Re: Remote user authentication question
From: A.Klimkin (aklimkin)
Date: Thu, 28 Jul 2005 11:49:45 +0400
Thanks for pointig me a direction!
But this code isn't working for me. Darn.
5.1 Display All Users in a Group
Set Group = GetObject("WinNT://" & strDomain & "/" & strGroup &
For Each User in Group.Members
End SubWorks great, but this isn't what I want. Let's see.
'PullAllUserFromGroup ".","Administrators"' returns me 'Administrator',
'Domain Admins' - and that's right, but that's all.
What I really want to know, whether remote user belongs to local
Administrators group, being authenticated. In other words, if the remote
user explicitely listed in this group OR if it's an implicit member by group
Future investigations shows many limitations of this approach that make the
hole task close to impossible to achieve. I mean that (as MSDN says)
IADsGroup.IsMember method determines if a directory service object is an
immediate member of the group, so this method does not verify membership in
any nested groups. And another thing, the IADsGroup.IsMember method does not
support using a SID ADsPath for verification if a member belongs to a group
through the WinNT provider.
I tried sligtly different method with the same code:
'PullAllUserFromGroup "MyDomain","Domain Admins"'
But I always got '80070035' error here while calling Set Group =
GetObject("WinNT://" & strDomain & "/" & strGroup & ",group")
I don't know what does this error mean exactly, but suppose that WinNT://
provider isn't work properly with AD domain.
I tried to use LDAP:// provider (of course, using appropriate moniker string
syntax) with nearly same result, but different error code '80005000'
E_ADS_BAD_PATHNAME, but I 100% sure that the AD path specified is VERY good.
Because when I call the same code through WSH it works great. In this case I
suppose there are some security (or other) limitations of calling this code
from withih IIS server context vs. interactively logged on domain user
If anyone has any suggestions, you're still welcome ;-)
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> "A.Klimkin" <aklimkin at mail dot ru> wrote in message
>> Hello, NG
>> I'm a beginner web developer, so please be patient on answering my
>> question :-)
>> I've IIS6 web server and some plain ASP web application. IIS server and
>> all my clients all running within same AD domain. All cients running
>> I want to generate different html output for remote users depending on
>> what particular security group they belong to. I disabled anonymous
>> access to my asp files and allowed NTLM client authentication.
>> Now I've got remote user name via Request.ServerVariable("REMOTE_USER").
>> And the question is how can I find (within my plain ASP code) if this
>> user belongs to some local (or domain) security group ('Administrators',
>> for example)?
>> Thanks anyone for the input.
> Check this out:
> See 5.2 ...
> Tom Kaminski IIS MVP
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running