• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 320

Authenticating a user in Active Directory (AD) from an External Site

Hi,

Currently at work, users are authenticated within the company at http://www.xxxx.com

We just purchased http://www.yyyy.com from a 3rd-party host. What I want to do is work towards building an internal company site on http://www.yyyy.com with all the material and sites most frequently used by everyone. However, for them to be able to get to the site, they need to be authenticated via the Active Directory from http://www.xxxx.com, which is the "MAIN" company website.

I have all the AD LDAP strings, but the issue is that I don't know how to do this. Yes, I know the workaround is to store everyone's usernames and passwords in a database and query against that, but because people leave and join the company at unimaginable rates, it will be very hard for us to keep updating the database, which is why we just said, "you know what, let's rely on AD."

How do we do this? Help out, please.
0
piyushdabomb
Asked:
piyushdabomb
3 Solutions
 
Malli Boppe commented:
On the website you remove anonymous authentication and use integrated Windows authentication.
0
 
k_dietz commented:
Is the new website hosted on the same server? If not, is it on the domain?

What language are you using? I have the syntax for PHP and may be able to point you in the right direction for .NET or others.
0
 
piyushdabomb (Author) commented:
It's on 2 different domains and 2 different servers!

I can use PHP, ASP, or ASP.NET...whatever works. Even if I don't have the experience, I'll figure it out.
0
 
Malli Boppe commented:
Do you have a two-way trust between those domains? If you have, then users in both domains can use both websites.
0
 
piyushdabomb (Author) commented:
I can somehow get the two-way trust. I know that the domain I bought has trust... but the company website 'can' get trust after speaking with a few folks.

How do I get users in both domains using both websites? Where does authentication play a part?
0
 
Americom commented:
We have something similar.
I suggest you do the two-way or one-way trust first, as suggested above. If users in yyy want to access the xxx website, then the xxx domain trusts yyy, and vice versa. If you want both domains to be able to access both servers, then do a two-way trust. An external trust is usually the fastest to establish without too much concern about security. Once the trust is established in both domains, all you need to do is grant permission on your website or virtual directories etc. by simply browsing the other domain's database. Or, if you're using another application to manage permissions via LDAP queries, it can be done as well by knowing the domain name and common name etc. If the website is open to Authenticated Users or Everyone, then it already has access for both domains' users.
0
 
k_dietz commented:
Here is code to handle the LDAP authentication through AD. To my knowledge, the two-way trust will allow you to have users authenticate once for both websites; this method will have them sign in separately to each website. Quite honestly, I don't know how to set up the trusts because I've never done it, so this is all I can help with.

This code works for me on IIS 6.0 with AD2003.  
<?php
session_start();   // $_SESSION is written below, so the session must be started first

$ldapserver = "192.168.1.1";
$ldap_domainname = "YOURDOMAINNAME";

$errormessage = "";

if (isset($_POST['login']) && isset($_POST['password'])) {

    $username = trim($_POST['login']);
    $password = trim($_POST['password']);

    /* LDAP binding needs DOMAINNAME\.  Authentication does not. */
    $ld_username = $ldap_domainname . "\\" . $username;
    $ld_password = $password;

    // AD treats a simple bind with an empty password as an anonymous
    // (unauthenticated) bind and reports success, so reject that up front.
    if ($username === "" || $password === "") {
        $errormessage = "Your username and password combination is incorrect. Please try again.";
    } else {
        // NOTE: a plain simple bind sends the password in clear text on port 389.
        // Use "ldaps://host" here or call ldap_start_tls($ds) on anything but a trusted network.
        $ds = ldap_connect($ldapserver);

        // If can't connect to LDAP.
        if (!$ds) {
            echo "Error in contacting the LDAP server.";
            exit;
        }

        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

        // Bind to LDAP using the credentials supplied.  If no connection, cannot authenticate!
        // NOTE: Cannot bind anonymously - triggers Operations Error.
        $bind = @ldap_bind($ds, $ld_username, $ld_password);

        // Check to make sure we're bound and authenticated; stop here if not,
        // rather than searching with a failed bind.
        if (!$bind) {
            $errormessage = "Your username and password combination is incorrect. Please try again.";
        } else {
            $base_dn = "dc=YOURDOMAINNAME,dc=local";
            $uid = "samaccountname";
            // Check the samaccountname field for the matching username.
            // Supposed to be uid but it didn't work for me.
            // The value is escaped (ldap_escape() needs PHP >= 5.6) so a username
            // such as "*" or "a)(objectClass=*" cannot change the filter.
            $filter = "(" . $uid . "=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";

            $search = ldap_search($ds, $base_dn, $filter);

            // Make sure only ONE result was returned.
            if (!$search || ldap_count_entries($ds, $search) != 1) {
                $errormessage = "There was an error processing your logon.  Please try again.";
            } else {
                $info = ldap_get_entries($ds, $search);

                // sAMAccountName is case-insensitive in AD, so compare accordingly.
                if (strcasecmp($username, $info[0][$uid][0]) == 0) {
                    session_regenerate_id(true);                  // fresh session id after login
                    $_SESSION['username'] = $info[0][$uid][0];    // username as listed in AD
                    $_SESSION['fullname'] = $info[0]['cn'][0];    // full name as listed in AD

                    ldap_close($ds);
                    header("Location: securedwebpage.php");
                    exit;
                } else {
                    $errormessage = "Your username and password combination is incorrect. Please try again.";
                }
            }
        }

        ldap_close($ds);
    }
}
?>
<?php if ($errormessage != ""): ?>
    <p><?php echo htmlspecialchars($errormessage); ?></p>
<?php endif; ?>
<form action="?" method="post">
    Username: <input type="text" name="login" /><br />
    Password: <input type="password" name="password" /><br />
    <br />
    <input type="submit" value="Login" />
</form>


0
 
piyushdabomb (Author) commented:
Team,

Will the code work on 2 different servers? All I really need is 1 way trust into my company server. I don't need authentication the other way (and I'm sure I can get that).

Can someone point me in the right direction with this?
0
 
Americom commented:
As far as trust goes, it sounded like one-way is what you need, and there shouldn't be a problem creating a one-way trust.
0
 
piyushdabomb (Author) commented:
Okay guys...so we changed the way we are going to deal with this just because we can't get any TRUSTS whatsoever.

I have a list of IP addresses we can work with, so I'm thinking about placing the IP addresses into a database and querying off of that. If the user's IP address is NOT found in the list, they can't log in.

Anyone know how to determine the IP address of a user?
0
 
Malli Boppe commented:
I can give another solution: create local users on the web server with some random passwords.
On the website folder directory, add these users and give them read permissions, or the same as domain user permissions. Give the user names and passwords to the other users in the domain.
0
 
piyushdabomb (Author) commented:
mboppe,

I already thought of that. The hassle with building a database of user names and passwords comes during maintenance, depending on who leaves the company and who doesn't!
0
 
piyushdabomb (Author) commented:
Check this out:

If you go to http://www.cebdata.com/Solutions_Site/Auth.asp

The first line will tell you if you were authenticated or not.

Let me know if it tells you that you were authenticated. You should NOT be!
0
 
Malli Boppe commented:
This is what I got
User is not authenticated to login to CEB's domain portal since their IP Address is:211.26.160.254
172.16.10.1 www.cebdata.com 
0
 
piyushdabomb (Author) commented:
Excellent!

That's all I need to know. I was able to write a little ASP to ban users who aren't part of certain IPs from logging in. Only those in the space of our IP sites can log in.
0
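As an added example (not the author's ASP and not code from anyone in this thread), the following PHP shows the kind of source-address allow-list the author describes, written in PHP to match the other code on this page. Two points a practitioner would want it to get right: the check must use the TCP peer address (REMOTE_ADDR) and never a client-supplied header such as X-Forwarded-For, which anyone can set, and the allow-list should be expressed as CIDR ranges so that the company's whole egress block matches rather than a handful of single addresses. The function names, the sample ranges and the 403 response are assumptions made for this illustration.

```php
<?php
// Added example, not part of the original thread. Names and ranges are
// assumptions: replace $ALLOWED with the company's real public egress ranges.

/**
 * Return true if $ip lies inside $cidr. $cidr may be "203.0.113.0/24",
 * "2001:db8::/32", or a bare address (treated as /32 or /128).
 * IPv4 and IPv6 are handled by comparing the packed binary forms.
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    if ($bits !== null && !ctype_digit($bits)) {
        return false;                      // "10.0.0.0/" or "/abc": malformed, never matches
    }
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                      // unparsable input, or IPv4 vs IPv6 mismatch
    }
    $maxBits = strlen($ipBin) * 8;         // 32 for IPv4, 128 for IPv6
    $bits = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits > $maxBits) {
        return false;
    }
    // Whole prefix bytes must match exactly...
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    // ...then only the high $rem bits of the next byte are compared.
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** True if $remoteAddr matches any entry of the allow-list. */
function client_allowed(string $remoteAddr, array $allowlist): bool
{
    foreach ($allowlist as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed allow-list (assumed values): the office NAT egress block, one
// standalone address, and an IPv6 prefix.
$ALLOWED = ['203.0.113.0/24', '198.51.100.17', '2001:db8:abcd::/48'];

// REMOTE_ADDR is the address the TCP connection actually came from. Headers
// such as X-Forwarded-For are written by the client and are only trustworthy
// when a reverse proxy you control overwrites them, so they are ignored here.
$remote = $_SERVER['REMOTE_ADDR'] ?? '';

if (!client_allowed($remote, $ALLOWED)) {
    http_response_code(403);
    exit("User is not authenticated to log in since their IP address is: " . htmlspecialchars($remote));
}
echo "User is authenticated from " . htmlspecialchars($remote);
```

With the constructed list above, a request from 203.0.113.45 or 2001:db8:abcd:1::5 passes and one from 211.26.160.254 is refused. Note what this check does and does not prove: it establishes that the request came from a network the company controls, not who the person is, so a third-party host protected this way still needs a per-user login (such as the LDAP bind earlier in this thread) before it can show anything user-specific, and the allow-list must be updated whenever the company's public addresses change.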
