Double Hop issue? HELP!

From: Anthony (
Date: 08/19/04

Date: Wed, 18 Aug 2004 21:06:55 -0400

sorry for the x-post, I didn't recieve a response and thought I might have
been in the wrong group... thanks..

I am trying to get a users DN by translating the LOGON_USER NT4 format
variable.  I am ONLY using windows authentication for security settings:
This is a Windows 2000 IIS 5 Server.  Here is the .asp that I've stripped
down.. feel free to paste the code for your own testing.. it works:
----------------- begin paste-- -----------
' logon_user will be in DOMAIN\LANID format  (NT4 Format)
logonuser = Request.ServerVariables("LOGON_USER")
sUserDN = getdn(logonuser)
response.write sUserDN
' and getdn function looks like the following
public function getDN(NT4Name)
' NT4Name DOMAIN\LANID format  (NT4 Format)
' Function returns DN from NT4 Name
' Gets the users DN from the DOMAIN/NT Name
sDC = "DC01"
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_NT4 = 3
Set nto = CreateObject("NameTranslate")
'nto.InitEx ADS_NAME_INITTYPE_SERVER, sDC, sAdmin, sDomain, sAdmPwd
nto.Set ADS_NAME_TYPE_NT4, NT4Name
sUserDN = nto.Get(ADS_NAME_TYPE_1779)
getDN = sUserDN
end function
-------------- end paste -----
The error I am getting is the following.. :
error '80090332'
The security context could not be established due to a failure in the
requested quality of service (e.g. mutual authentication or delegation).
If I am on a Windows 2000 Domain member or higher this works fine.. (I
understand it works when Kerberos Authentication is ok)  I have trusted the
IIS server for kerberos authentication so it's working fine provided
Kerberos Authentication is good...
The problem is IF the authentication drops down to NTLM (When using NT4 or a
non-domain member client (VPN'ed in ..etc..)) this is really when it dumps
the above error..  anyway around this??
So, Is there anyway to get a userDN another way?  I know my problem is the
local IUSR_Machinename account doesn't have access to the LDAP directory...
so I was hoping to pass credentials through to the DC.
Are there other ways to accomplish this task?  Once the DN is known I need
to check their group memberships to determine if they have access to a
particular function within an .asp so I'd have to connect to the ldap
provider multiple times.. not just this once..
Lastly, if there is no way to allow for this to work with the above code
snip.. can I at least trap that error to display "Kerberos not working"
instead of that ugly mess for users?  I can't seem to trap that error...
Any help would be much appreciated.. Thank you