matter what I enter into this, it just keeps coming back. If I press
escape, I get an HTTP 401.1 error - "Unauthorized: Access is denied due to
invalid credentials"
For newcomers to this thread, I'm running IIS6 on Win2k3; I'm trying to use
Integrated Authentication to determine the user, and more importantly,
whether they are a member of a particular AD group - see below for the original
thread.
Any suggestions?
Thanks
Chris
Original thread: quoted verbatim from the first post at the top of this thread.
Hello Chris,
You may first check the "Directory Security" of the virtual folder in IIS
manager: is only "Integrated Windows Authentication" checked? Also,
when accessing it from another computer, are both computers in the same
domain?
Luke Zhang
Microsoft Online Community Support
Yes, only Windows Authentication is enabled.
Yes, all the computers are on the same Domain
Chris
"Luke Zhang [MSFT]" <lu******@online.microsoft.com> wrote in message
news:LB**************@TK2MSFTNGXA01.phx.gbl...
> Hello Chris,
> You may first check the "Directory Security" of the virtual folder in IIS manager: is only "Integrated Windows Authentication" checked? Also, when accessing it from another computer, are both computers in the same domain?
> Luke Zhang
> Microsoft Online Community Support
Hello Chris,
On the client computer, you may open IE, click Tools\Internet
Options\Advanced\Security; is the option "Enable Integrated Windows
Authentication" checked? Also, does the problem occur with other web
applications on the same server?
Regards,
Luke Zhang
Microsoft Online Community Support
"Luke Zhang [MSFT]" <lu******@online.microsoft.com> wrote in message
news:cy**************@TK2MSFTNGXA01.phx.gbl...
> Hello Chris,
> On the client computer, you may open IE, click Tools\Internet Options\Advanced\Security; is the option "Enable Integrated Windows Authentication" checked? Also, does the problem occur with other web applications on the same server?
Luke,
Yes, all instances of IE have IWA enabled.
The problem is one of design. I have a number of instances where I would
like to use this technique, if only I could get it working. The problem is
consistent across all servers. It's not a fault with one - it's a design
fault with this technique. However, I still don't know where that fault
lies.
All I want to do is to be able to use IWA to detect which user is running
the app, and to then query AD to determine which user groups the user is in,
so I can convey them suitable rights to the application.
So far I have created an application pool with a Domain User as an identity,
and I have enabled IWA for this application.
The code I was hoping to use (that you have already verified) works if you
call it from the server (ie you log in to the server to access the
application), but gives a 401.1 error if you access it from any other
workstation.
If I leave the application in the default application pool, the code works
when you run it from the server, but if you run it from another machine you
get a 80072020 error at this line:
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
My objective is clear and should be easily achievable - I'm not bothered
about which technique I use (if there is more than one).
CJM
Hello,
From the problem description, the web server didn't get the correct
credentials when you access the web page from the client side. Is there a proxy or
firewall between the two computers? Also, you may perform such a test: on
the virtual folder properties, only enable Basic authentication (leave
anonymous and IWA unchecked), then reset IIS and test on another
computer. When you access the page, it will pop up a dialog for your
Windows account; input the account including the domain name here. Can this make
it work? If this works, we can ensure that the problem is with your
IIS (maybe IWA), and we may perform further troubleshooting on that.
Regards,
Luke Zhang
Microsoft Online Community Support
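The thread mixes two separate failures: credentials never reaching IIS at all (the 401.1 loop) and credentials that reach IIS but cannot be forwarded from the worker process to the domain controller (the 0x80072020 "operations error" on the GetObject line). The following diagnostic page is an added example, not code from the thread or from Microsoft; it assumes classic ASP on IIS 6 with Integrated Windows Authentication, and TARGET_GROUP_DN is a placeholder to replace with a real group DN.

```vbscript
<%
' Added diagnostic page (not from the thread). Assumes classic ASP on IIS 6 with
' Integrated Windows Authentication; TARGET_GROUP_DN is a placeholder to replace.
Option Explicit
Const TARGET_GROUP_DN = "CN=AppUsers,OU=Groups,DC=example,DC=com"

' Direct membership only: memberOf lists neither nested groups nor the primary group.
Function IsDirectMember(adUser, groupDN)
    Dim groups, g
    IsDirectMember = False
    On Error Resume Next
    groups = adUser.GetEx("memberOf")   ' GetEx always returns an array, so no VarType switch
    If Err.Number <> 0 Then Exit Function   ' attribute absent: user is in no groups
    On Error GoTo 0
    For Each g In groups
        If LCase(g) = LCase(groupDN) Then IsDirectMember = True
    Next
End Function

' 1. What did IIS authenticate? An empty LOGON_USER means the 401 negotiation never completed.
Dim authType, logonUser
authType  = Request.ServerVariables("AUTH_TYPE")    ' "NTLM", "Negotiate" or ""
logonUser = Request.ServerVariables("LOGON_USER")   ' "DOMAIN\user" or ""
Response.Write "AUTH_TYPE=" & authType & " LOGON_USER=" & logonUser & "<BR>"
If logonUser = "" Then
    Response.Write "Request is anonymous: check IIS Directory Security and the client's IWA setting.<BR>"
    Response.End
End If

' 2. The bind the thread's code does, with the error trapped instead of killing the page.
Dim sysInfo, userDN, userObj
On Error Resume Next
Set sysInfo = CreateObject("ADSystemInfo")
userDN = sysInfo.UserName                 ' DN of the token the script runs under
Set userObj = GetObject("LDAP://" & userDN)
If Err.Number <> 0 Then
    If Hex(Err.Number) = "80072020" Then
        ' Operations error from the DC: the user was authenticated to IIS, but the
        ' impersonated token holds no network credentials, so it cannot make the
        ' second hop from IIS to the domain controller (the double-hop limit).
        Response.Write "Bind failed 0x80072020: double hop, AUTH_TYPE=" & authType & "<BR>"
    Else
        Response.Write "Bind failed 0x" & Hex(Err.Number) & ": " & Err.Description & "<BR>"
    End If
    Response.End
End If
On Error GoTo 0

' 3. Membership check, comparing distinguished names case-insensitively.
Response.Write "Member of " & TARGET_GROUP_DN & ": " & IsDirectMember(userObj, TARGET_GROUP_DN) & "<BR>"
%>
```

With AUTH_TYPE reported as NTLM the second hop fails by design, which matches the thread's symptom of working only when the page is browsed on the server itself; Kerberos (Negotiate) with delegation configured for the web server, or running the directory lookup under a dedicated service account rather than the impersonated user, are the usual ways around it.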