Question

Double-hop authentication with ADSI

Asked by: Jharper

Ok.. This one is driving me crazy! I am trying to solve a problem for our developers. I'm no programmer, but I made a basic page to update the description field of a test user in AD. I want my credentials to pass through this page to make the AD changes (I am a domain admin).

This page works if I make the following changes in IIS:
- I setup myself as the anonymous user and click on the page.
- It also works if I turn on just basic authentication and log in when prompted.
- When I pass my user info through the OpenDSObject() function.

This page does not work when I:
- Just enable Windows Integrated Authentication.
- Set the OpenDSObject() username and password to NULL, which is supposed to pass the caller's credentials. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsopendsobject_opendsobject.asp

Things I have done:
- I have changed the Metabase to NTAuthenticationProviders="Negotiate,NTLM"
- All this stuff: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx

Any help with this would be much appreciated!

CODE:

<%
strContainer = "cn=Users"
strName = "john smith"

Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4
Const ADS_SECURE_AUTHENTICATION = 1


'***********************************************
'*          Connect to an object                 *
'***********************************************
oUsername=vbNullString
oPassword=vbNullString
Set objRootDSE = GetObject("LDAP://rootDSE")
Set openDS = GetObject("LDAP:")
If strContainer = "" Then
  Set objItem = GetObject("LDAP://" & _
    objRootDSE.Get("defaultNamingContext"))
Else
  Response.Write "LDAP://cn=" & strName & "," & strContainer & "," & objRootDSE.Get("defaultNamingContext") & "<br>"
  Set objItem = openDS.OpenDSObject("LDAP://cn=" & strName & "," & strContainer & "," & objRootDSE.Get("defaultNamingContext"),oUsername,oPassword,ADS_SECURE_AUTHENTICATION)
End If
'***********************************************
'*         End connect to an object           *
'***********************************************

Response.Write "Was: <BR>"
Response.Write objItem.DisplayName & "<BR>"
Response.Write objItem.Description & "<BR>"
Response.Write "<BR>"

objItem.Put "givenName", "John"
objItem.SetInfo
objItem.Put "initials", "JS"
objItem.SetInfo
objItem.Put "sn", "Smith"
objItem.SetInfo
objItem.Put "displayName", "John Smith"
objItem.SetInfo
objItem.Put "description", "Generated by ADTEST1"
objItem.SetInfo
objItem.Put "physicalDeliveryOfficeName", "DALLAS"
objItem.SetInfo
objItem.Put "telephoneNumber", "214-555-1212"
objItem.SetInfo
objItem.Put "mail", "jsmith@xxx.com"
objItem.SetInfo
objItem.Put "wWWHomePage", " "
objItem.SetInfo

Response.Write "Now: <BR>"
Response.Write objItem.DisplayName & "<BR>"
Response.Write objItem.Description & "<BR>"

objItem.PutEx ADS_PROPERTY_UPDATE, "otherTelephone", _
  Array("VALUE1", "VALUE2", "...VALUEn")
objItem.SetInfo
objItem.PutEx ADS_PROPERTY_UPDATE, "url", _
  Array("VALUE1", "VALUE2", "...VALUEn")
objItem.SetInfo

objItem.Put "streetAddress", "123 Main Street"
objItem.SetInfo
objItem.Put "l", " "
objItem.SetInfo
objItem.Put "st", "TX"
objItem.SetInfo
objItem.Put "postalCode", "75201"
objItem.SetInfo

'Response.Write VbCrLf & "**Non-standard value on Address Properties Page**"
'See Script Notes for information on setting this value.
'objItem.Put "c", "1"
'objItem.SetInfo

objItem.PutEx ADS_PROPERTY_UPDATE, "postOfficeBox", _
  Array("VALUE1", "VALUE2", "...VALUEn")
objItem.SetInfo

objItem.Put "profilePath", " "
objItem.SetInfo
objItem.Put "scriptPath", " "
objItem.SetInfo
objItem.Put "homeDirectory", " "
objItem.SetInfo

'See Script Notes for information on setting this value.
objItem.Put "homeDrive", " "
objItem.SetInfo

objItem.Put "homePhone", "214-555-1212"
objItem.SetInfo
objItem.Put "pager", "214-555-1212"
objItem.SetInfo
objItem.Put "mobile", "214-555-1212"
objItem.SetInfo
objItem.Put "facsimileTelephoneNumber", "214-555-1212"
objItem.SetInfo
objItem.Put "ipPhone", "214-555-1212"
objItem.SetInfo
objItem.Put "info", "214-555-1212"
objItem.SetInfo

objItem.PutEx ADS_PROPERTY_UPDATE, "otherHomePhone", _
  Array("VALUE1", "VALUE2", "...VALUEn")
objItem.SetInfo
objItem.PutEx ADS_PROPERTY_UPDATE, "otherPager", _
  Array("VALUE1", "VALUE2", "...VALUEn")
objItem.SetInfo
objItem.PutEx ADS_PROPERTY_UPDATE, "otherMobile", _
  Array("VALUE1", "VALUE2", "...VALUEn")
objItem.SetInfo
objItem.PutEx ADS_PROPERTY_UPDATE, "otherFacsimileTelephoneNumber", _
  Array("VALUE1", "VALUE2", "...VALUEn")
objItem.SetInfo
objItem.PutEx ADS_PROPERTY_UPDATE, "otherIpPhone", _
  Array("VALUE1", "VALUE2", "...VALUEn")
objItem.SetInfo

objItem.Put "title", "Computer User"
objItem.SetInfo
objItem.Put "department", "IT"
objItem.SetInfo
objItem.Put "company", "XXX"
objItem.SetInfo

'See Script Notes for information on setting this value.
objItem.Put "manager", " "
objItem.SetInfo

objItem.SetInfo
%>

Asked On: 2005-06-10 at 06:47:31 (ID 21453783)
Topic: Active Server Pages (ASP)
Participating Experts: 2
Points: 300
Comments: 9


Answers

 

by: marc_nivens, posted on 2005-06-10 at 23:18:26, ID: 14194382

With double hop authentication you have to use Kerberos because NTLM will not work. To set up IIS to use Kerberos, follow this article: http://support.microsoft.com/?id=326089. Once you enable Kerberos for IIS, just set the authentication to integrated windows only and leave OpenDSObject() null. Before you were authenticating with NTLM and double hop was failing. Once you're in with Kerberos it shouldn't be a problem. Oh, and make sure you bind to the FQDN of the server or the authentication package will revert back to NTLM.

 

by: Jharper, posted on 2005-06-13 at 08:31:00, ID: 14203240

I still get the following error... If I pass my username and password through OpenDSObject() it works fine.

error '80072020'
/adsi/adtest1.asp, line 24

 

by: ihenry, posted on 2005-06-13 at 09:28:37, ID: 14203828

If you explicitly pass the user name and password, ADSI will use that information to bind to your active directory server, which could explain why your code worked. And if you pass a null password, regardless of user name, ADSI will use whatever security context your application is running under.

There are several places to check before kerberos authentication can take place.
(Please read the IIS, IE and active directory section)
http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

Also a couple more things to check:
1. "Account is sensitive and cannot be delegated" option for the user account is unselected
2. "Enable computer and user accounts to be trusted for delegation" in Local Security Policy
(or Domain Security Policy) is not accidentally disabled
3. All computers participating in delegation must have the same time settings. The Time
Zone and "Automatically adjust clock for daylight saving changes" settings have the same
value on all computers where you are going to use Kerberos delegation.

And if you're using the Mozilla Firefox browser, please take a look at this
http://blogs.sun.com/roller/page/wyllys/Weblog/kerberos_web_authentiation_with_apache?catname=

HTH
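The two replies above amount to a checklist: Kerberos (not NTLM) must be negotiated on the first hop, which depends on the right HTTP SPNs being on the identity IIS runs as and on the browser using the FQDN; the calling user must not be marked "sensitive and cannot be delegated"; the IIS identity must be allowed to delegate; and the clocks must agree. The script below is an added example, not code from this thread or from Microsoft, that turns those checks into a pre-flight report. It assumes the ActiveDirectory PowerShell module (RSAT), a service account as the app pool identity, and placeholder names (`myweb1.example.com`, `iiskerberos`, `jharper`, `ldap/dc1.example.com`) that you would replace with your own.

```powershell
# Added example, not code from the thread: pre-flight checks for Kerberos
# double-hop from IIS. Requires the ActiveDirectory module (RSAT).
# All host and account names below are placeholders.
param(
    [string]$WebHost        = 'myweb1.example.com',   # FQDN users browse to (bind to this, not the short name)
    [string]$AppPoolAccount = 'iiskerberos',          # service account the app pool runs as
    [string]$CallingUser    = 'jharper',              # account whose identity must hop to AD
    [string]$BackendSpn     = 'ldap/dc1.example.com'  # second-hop service the page binds to
)
Import-Module ActiveDirectory -ErrorAction Stop

$findings  = New-Object System.Collections.Generic.List[string]
$shortHost = ($WebHost -split '\.')[0]
$svc = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName,
           TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 1. SPNs on the app pool identity. Without HTTP/<fqdn> and HTTP/<short>,
#    Negotiate falls back to NTLM and the second hop fails with an access error.
foreach ($spn in "HTTP/$WebHost", "HTTP/$shortHost") {
    if (-not ($svc.servicePrincipalName -contains $spn)) {
        $findings.Add("missing SPN $spn on $AppPoolAccount (setspn -S $spn $AppPoolAccount)")
    }
    # The same SPN on a second account (for example a node's computer account)
    # also breaks Kerberos silently, so look for duplicates forest-wide.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) {
        $findings.Add("SPN $spn is registered on more than one account: $($owners.Name -join ', ')")
    }
}

# 2. The calling user must not carry "Account is sensitive and cannot be delegated".
$user = Get-ADUser -Identity $CallingUser -Properties AccountNotDelegated
if ($user.AccountNotDelegated) {
    $findings.Add("$CallingUser has 'Account is sensitive and cannot be delegated' set")
}

# 3. Delegation on the IIS identity: constrained delegation lists the backend SPN
#    in msDS-AllowedToDelegateTo; unconstrained delegation sets TrustedForDelegation.
$allowed = @($svc.'msDS-AllowedToDelegateTo')
if (-not $svc.TrustedForDelegation -and -not ($allowed -contains $BackendSpn)) {
    $findings.Add("$AppPoolAccount is not trusted to delegate to $BackendSpn")
}

# 4. Clock skew: Kerberos rejects tickets outside the skew window (5 minutes by default).
#    w32tm /stripchart prints one "HH:MM:SS, +00.0012345s" line per sample.
$dc   = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$line = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
if ($line -match ',\s*([+-][\d.]+)s') {
    $skew = [math]::Abs([double]$matches[1])
    if ($skew -gt 300) { $findings.Add("clock skew to $dc is $skew s (limit 300 s)") }
}

if ($findings.Count -eq 0) { "All double-hop pre-flight checks passed for $WebHost" }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it on the web server as an account that can read AD. Each FAIL line maps to one item in the replies above; the SPN check is the one that most often explains "works with explicit credentials, fails with null credentials", because an NTLM token has no ticket to forward on the second hop.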

 

by: Jharper, posted on 2005-06-17 at 06:41:42, ID: 14240665

Thanks for the info, but after looking at the advice above I'm still having the same problem.

More Info:
I'm using IE and running this app from a Windows 2003 server. Could it be a setting in IIS6 that is blocking this, or do I have to configure impersonation?

 

by: ihenry, posted on 2005-06-17 at 09:23:15, ID: 14242600

If I still remember correctly, in (old) ASP IIS impersonates the authenticated user by default. So if you have properly configured all the necessary setup for Windows authentication, I don't think you need to do anything else in your IIS6.

I may have a few more suggestions for you, but I think it'd be more helpful if you start from this document.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx?pf=true

 

by: Jharper, posted on 2005-07-12 at 06:44:25, ID: 14421277

I'm still having issues with this. I've read through many docs at this point, but none are clear on this type of setup. Can anyone post a step by step configuration?

 

by: ihenry, posted on 2005-07-13 at 06:53:25, ID: 14430955

Jharper,
I'm not sure I could find any documentation better than what I have posted above, as this isn't really a programming issue anymore. And unfortunately I'm not a system admin myself, so I guess I can't help you further on this. You might want to post a new question in the Win2K3 and IIS TAs that links to here, and hopefully someone there could give better suggestions.

Good luck!
Henry

 

by: Jharper, posted on 2005-08-02 at 13:10:04, ID: 14582935

After much investigation, I have concluded that our current environment does not support IIS double-hop authentication. We need to upgrade all of our remaining DCs to Windows 2003 and update to Windows 2003 Functional Level AD. I've just done this and I'll try to get this working again.

Reference 1:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
"Constrained delegation is restricted to services in a single domain. All domain controllers in the domain must be running Windows Server 2003, and the domain must be operating at the Windows Server 2003 functional level."


Reference 2:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
Table 1 Pass-through authentication configuration requirements

Authentication method                           | Additional configuration for pass-through authentication
Basic with SSL                                  | None
Kerberos via Integrated Windows authentication  | Constrained delegation  <-- This is what we are attempting, and it requires Windows 2003 Functional Level AD (see Reference 1).
NTLM via Integrated Windows authentication      | Constrained delegation and protocol transitioning
Digest                                          | Constrained delegation and protocol transitioning
Client certificate                              | Constrained delegation and protocol transitioning

 

by: Jharper, posted on 2005-08-18 at 12:12:07, ID: 14703457

I was able to do double-hop authentication to a file server after upgrading to Windows Server 2003 Functional Level.

- IIS is using only Windows Integrated Authentication and the user under the DefaultAppPool is Network Service.
C:\Documents and Settings\jharper>setspn -l XYZ00001
Registered ServicePrincipalNames for CN=XYZ00001,OU=Production,OU=Servers,OU=Servers and Computers,DC=xyz,DC=com:
HOST/XYZ00001
HOST/xyz00001.123.com
SMTPSVC/XYZ00001
SMTPSVC/xyz00001.123.com

**Load balanced web servers whose DefaultAppPool runs under hbk\iiskerberos require an additional SPN, but the computer account should look like the above.
Reference: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx
- IIS is using only Windows Integrated Authentication and the user under the DefaultAppPool is xyz\iiskerberos.
C:\Documents and Settings\jharper>setspn -l xyz\iiskerberos
Registered ServicePrincipalNames for CN=iiskerberos,CN=Users,DC=hbk,DC=com:
http/mylwebcl1.123.com
HTTP/myweb1.123.com
HTTP/myweb6
HTTP/myweb5
HTTP/myweb6.123.com
HTTP/myweb5.123.com
HTTP/mywebcl1
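The working configuration above has two parts: every name a browser can use for the farm (the load-balanced name plus each node, short and FQDN) carries an HTTP SPN on the shared app pool service account, and that account is allowed to delegate to the file server (Reference 1 in the earlier post, Kerberos-only constrained delegation). The script below is an added example, not the poster's or Microsoft's code, that performs both steps so they can be repeated on a new farm. It assumes the ActiveDirectory module (RSAT), `setspn.exe`, and placeholder names (`example.com`, `iiskerberos`, `mywebcl1`, `myweb5`/`myweb6`, `fs1`) that you would replace with your own.

```powershell
# Added example, not code from the thread: register farm HTTP SPNs on the shared
# app pool account and grant it Kerberos-only constrained delegation to the file
# server reached on the second hop. Requires the ActiveDirectory module (RSAT)
# and setspn.exe. All names are placeholders.
param(
    [string]   $Domain         = 'example.com',
    [string]   $AppPoolAccount = 'iiskerberos',          # shared identity of DefaultAppPool on every node
    [string]   $FarmName       = 'mywebcl1',             # load-balanced name users browse to
    [string[]] $Nodes          = @('myweb5', 'myweb6'),  # individual web servers behind the balancer
    [string]   $FileServer     = 'fs1'                   # second-hop target (CIFS)
)
Import-Module ActiveDirectory -ErrorAction Stop

# The client builds the SPN from the host part of the URL it was given, so each
# name needs both a short and an FQDN SPN, exactly as in the setspn -l output above.
$hosts = @($FarmName) + $Nodes
$spns  = foreach ($h in $hosts) { "HTTP/$h"; "HTTP/$h.$Domain" }

foreach ($spn in $spns) {
    # setspn -S checks the forest for a duplicate before adding; a node that was
    # given the SPN on its own computer account is reported instead of doubled up.
    $out = & setspn.exe -S $spn "$Domain\$AppPoolAccount" 2>&1
    if ($LASTEXITCODE -ne 0 -or ($out -match 'Duplicate')) {
        Write-Warning "setspn did not add $spn : $($out -join ' ')"
    }
}

# Kerberos-only constrained delegation: list the exact second-hop services in
# msDS-AllowedToDelegateTo. No userAccountControl flag is needed for this mode;
# TrustedToAuthForDelegation (protocol transition) is only for non-Kerberos front ends.
$targets  = "cifs/$FileServer", "cifs/$FileServer.$Domain"
$existing = @((Get-ADUser -Identity $AppPoolAccount -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo')
$new      = @($targets | Where-Object { $existing -notcontains $_ })   # -Add errors on values already present
if ($new.Count -gt 0) {
    Set-ADUser -Identity $AppPoolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $new }
}

# Show the result in the same shape as setspn -l, so it can be compared with the post above.
$acct = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'
"SPNs on $($AppPoolAccount):"
$acct.servicePrincipalName | Sort-Object
"Allowed to delegate to:"
$acct.'msDS-AllowedToDelegateTo'
```

Listing only `cifs/<fileserver>` in `msDS-AllowedToDelegateTo` is the point of constrained delegation: a compromise of the web server lets an attacker impersonate users only to that one service rather than anywhere in the domain, which is why the table in the earlier post calls for it over unconstrained "Trust this computer for delegation to any service".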
