Double Hop Issue? Tough problem...(For me)

I am trying to get a user's DN by translating the LOGON_USER NT4 format
variable. I am ONLY using Windows authentication for security settings.
This is a Windows 2000 IIS 5 Server. Here is the .asp that I've stripped
down.. feel free to paste the code for your own testing.. it works:

----------------- begin paste -----------
<%
' logon_user will be in DOMAIN\LANID format (NT4 format)
logonuser = Request.ServerVariables("LOGON_USER")

' sUserDN will be in CN=JOEUSER,CN=Users,DC=DOMAIN,DC=MYCORP,DC=COM format
sUserDN = getDN(logonuser)
Response.Write sUserDN

' and the getDN function looks like the following

Public Function getDN(NT4Name)
    ' NT4Name is in DOMAIN\LANID format (NT4 format)
    ' Function returns the DN for the NT4 name

    ' Gets the user's DN from the DOMAIN\NT name

    sDC = "DC01"

    Const ADS_NAME_INITTYPE_DOMAIN = 1
    Const ADS_NAME_INITTYPE_SERVER = 2
    Const ADS_NAME_INITTYPE_GC = 3

    Const ADS_NAME_TYPE_1779 = 1
    Const ADS_NAME_TYPE_NT4 = 3

    Set nto = CreateObject("NameTranslate")
    ' nto.InitEx ADS_NAME_INITTYPE_SERVER, sDC, sAdmin, sDomain, sAdmPwd
    nto.Init ADS_NAME_INITTYPE_SERVER, sDC
    nto.Set ADS_NAME_TYPE_NT4, NT4Name
    sUserDN = nto.Get(ADS_NAME_TYPE_1779)

    getDN = sUserDN
End Function
%>

-------------- end paste -----

The error I am getting is the following:

error '80090332'
The security context could not be established due to a failure in the
requested quality of service (e.g. mutual authentication or delegation).

-----------

If I am on a Windows 2000 Domain member or higher this works fine.. (I
understand it works when Kerberos Authentication is ok) I have trusted the
IIS server for Kerberos authentication so it's working fine provided
Kerberos Authentication is good...

The problem is IF the authentication drops down to NTLM (when using NT4 or a
non-domain member client (VPN'ed in, etc.)) this is really when it dumps
the above error.. any way around this?

So, is there any way to get a user DN another way? I know my problem is the
local IUSR_Machinename account doesn't have access to the LDAP directory...
so I was hoping to pass credentials through to the DC.

Are there other ways to accomplish this task? Once the DN is known I need
to check their group memberships to determine if they have access to a
particular function within an .asp so I'd have to connect to the LDAP
provider multiple times.. not just this once..

Lastly, if there is no way to allow for this to work with the above code
snip.. can I at least trap that error to display "Kerberos not working"
instead of that ugly mess for users? I can't seem to trap that error...

Any help would be much appreciated.. Thank you


Jul 19 '05 #1
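
Added example, not part of the original thread: one way to trap the 80090332 failure the post asks about, by giving the lookup its own `On Error Resume Next` scope and handing the error number back to the page. `TryGetDN` and `ERR_SEC_CONTEXT_QOS` are names made up for this example; `DC01` and the ADSI constant values are taken from the post.

```vbscript
<%
Const ADS_NAME_INITTYPE_SERVER = 2
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3
' Hypothetical name for the error code shown in the post (error '80090332')
Const ERR_SEC_CONTEXT_QOS = &H80090332

' Returns 0 and fills sUserDN on success, otherwise returns the error number.
' VBScript passes arguments ByRef by default, so sUserDN reaches the caller.
Function TryGetDN(NT4Name, sDC, sUserDN)
    Dim nto
    sUserDN = ""
    On Error Resume Next            ' error handling applies to this procedure only
    Set nto = CreateObject("NameTranslate")
    ' Stop at the first failing call so Err still describes that call
    If Err.Number = 0 Then nto.Init ADS_NAME_INITTYPE_SERVER, sDC
    If Err.Number = 0 Then nto.Set ADS_NAME_TYPE_NT4, NT4Name
    If Err.Number = 0 Then sUserDN = nto.Get(ADS_NAME_TYPE_1779)
    TryGetDN = Err.Number
    On Error GoTo 0                 ' restore default handling and clear Err
End Function

Dim logonUser, authType, userDN, rc
logonUser = Request.ServerVariables("LOGON_USER")   ' DOMAIN\LANID
authType  = Request.ServerVariables("AUTH_TYPE")    ' scheme IIS used for this request

rc = TryGetDN(logonUser, "DC01", userDN)

If rc = 0 Then
    Response.Write Server.HTMLEncode(userDN)
ElseIf rc = ERR_SEC_CONTEXT_QOS Then
    ' The failure described in the post: the user's identity could not be
    ' delegated from the web server to the DC
    Response.Write "Kerberos not working (request authenticated as " & _
                   Server.HTMLEncode(authType) & ")"
Else
    Response.Write "Directory lookup failed, error 0x" & Hex(rc)
End If
%>
```

This only replaces the raw error page with a readable message; the lookup itself still fails for clients that authenticate with NTLM, as the post describes.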
Is there another group I should post this in?

thanks..

Jul 19 '05 #2
Hi Anthony,
Did you get your problem solved? I am having the same problem. Thanks.

Jul 19 '05 #3