
Help on IIS Authentication using ASP

I am currently developing software that uses Microsoft 2000 Exchange Server. I would like to ask how to use an HTTP form to do the basic authentication using ASP and VBScript instead of the dialog pop-up prompt of NT Authentication.

It is not a good suggestion to set the security of the NT authentication to anonymous login and handle the security ourselves due to the software requirements. Also, NT Challenge Response is not possible either.

Is it possible to do it with ADSI and LDAP? If so, how? It would be greatly appreciated if you could offer some examples.
0
h9925631
 
Michel Sakr Commented:
you can't, for the simple reason that you won't be able to fetch the password.. and both ways you'll need NT authentication.. using ADSI you can mainly get user info from the directory..


<%
sLogonUser = Request.ServerVariables("Logon_User")
sDomain = Mid(sLogonUser, 1, Instr(1, sLogonUser, "\") - 1)
sLogonName = Mid(sLogonUser, Instr(1, sLogonUser, "\") + 1)

Response.Write GetUserFullName(sDomain, sLogonName)

Function GetUserFullName(sDomainName, sLogonName)
   On Error Resume Next
   
   Set oUser = GetObject("WinNT://" & sDomainName & "/" & sLogonName & ",user")
   GetUserFullName = oUser.FullName
   Set oUser = Nothing
   
   If Err <> 0 Then
       GetUserFullName = "User not found"
   End If
End Function
%>

-----------------------------------------------------------

' get a reference to that user (it's of data type IADSUser)
Set oUser = GetObject("WinNT://" & sDomainName & "/" & sLogonName & ",user")

' now, you can access its properties:
GetUserFullName = oUser.FullName

' listing the groups the user is in:
For Each oGroup in oUser.Groups
   Response.Write oGroup.Name & "<br>"
Next

-----------------------------------------------------------

Creating a user:

' Set up property values for the new user
sUsername =    "adsitester"
sFullName =    "ADSI Test Account"
sDescription = "A user account for testing ADSI"
sPassword =    "passworD2"

Set myComputer = GetObject("WinNT://servername")

' Create the new user account
Set newUser = myComputer.Create("user", sUsername)

' Set properties in the new user account
newUser.SetPassword sPassword
newUser.FullName = sFullName
newUser.Description = sDescription

newUser.SetInfo

-----------------------------------------------------------

Changing the password:

strMachine = "servername"
strUID = "username"
strPWDOld = "oldpwd"
strPWDNew = "newpwd"

Set objUser = GetObject("WinNT://" & strMachine & "/" & strUID & ",user")
' VBScript does not allow parentheses when calling a Sub with several arguments
objUser.ChangePassword strPWDOld, strPWDNew

-----------------------------------------------------------

The ADSI Scripting Reference is here: http://msdn.microsoft.com/library/default.asp?URL=/library/psdk/adsi/adsiscript_9lf0.htm


so I didn't quite understand.. how do you want the authentication? it's either NT or database driven.. nothing more..
0
 
h9925631 Author Commented:
If this is the case, is there any method that can perform the same function as the dialog pop-up prompt with an HTTP form?
0
 
ussu36 Commented:
You can use the integrated Windows authentication setting in IIS ... the users logged on to the domain won't have to give a password or username to get through.
Want details if interested?
0

 
h9925631 Author Commented:
Thanks for your comment. Would you mind telling me more about it? Is there any restriction about this, for example, browser limitation? Moreover, could it support multiple domains?
0
 
Michel Sakr Commented:

>Moreover, could it support multiple domains?

yes if trust relation is enabled between them

>browser limitation?

only Internet Explorer will work

in IIS site properties, directory security.. in anonymous access click edit.. disable anonymous login and tick integrated authentication at the bottom...


ussu36, don't lock the question by posting as an answer.. post as comments instead..

0
 
h9925631 Author Commented:
But does the integrated Windows authentication work over the internet?
0
 
Michel Sakr Commented:
no.. only on intranet.. over the internet you can only use a database driven authentication or NT challenge response:


How do I get the login name / username from the person visiting my page?

If you have disabled Anonymous access, then you should be able to retrieve the value from:
 
<%
    Response.Write Request.ServerVariables("logon_user")
%>
 
 
Note that IE is required to support Challenge/Response (IIS 4.0) or Integrated Windows Security (IIS 5.0).
 
If you can't disable Anonymous access, and/or need to support Netscape, then there is a possible alternative, provided you're not using DHCP. If your users have static IP addresses, you could store their usernames in a table and do a lookup against their IP:
 
<%
    Response.Write Request.ServerVariables("remote_addr")
%>
 
 
If you can't enforce either of those things, then you may have to resort to forcing your users to log in (even only once, then storing a cookie). I suppose this depends on balancing the importance of knowing who is on the site versus every user having to log in.


or:

How do I control access to an area?

Creating a login for a section of your web site is fairly easy. First, create a login form (loginForm.asp):
 
<form action=loginHandler.asp method=post>
        Username: <input type=text name='username'><BR>
        Password: <input type=password name='password'><BR>
        <input type=submit Value='Log In'><BR>
</form>
 
 
Next, create a login handler (loginHandler.asp):
 
<%
    '---------------------------------------------------------
    '-- check to see that the form was completely filled out--
    '---------------------------------------------------------
    if request.form("username")="" or request.form("password")="" then
        response.redirect("loginForm.asp")
    end if
 
    '---------------------------------------------------------
    '-- open your database connection and check for a record--
    '---------------------------------------------------------
    set conn = server.createObject("ADODB.Connection")
    conn.open "<insert connection string here>"
    u = lcase(request.form("username"))
    p = lcase(request.form("password"))
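    '-- bind the form values as parameters instead of
    '-- concatenating them into the SQL string
    set cmd = server.createObject("ADODB.Command")
    set cmd.activeConnection = conn
    cmd.commandText = "select lin = count(username) from logintable where lower(" & _
        "username)=? and lower(password)=?"
    '-- 200 = adVarChar, 1 = adParamInput, 255 = maximum length
    cmd.parameters.append cmd.createParameter("u", 200, 1, 255, u)
    cmd.parameters.append cmd.createParameter("p", 200, 1, 255, p)
    set rs = cmd.execute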
     
    '--------------------------------------------------------
    '-- Decide whether to let them in --
    '--------------------------------------------------------
    if rs("lin")<>1 then  
        'access Denied
        response.redirect ("loginForm.asp")
    end if
    session("login")=true
    response.redirect ("hiThere.asp")
%>
 
 
Finally, at the top of each page, you test the session variable that you assigned in the script above:
 
<%
    if not session("login") then
        response.redirect("loginForm.asp")
    end if
%>


0
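The database-driven login check from loginHandler.asp above, as an added example in Python (not code from the original post): the lookup uses a bound parameter, and the table holds a salted PBKDF2 hash instead of a lowercased plaintext password. The in-memory sqlite3 table, the salt and pwhash columns, the function names and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumption: PBKDF2 work factor chosen for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_store() -> sqlite3.Connection:
    """In-memory stand-in for the page's logintable (salt/pwhash are hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logintable (username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store the lowercased username with a fresh random salt and the derived hash."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO logintable (username, salt, pwhash) VALUES (?, ?, ?)",
        (username.lower(), salt, hash_password(password, salt)),
    )


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Return True only when the username exists and the password hash matches."""
    if not username or not password:
        return False  # same "form not filled out" rule as loginHandler.asp
    # Bound parameter: a quote in the username is data, not SQL syntax.
    row = conn.execute(
        "SELECT salt, pwhash FROM logintable WHERE username = ?",
        (username.lower(),),
    ).fetchone()
    if row is None:
        # Hash anyway so unknown and known usernames cost about the same time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed sample account for the demonstration.
store = create_store()
add_user(store, "demo_user", "Correct-Horse-9")
```

Usernames stay case-insensitive as in the original handler, but the password comparison is case-sensitive because the hash is computed over the exact characters submitted.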
 
mparter Commented:
Try having a look at my post here, I think this will solve your problem:

http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_20121949.html
0
 
hongjun Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
[points to Silvers5]

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

hongjun
EE Cleanup Volunteer
0
