elorc
asked on
Active Directory authentication/group membership check with MSAccess 2007 VBA
I'm unfortunately responsible for maintaining some old interfaces written in VBA through MS Access. Currently I'm migrating these over to a new server and one of the things I want to do is improve the login system for these interfaces by integrating them with Active Directory. It's pretty simple: All I need to do is (a) check to make sure the provided username/password combination are correct, and if so, (b) check to see if the user is in a specific Active Directory group.
Any ideas on how to go about doing this? I had written a library in .NET that these interfaces were using on the old server, but on the new server it's not working properly. If there's some way that I can pretty easily and effectively do it right through VBA, I'd prefer that over having to troubleshoot this library that I wrote.
EDIT: I should add, I've been playing around with ADODB to make the connection. It seems to work and I can look up AD object properties but I'm not sure what the best way is to check the username/password.
ASKER
Thanks for the replies. For security and auditing purposes, these interfaces are required to authenticate the user again when they are launched before access can be granted. We are not allowed to assume that the user is authenticated because they are logged into Windows already.
>> We are not allowed to assume that the user is authenticated because they are logged into Windows already. <<
Do you mean authenticated to use your app? or .. Are you not allowed to assume the logged in user is the one in front of the computer?
ASKER
Whenever they load the interface, it has to prompt them for the password. The assumption is that just because they are logged into Windows does not mean they're the person currently at the keyboard, so the interface must require login credentials every time it's opened.
ASKER
That seems to work. What a cluster though. :)
I've been working on rewriting these crappy interfaces as actual .NET applications, but it's pretty time consuming so it's taking me a while to get them all done. This will keep the ones I haven't gotten to yet limping along for the time being. Thank you.
Nice find! :D
Can I suggest you use the first part to find the currently logged-on username and just prompt for the password? Avoid a user running the app in another user's Windows session? I know I would find that insecure somewhere along the line if your concerns are what they are.
Regards
Yes it is a cluster! ... so I kept digging -- it was really bothering me! .. and this is what I came up with. It works for me on my PC in VBA, but I am an administrator, so I don't know if permissions will be an issue.
By the way, it seems the code I first linked you to was born out of this MS article ...
http://support.microsoft.com/default.aspx?scid=kb;en-us;279815
Public Function ValidateUser(strDomain As String, strUserName As String, strPassword As String) As Boolean
    Dim oADobject As Object   ' IADsOpenDSObject
    Set oADobject = GetObject("WinNT:")
    On Error Resume Next
    Err.Clear
    ' Bind to the domain with the supplied credentials; a bad username/password raises an error here.
    oADobject.OpenDSObject "WinNT://" & strDomain, strUserName, strPassword, &O1   ' &O1 = ADS_SECURE_AUTHENTICATION
    ValidateUser = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function
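An added example, not code from this thread, that folds the credential check above together with the group-membership check the asker needs, using the same WinNT provider: the bind with the supplied password is the authentication step, and the bound user object is then asked for its groups. The strRequiredGroup parameter, the optional lngErr audit parameter and the "DOMAIN\user" form of the OpenDSObject username are my assumptions, not something the thread shows.

```vba
' Returns True only if the password is correct AND the user is a direct member of strRequiredGroup.
' Any failure (bad password, unknown user, group absent) returns False; the ADSI error number is
' handed back in lngErr so the caller can write it to an audit log instead of silently swallowing it.
Public Function AuthenticateAndAuthorize(strDomain As String, strUserName As String, _
        strPassword As String, strRequiredGroup As String, Optional ByRef lngErr As Long) As Boolean
    Const ADS_SECURE_AUTHENTICATION As Long = 1   ' same flag as &O1 in ValidateUser
    Dim oDSO As Object    ' IADsOpenDSObject
    Dim oUser As Object   ' IADsUser
    Dim oGroup As Object  ' IADsGroup
    AuthenticateAndAuthorize = False
    lngErr = 0
    On Error GoTo Failed

    Set oDSO = GetObject("WinNT:")
    ' Authentication: binding to the user object with the supplied credentials fails
    ' (raises an error) when the password is wrong, so no separate password check is needed.
    ' Assumption: the WinNT provider accepts the username as "DOMAIN\user".
    Set oUser = oDSO.OpenDSObject("WinNT://" & strDomain & "/" & strUserName & ",user", _
                                  strDomain & "\" & strUserName, strPassword, ADS_SECURE_AUTHENTICATION)

    ' Authorization: walk the user's direct group memberships.
    ' Caveat: the WinNT provider does not expand nested groups, so a user who is only a member
    ' of strRequiredGroup through another group is reported as NOT a member here.
    For Each oGroup In oUser.Groups
        If StrComp(oGroup.Name, strRequiredGroup, vbTextCompare) = 0 Then
            AuthenticateAndAuthorize = True
            Exit For
        End If
    Next oGroup
    Exit Function

Failed:
    lngErr = Err.Number
    AuthenticateAndAuthorize = False
End Function

' Typical use from the login form (constructed call, names assumed):
'   Dim lngAdsErr As Long
'   If Not AuthenticateAndAuthorize("MYDOMAIN", Me.txtUser, Me.txtPassword, "Interface Users", lngAdsErr) Then
'       ' record lngAdsErr and the username in the audit table, then refuse entry
'   End If
```

Because the wrong-password path and the not-in-group path both return False, keep lngErr for the audit trail: a non-zero value means the bind itself failed, zero with a False result means the user authenticated but is not in the group.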
ASKER
That second code you provided works under normal users as well. When the login credentials are incorrect, it looks like it can sometimes take several seconds to return false, but that's fine. I like the simplicity of that solution.
Cool! ..
In my testing, I did notice the delay when an error was thrown also. But, like you, I prefer the simplicity and will take the hit of the small delay versus the hit of a module with code that I would rather not touch!
Either way you go, I am glad the information found helped you out! I learned some stuff too, so it was a double bonus!
Good luck on your project(s)!
ASKER
I'll just explain to users that the small delay is "an intentional implementation designed to reduce the effectiveness of brute force attacks."
8)
Thanks again for the assistance that you both provided. I was able to put it all together to do exactly what I was looking for.
Also, as an alternative to Neilsr's suggestion, here is what I use to determine the groups the currently logged-in user is in. It returns a pipe-delimited list of groups the user is in for the passed domain.
I will use the function like this ...