Solved

Automate NT Authentication with IIS and ASP using LDAP or ADSI

Posted on 2003-02-26
Last Modified: 2012-05-04
I am developing an intranet for a client. They want to restrict the users' access to files in sub-directories of the intranet. There will be three Active Directory groups available.

Manager
Physician
Standard

Each user will be a member of one of those groups. There will be sub-directories within the intranet folder named 'Manager', 'Physician' and 'Standard'. Each one allows the users assigned to the respective group.

Here is a standard example of what will occur on a daily basis:

1) User wakes up in the morning, drinks coffee, gets ready, goes to work.
2) Once at work, they boot up their computer.
3) They log on to their domain using the standard Windows log on.
4) They open IE and it directs them to the intranet site.

Now, at that point I want to retrieve the user's credentials. That way I can say, in code, if they are a member of the 'Managers' group, then show this relevant data. If not, restrict the data.

I have read that perhaps ADSI can do this, but can't find any specific examples.

How can I retrieve and check whether a user is a member of a specific group? Furthermore, how can I allow access to files in those subdirectories solely based on their Windows logon? Keep in mind, I do not want to do a second prompt for username and password. In other words, I don't want to turn off anonymous access and turn on basic authentication.

Thanks for the help,
Neil Brewer
Question by:L00M
9 Comments
 
LVL 11

Author Comment

by:L00M
ID: 8028659
I have refined my search to using solely LDAP. It seems I will still have to require the user to log in a second time once they hit the web page. Then, the username and password will be passed to the web server where the user is authenticated.

So, the solution I am still looking for is:

How can I use the initial Windows log in and pass the username and password to the web server, or somehow authenticate based on that initial log in? I do not want to make the user log in a second time.

-Neil
 
LVL 7

Expert Comment

by:lavinder
ID: 8031734
Hi

1) You get the user's logon id through request.servervariables("LOGON_USER"); put that in a variable.

2) Here is the script to check whether a user exists in a group or not.

<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<html>
<head>
</head>
<body>
 <%
  dim username,groupname
  dim user
  dim groups,group,exists,cn
  username=request.form("tuser")
  groupname=request.form("tgroup")

  if username<>"" and groupname<>"" then
   ' binds the account by its CN (the display name), which is not the
   ' DOMAIN\account form that LOGON_USER returns; OU and domain are placeholders
   set user=getObject("LDAP://CN=" & username & ",OU=ou1,DC=mydomain,DC=com")
   user.getInfo()
   ' getEx always returns an array; get returns a bare string when the
   ' user is in exactly one group, which breaks the for each below
   groups=user.getEx("memberOf")
   exists=false
   for each group in groups
    response.write server.htmlEncode(group) & "<br>"
    ' compare the CN= part of the DN exactly: a substring test with instr
    ' would let "Manager" also match "Managers" or "Manager-Archive"
    cn=group
    if instr(1,cn,",")>0 then cn=left(cn,instr(1,cn,",")-1)
    if lcase(cn)=lcase("CN=" & groupname) then exists=true
   next
   if exists then response.write "User exists in the group." else response.write "User does not exist in group."
   set user=nothing
  end if
 %>
 <form action="useringrp.asp" method="post">
  User Name<input type="text" name="tuser">
  in Group<input type="text" name="tgroup"><br>
  <input type="submit" value="User exists in Group ?">
 </form>
</body>
</html>

3) If the user exists in the group, you can redirect him/her to the folder you want and also set some internal flags for successful authentication.

4) In the target folders, give each of them a default asp page. In that asp page, check for the successful-authentication flags; if present, access is allowed, else not.

happy programming!!

 
LVL 11

Author Comment

by:L00M
ID: 8033400
Your solution requests the username and password from the user via a web form. That would require a second log in. Also, it would pass the username and password across the intranet in plain text. Any 13 year old could set up a packet sniffer and retrieve the password for any given doctor. Not a good solution. Again, I don't want them to have to log in a second time. Somehow I need to authenticate based on their initial Windows log in.
 
LVL 7

Expert Comment

by:lavinder
ID: 8040142
I posted this code not to be used as it is directly; you can just extract the required portion of code, which checks whether the user exists in the group or not, convert it into a procedure and use it.
 
LVL 11

Author Comment

by:L00M
ID: 8041571
I understand your code snippet completely. However, I don't think you are grasping my question. In your code, you have:

 username=request.form("tuser")
 groupname=request.form("tgroup")

I DON'T want to use a web based form. I need a way to authenticate based on their initial log in to Windows. I'm talking about the login which comes when you boot up your computer, before IE is ever opened. There is nothing in your code which demonstrates how to do that. After further studying, I don't believe there is a way to accomplish this. So, unless someone posts a solution soon, I have decided to require a second login on the 1st of every month, and store their login information encrypted in a cookie. The cookie will expire on the 1st of every month, thus requiring them to log in again. Then, every time they start IE, I'll retrieve the cookie, decrypt their username and password, authenticate behind the scenes, and POOF, VOILA!

So, my next question: how do I close this question without awarding the points? Or must I award the points?

Thank you for your ideas,
Neil Brewer

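The thread never shows the piece the question actually asks for: reading the identity the desktop logon already established, without a form and without the page ever handling a password. The following classic ASP page is an added example, not code from this thread or from lavinder. It assumes that, in IIS, anonymous access is disabled and Integrated Windows Authentication is enabled on the restricted folders (which is not basic authentication: IE sends the Windows logon silently for an intranet-zone site and IIS populates Request.ServerVariables("LOGON_USER")). It then looks the account up by sAMAccountName and checks group membership by exact group CN on every request, rather than trusting a flag or a cookie set earlier. The DC=mydomain,DC=com suffix is a placeholder, and CurrentLogonName, LdapEscape, FindUserDN, IsMemberOf and RequireGroup are names chosen for this example.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Assumed IIS setup for the restricted folders: anonymous access off,
' Integrated Windows Authentication on. IE then sends the desktop logon
' silently for an intranet-zone site and IIS fills LOGON_USER; no form
' and no password ever reach this page.
Const LDAP_DOMAIN_DN = "DC=mydomain,DC=com"   ' placeholder naming context

' sAMAccountName taken from LOGON_USER (DOMAIN\user), or "" when IIS did
' not authenticate the request (anonymous access is still enabled).
Function CurrentLogonName()
    Dim logonUser, pos
    logonUser = Request.ServerVariables("LOGON_USER")
    pos = InStr(logonUser, "\")
    If pos > 0 Then logonUser = Mid(logonUser, pos + 1)
    CurrentLogonName = logonUser
End Function

' Escape LDAP filter metacharacters (RFC 2254) so the logon name cannot
' change the meaning of the search filter it is interpolated into.
Function LdapEscape(s)
    Dim r
    r = Replace(s, "\", "\5c")
    r = Replace(r, "*", "\2a")
    r = Replace(r, "(", "\28")
    r = Replace(r, ")", "\29")
    r = Replace(r, Chr(0), "\00")
    LdapEscape = r
End Function

' LOGON_USER is the account name, not the CN, so search by sAMAccountName
' and return the distinguishedName, or "" if no such account exists.
Function FindUserDN(samAccountName)
    Dim conn, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set rs = conn.Execute("<LDAP://" & LDAP_DOMAIN_DN & ">;" & _
        "(&(objectCategory=person)(sAMAccountName=" & _
        LdapEscape(samAccountName) & "));distinguishedName;subtree")
    If rs.EOF Then
        FindUserDN = ""
    Else
        FindUserDN = rs.Fields("distinguishedName").Value
    End If
    rs.Close
    conn.Close
End Function

' True only when a memberOf DN starts with exactly CN=<groupName>, so
' "Manager" does not match "Managers" or "Manager-Archive".
Function IsMemberOf(userDN, groupName)
    Dim user, groups, g, cn, p
    IsMemberOf = False
    If userDN = "" Then Exit Function
    Set user = GetObject("LDAP://" & userDN)
    On Error Resume Next
    groups = user.GetEx("memberOf")  ' always an array, unlike Get
    If Err.Number <> 0 Then          ' attribute absent: no direct groups
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    For Each g In groups
        p = InStr(1, g, ",")
        If p > 0 Then cn = Left(g, p - 1) Else cn = g
        If LCase(cn) = LCase("CN=" & groupName) Then
            IsMemberOf = True
            Exit For
        End If
    Next
End Function

' Gate for the default.asp of a restricted folder: the membership check
' runs on every request instead of trusting a flag or cookie set earlier.
Sub RequireGroup(groupName)
    Dim logon
    logon = CurrentLogonName()
    If logon = "" Then
        Response.Status = "401 Unauthorized"   ' IIS auth misconfigured
        Response.End
    End If
    If Not IsMemberOf(FindUserDN(logon), groupName) Then
        Response.Status = "403 Forbidden"
        Response.End
    End If
End Sub

RequireGroup "Manager"
%>
<html><body>
Manager-only content for <%= Server.HTMLEncode(Request.ServerVariables("LOGON_USER")) %>
</body></html>
```

Two caveats a practitioner should check before relying on this. GetEx("memberOf") lists direct memberships only, so a user who reaches the Manager group through a nested group is not matched; resolve nesting separately if the client uses it. And because IIS impersonates the caller while the page runs, the LDAP bind to the domain controller is a second network hop: it works when Kerberos with delegation is configured, but under NTLM it fails, in which case bind with a dedicated read-only service account through GetObject("LDAP:").OpenDSObject(...) instead of a plain GetObject.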
 
LVL 7

Expert Comment

by:lavinder
ID: 8046383
You do not need to award points. Put a 0 point question to the ASP moderator to delete this question.
 
LVL 7

Expert Comment

by:lavinder
ID: 8046386
You do not need to award points. Put a 0 point question in the Community Support section for the ASP moderator to delete this question.
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 8527655
PAQ'd and all 100 points refunded.

SpideyMod
Community Support Moderator @Experts Exchange