Double Hop issue? HELP!
From: Anthony (antgoodlife_at_nospam.comcast.net)
Date: Wed, 18 Aug 2004 21:06:55 -0400
sorry for the x-post, I didn't recieve a response and thought I might have
been in the wrong group... thanks..
--- I am trying to get a users DN by translating the LOGON_USER NT4 format variable. I am ONLY using windows authentication for security settings: This is a Windows 2000 IIS 5 Server. Here is the .asp that I've stripped down.. feel free to paste the code for your own testing.. it works: ----------------- begin paste-- ----------- <% ' logon_user will be in DOMAIN\LANID format (NT4 Format) logonuser = Request.ServerVariables("LOGON_USER") 'sUser DN will be in CN=JOEUSER,CN=Users,DC=DOMAIN,DC=MYCORP,DC=COM sUserDN = getdn(logonuser) response.write sUserDN ' and getdn function looks like the following public function getDN(NT4Name) ' NT4Name DOMAIN\LANID format (NT4 Format) ' Function returns DN from NT4 Name ' Gets the users DN from the DOMAIN/NT Name sDC = "DC01" const ADS_NAME_INITTYPE_DOMAIN = 1 const ADS_NAME_INITTYPE_SERVER = 2 const ADS_NAME_INITTYPE_GC = 3 const ADS_NAME_TYPE_1779 = 1 const ADS_NAME_TYPE_NT4 = 3 Set nto = CreateObject("NameTranslate") 'nto.InitEx ADS_NAME_INITTYPE_SERVER, sDC, sAdmin, sDomain, sAdmPwd nto.Init ADS_NAME_INITTYPE_SERVER, sDC nto.Set ADS_NAME_TYPE_NT4, NT4Name sUserDN = nto.Get(ADS_NAME_TYPE_1779) getDN = sUserDN end function %> -------------- end paste ----- The error I am getting is the following.. : error '80090332' The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation). ----------- If I am on a Windows 2000 Domain member or higher this works fine.. (I understand it works when Kerberos Authentication is ok) I have trusted the IIS server for kerberos authentication so it's working fine provided Kerberos Authentication is good... The problem is IF the authentication drops down to NTLM (When using NT4 or a non-domain member client (VPN'ed in ..etc..)) this is really when it dumps the above error.. anyway around this?? So, Is there anyway to get a userDN another way? I know my problem is the local IUSR_Machinename account doesn't have access to the LDAP directory... so I was hoping to pass credentials through to the DC. Are there other ways to accomplish this task? Once the DN is known I need to check their group memberships to determine if they have access to a particular function within an .asp so I'd have to connect to the ldap provider multiple times.. not just this once.. Lastly, if there is no way to allow for this to work with the above code snip.. can I at least trap that error to display "Kerberos not working" instead of that ugly mess for users? I can't seem to trap that error... Any help would be much appreciated.. Thank you