Automate NT Authentication with IIS and ASP using LDAP or ADSI

I am developing an intranet for a client. They want to restrict the users' access to files in sub-directories of the intranet. There will be three Active Directory groups available.

Manager
Physician
Standard

Each user will be a member of one of those groups. There will be sub-directories within the intranet folder named: 'Manager, Physician, and Standard'. Each one allows users assigned to the respective groups.

Here is a standard example of what will occur on a daily basis:

1) User wakes up in the morning, drinks coffee, gets ready, goes to work.
2) Once at work, they boot up their computer.
3) They log on to their domain using the standard Windows log on.
4) They open IE and it directs them to the intranet site.

Now, at that point I want to retrieve the user's credentials. That way I can say, in code, if they are a member of the 'Managers' group, then show this relevant data. If not, restrict the data.

I have read that perhaps ADSI can do this, but can't find any specific examples.

How can I retrieve, and check, whether a user is a member of a specific group? Furthermore, how can I allow access to files in those subdirectories solely based on their Windows logon? Keep in mind, I do not want to do a second prompt for username and password. In other words, I don't want to turn off anonymous access and turn on basic authentication.

Thanks for the help,
Neil Brewer
L00M Asked:

SpideyMod Commented:
PAQ'd and all 100 points refunded.

SpideyMod
Community Support Moderator @Experts Exchange

L00M (Author) Commented:
I have refined my search to using solely LDAP. It seems I will still have to require the user to log in a second time once they hit the web page. Then, the username and password will be passed to the web server where the user is authenticated.

So, the solution I am still looking for is:

How can I use the initial Windows log in and pass the username and password to the web server, or somehow authenticate based on that initial log in? I do not want to make the user log in a second time.

-Neil

lavinder Commented:
Hi

1) You get the user's logon id through request.servervariables("LOGON_USER"); put that in a variable.

2) Here is the script to check whether the user exists in a group or not.

<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<html>
<head>
</head>
<body>
 <%
  dim username,groupname
  dim user
  dim groups,group,exists
  username=request.form("tuser")
  groupname=request.form("tgroup")

  if username<>"" and groupname<>"" then
   ' bind to the user object by its CN (adjust the OU/DC path to your domain)
   set user=getObject("LDAP://CN=" & username & ",OU=ou1,DC=mydomain,DC=com")
   user.getInfo()
   ' GetEx always returns an array, even when the user is in only one group;
   ' Get returns a plain string in that case and the For Each below would fail.
   ' (GetEx raises an error if the user is in no groups at all.)
   groups=user.getEx("memberOf")
   exists=false
   for each group in groups
    ' each value is the group's distinguished name, e.g. CN=Manager,OU=...
    response.write group & "<br>"
    ' instr is a substring match, so "Manager" also matches "Managers"
    if instr(1,group,groupname)>0 then exists=true
   next
   if exists then response.write "User exists in the group." else response.write "User does not exist in group."
   set user=nothing
  end if
 %>
 <form action="useringrp.asp" method="post">
  User Name<input type="text" name="tuser">
  in Group<input type="text" name="tgroup"><br>
  <input type="submit" value="User exists in Group ?">
 </form>
</body>
</html>

3) If the user exists in the group, you can redirect him/her to the folder you want and also set some internal flags for successful authentication.

4) In the target folders, give each of them a default ASP page. In that ASP page, check for the successful-authentication flags; if present, access is allowed, else not.

happy programming!!


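Putting the two parts of lavinder's answer together (LOGON_USER from IIS, then the memberOf check) as an added example that is not part of the original thread: a classic-ASP include that denies the page unless the already-authenticated Windows account is in a given AD group, with no form and no password handled by the page at all. The file name auth_check.asp, the search base DC=mydomain,DC=com and the group DNs are assumptions. It relies on Integrated Windows Authentication being enabled (and anonymous access disabled) on the IIS site, which is what lets a domain-joined IE client in the Intranet zone authenticate silently; only then is LOGON_USER populated.

```vbscript
<%
' auth_check.asp (assumed file name): include at the top of each protected page.
' Requires Integrated Windows Authentication on the IIS site; with anonymous
' access still allowed, LOGON_USER is blank and every page is denied (fail closed).

' Escape a value for use inside an LDAP filter (RFC 4515) so the account name
' cannot change the meaning of the query.
Function LdapEscape(s)
    Dim r
    r = Replace(s, "\", "\5c")
    r = Replace(r, "*", "\2a")
    r = Replace(r, "(", "\28")
    r = Replace(r, ")", "\29")
    r = Replace(r, Chr(0), "\00")
    LdapEscape = r
End Function

' Returns the sAMAccountName part of LOGON_USER ("DOMAIN\jdoe" -> "jdoe"),
' or "" when IIS did not authenticate the request.
Function CurrentAccount()
    Dim logon, p
    logon = Request.ServerVariables("LOGON_USER")
    p = InStrRev(logon, "\")
    If p > 0 Then logon = Mid(logon, p + 1)
    CurrentAccount = logon
End Function

' Looks the account up in AD by sAMAccountName (ADO over the ADsDSOObject
' provider) and returns True when its memberOf attribute contains groupDN
' exactly: a case-insensitive DN compare, not a substring match.
' Search base DC=mydomain,DC=com is an assumption.
Function IsMemberOf(account, groupDN)
    Dim conn, rs, vals, v
    IsMemberOf = False
    If account = "" Then Exit Function
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set rs = conn.Execute("<LDAP://DC=mydomain,DC=com>;" & _
        "(&(objectCategory=person)(sAMAccountName=" & LdapEscape(account) & "));" & _
        "memberOf;subtree")
    If Not rs.EOF Then
        vals = rs.Fields("memberOf").Value
        If IsArray(vals) Then
            ' several groups: one DN per array element
            For Each v In vals
                If StrComp(v, groupDN, vbTextCompare) = 0 Then IsMemberOf = True
            Next
        ElseIf Not IsNull(vals) Then
            ' a single value may come back as a plain string
            If StrComp(vals, groupDN, vbTextCompare) = 0 Then IsMemberOf = True
        End If
    End If
    rs.Close
    conn.Close
End Function

' Stops the page with 403 unless the caller is in the named group.
Sub RequireGroup(groupDN)
    If Not IsMemberOf(CurrentAccount(), groupDN) Then
        Response.Status = "403 Forbidden"
        Response.Write "Access denied."
        Response.End
    End If
End Sub

' Usage at the top of Manager/default.asp (group DN assumed):
'   <!--#include virtual="/auth_check.asp" -->
'   <% RequireGroup "CN=Manager,OU=Groups,DC=mydomain,DC=com" %>
%>
```

Two caveats worth knowing: memberOf lists direct membership only, so users who qualify through a nested group need a tokenGroups or recursive lookup instead; and for plain files in the Manager, Physician and Standard folders, IIS impersonates the authenticated user under Integrated Windows Authentication, so NTFS permissions on those folders enforce the same rule with no ASP at all.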
 
L00M (Author) Commented:
Your solution requests the username and password from the user via a web form. That would require a second log in. Also, it would pass the username and password across the intranet in plain text. Any 13 year old could set up a packet sniffer and retrieve the password for any given doctor. Not a good solution. Again, I don't want them to have to log in a second time. Somehow I need to authenticate based on their initial Windows log in.
 
lavinder Commented:
I posted this code not to be used as it is directly; you can just extract the required portion of code, which checks whether the user exists in the group or not, convert it into a procedure and use it.

L00M (Author) Commented:
I understand your code snippet completely. However, I don't think you are grasping my question. In your code, you have:

 username=request.form("tuser")
 groupname=request.form("tgroup")

I DON'T want to use a web based form. I need a way to authenticate based on their initial log in to Windows. I'm talking about the login which comes when you boot up your computer, before IE is ever opened. There is nothing in your code which demonstrates how to do that. After further studying, I don't believe there is a way to accomplish this. So, unless someone posts a solution soon, I have decided to require a second login on the 1st of every month, and store their login information encrypted in a cookie. The cookie will expire on the 1st of every month, thus requiring them to log in again. Then, every time they start IE, I'll retrieve the cookie, decrypt their username and password, authenticate behind the scenes, and POOF, VOILA!

So, my next question: how do I close this question without awarding the points? Or must I award the points?

Thank you for your ideas,
Neil Brewer


lavinder Commented:
You do not need to award points. Put a 0 point question to the ASP moderator to delete this question.

lavinder Commented:
You do not need to award points. Put a 0 point question in the Community Support section for the ASP moderator to delete this question.