Re: Remote user authentication question
From: A.Klimkin (aklimkin)
Date: 07/28/05
- Previous message: Miha Pihler [MVP]: "Re: SSL Certificates"
- In reply to: Tom Kaminski [MVP]: "Re: Remote user authentication question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Jul 2005 11:49:45 +0400
Thanks for pointing me in a direction!
But this code isn't working for me. Darn.
Specifically:
5.1 Display All Users in a Group

Sub PullAllUserFromGroup(strDomain,strGroup)
    Dim Group
    Dim User
    Set Group = GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")
    For Each User in Group.Members
        Response.Write User.Name
    Next
End Sub

Works great, but this isn't what I want. Let's see.
'PullAllUserFromGroup ".","Administrators"' returns me 'Administrator',
'Domain Admins' - and that's right, but that's all.
What I really want to know is whether the remote user belongs to the local
Administrators group, being authenticated. In other words, if the remote
user is explicitly listed in this group OR if it's an implicit member by group
nesting.
Further investigation shows many limitations of this approach that make the
whole task close to impossible to achieve. I mean that (as MSDN says) the
IADsGroup.IsMember method determines if a directory service object is an
immediate member of the group, so this method does not verify membership in
any nested groups. And another thing, the IADsGroup.IsMember method does not
support using a SID ADsPath for verification if a member belongs to a group
through the WinNT provider.
I tried a slightly different method with the same code:
'PullAllUserFromGroup "MyDomain","Domain Admins"'
But I always got '80070035' error here while calling Set Group =
GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")
I don't know what this error means exactly, but I suppose that the WinNT://
provider doesn't work properly with an AD domain.
I tried to use the LDAP:// provider (of course, using the appropriate moniker
string syntax) with nearly the same result, but a different error code,
'80005000' E_ADS_BAD_PATHNAME, but I'm 100% sure that the AD path specified is
VERY good, because when I call the same code through WSH it works great. In
this case I suppose there are some security (or other) limitations of calling
this code from within the IIS server context vs. an interactively logged-on
domain user context.
If anyone has any suggestions, you're still welcome ;-)
Regards,
Andrew
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:uPXOH$rkFHA.3436@tk2msftngp13.phx.gbl...
> "A.Klimkin" <aklimkin at mail dot ru> wrote in message
> news:eZzhOBpkFHA.2484@TK2MSFTNGP15.phx.gbl...
>> Hello, NG
>>
>> I'm a beginner web developer, so please be patient on answering my
>> question :-)
>> I've IIS6 web server and some plain ASP web application. IIS server and
>> all my clients all running within same AD domain. All clients running
>> IE6SP1.
>> I want to generate different html output for remote users depending on
>> what particular security group they belong to. I disabled anonymous
>> access to my asp files and allowed NTLM client authentication.
>> Now I've got remote user name via Request.ServerVariables("REMOTE_USER").
>> And the question is how can I find (within my plain ASP code) if this
>> user belongs to some local (or domain) security group ('Administrators',
>> for example)?
>>
>> Thanks anyone for the input.
>
> Check this out:
> http://www.15seconds.com/issue/020130.htm
>
> See 5.2 ...
>
> --
> Tom Kaminski IIS MVP
> http://www.microsoft.com/windowsserver2003/community/centers/iis/
> http://mvp.support.microsoft.com/
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running
> IIS
>
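
The nested-membership check the post asks about, as an added example that is not part of the original thread: a recursive walk over IADsGroup.Members through the WinNT provider, since IsMember only sees immediate members. The function names are hypothetical, and it assumes the GetObject binds succeed in the calling context and that REMOTE_USER has the form DOMAIN\user.

```vbscript
' Added example, not code from the thread. IsNestedMember and WalkGroup are
' hypothetical names. Paths are WinNT ADsPaths, e.g. "WinNT://MYDOMAIN/jdoe".

' True if strUserPath is a direct or nested member of the group at strGroupPath.
Function IsNestedMember(strGroupPath, strUserPath)
    Dim dictSeen
    Set dictSeen = CreateObject("Scripting.Dictionary")
    dictSeen.CompareMode = vbTextCompare      ' group paths compared case-insensitively
    IsNestedMember = WalkGroup(strGroupPath, strUserPath, dictSeen)
End Function

Function WalkGroup(strGroupPath, strUserPath, dictSeen)
    Dim objGroup, objMember
    WalkGroup = False

    ' Cycle guard: group A may contain group B which contains group A.
    If dictSeen.Exists(strGroupPath) Then Exit Function
    dictSeen.Add strGroupPath, True

    ' A group that cannot be bound counts as "not a member" (fail closed),
    ' so a directory error never grants access.
    On Error Resume Next
    Set objGroup = GetObject(strGroupPath & ",group")
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    For Each objMember In objGroup.Members
        If StrComp(objMember.ADsPath, strUserPath, vbTextCompare) = 0 Then
            WalkGroup = True
            Exit Function
        End If
        ' IsMember stops at this level; recurse into member groups instead.
        If LCase(objMember.Class) = "group" Then
            If WalkGroup(objMember.ADsPath, strUserPath, dictSeen) Then
                WalkGroup = True
                Exit Function
            End If
        End If
    Next
End Function

' Usage in an ASP page (assumes REMOTE_USER looks like "MYDOMAIN\jdoe"):
' strUser = "WinNT://" & Replace(Request.ServerVariables("REMOTE_USER"), "\", "/")
' If IsNestedMember("WinNT://./Administrators", strUser) Then ... End If
```

Members that the provider cannot resolve to an account show up with a SID-style path and will not match the user path, so they are treated as non-members.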