Solved

Authenticate to Active Directory from a local PC account

Posted on 2014-08-29
Last Modified: 2014-09-02
I would like to have a PC that is logged in as a local (no domain) user and then have a VB program that will authenticate with a given domain username and password (please don't ask why, it's a long story!).

So the computer would be logged in as something like LocalUser1 and then the domain user (let's say bob.smith) would launch a VB program that would authenticate him to AD and map his drives.  Mapping drives is not an issue, but I need to make sure authentication is done in a way that my web filter will know that bob.smith is logged in (the filter is tied into AD with LDAP).

First, I'd like to know if this is even possible.  If it is, then what type of authentication would I need to establish?
Question by:bpl5000
16 Comments
 
LVL 81

Accepted Solution

by:
arnold earned 2000 total points
ID: 40294057
VB has an Active Directory interface; part of the parameters include credentials.

The difficulty you may run into deals with security settings that will not allow a non-client/member to access the resource.
You may need to use ADSI to adjust and allow LDAP connections.

...
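The accepted answer says the VB Active Directory interface takes credentials as parameters. The following is an added example, not code from this thread: VB.NET against System.DirectoryServices.AccountManagement (.NET Framework 3.5 or later), run under the local account, proving a supplied domain password to a DC and then reading the group memberships the web-filter policy is based on. The domain name CORP.EXAMPLE is a placeholder; bob.smith is the name used in the question.

```vb
' Added example, not from the original thread. Assumes a domain-joined workstation that can
' reach a DC, and a reference to System.DirectoryServices.AccountManagement.
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices.AccountManagement

Module DomainAuthFromLocalAccount

    ' Returns True when the DC accepts the password. Negotiate with Sealing and Signing keeps
    ' the bind encrypted; a Simple bind would send the password in clear text over LDAP.
    Public Function ValidateDomainUser(domain As String, user As String, password As String) As Boolean
        Using ctx As New PrincipalContext(ContextType.Domain, domain)
            Return ctx.ValidateCredentials(user, password,
                ContextOptions.Negotiate Or ContextOptions.Sealing Or ContextOptions.Signing)
        End Using
    End Function

    ' Binds to AD with the supplied credentials (not the local logon token) and returns the
    ' sAMAccountNames of the user's direct group memberships.
    Public Function GetGroupMemberships(domain As String, user As String, password As String) As List(Of String)
        Dim groups As New List(Of String)()
        Using ctx As New PrincipalContext(ContextType.Domain, domain, user, password)
            Using p As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user)
                If p Is Nothing Then Return groups
                Using results As PrincipalSearchResult(Of Principal) = p.GetGroups()
                    For Each g As Principal In results
                        groups.Add(g.SamAccountName)
                    Next
                End Using
            End Using
        End Using
        Return groups
    End Function

    Sub Main()
        Dim domain As String = "CORP.EXAMPLE"   ' placeholder domain
        Dim user As String = "bob.smith"        ' user from the question
        Console.Write("Password for " & domain & "\" & user & ": ")
        Dim password As String = Console.ReadLine()   ' echoes; a real tool would use a masked prompt

        If Not ValidateDomainUser(domain, user, password) Then
            Console.WriteLine("Authentication failed")
            Return
        End If
        For Each g As String In GetGroupMemberships(domain, user, password)
            Console.WriteLine("member of " & g)
        Next
    End Sub

End Module
```

This proves bob.smith's password to a domain controller and gives the program his group list, but nothing in it changes the workstation's interactive logon session: the browser's integrated authentication still offers LocalUser1's token. That is why the AD question and the web-filter question are treated as two separate problems further down the thread.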
 
LVL 5

Author Comment

by:bpl5000
ID: 40294352
The only thing I'm really concerned about is our webfilter seeing the user bob.smith as being the one browsing from that workstation.  The workstation would be part of the domain, but would be logged in as a local user.  I don't know exactly how AD tells the webfilter who is authenticated at that IP.
 
LVL 81

Expert Comment

by:arnold
ID: 40294686
These are two separate issues.

You need to handle the access through the proxy.
Then you would deal with access to the AD.


You limited your question by asking not to be asked why, so the sequential auth to the different components is what is required.
 
LVL 5

Author Comment

by:bpl5000
ID: 40294950
Different users have different access thru the webfilter and that is determined by what groups the AD user is in.  We log into our workstations (authenticating to AD) and that is then passed on to the webfilter and access is given according to your AD membership.  The webfilter is also our firewall and it works in transparent mode rather than proxy.
 
LVL 81

Expert Comment

by:arnold
ID: 40294979
It likely handles NTLM, so your connection attempt will be "prompted" for credentials, which your script has to handle.

Access to the AD impossibly does not get filtered, since on logon, user credentials are unknown and a computer-based account might not be ..........
 
LVL 5

Author Comment

by:bpl5000
ID: 40295056
Access to the AD impossibly does not get filtered

I don't understand what you are saying.  I'm not an expert at web filtering, but I think what happens is I log into a workstation and the IP address is given to AD.  Our web filter is tied into AD because we set up an LDAP connection using AD credentials.  So when Bob.Smith logs in, his IP address is passed on to AD.  That info reaches our web filter because it can query AD given that it's connected thru LDAP.

We never have to provide credentials to our web filter.  I log into my workstation, and the web filter applies a policy according to the AD group that I am in.
 
LVL 5

Author Comment

by:bpl5000
ID: 40295365
So after doing some research, it seems that AD does not hold the IP for users.  I'm not sure how the web filter gets that info.  So how does the web filter know the AD user?
 
LVL 5

Author Comment

by:bpl5000
ID: 40295387
So I'm guessing the web filter works with NTLM, but the user is not prompted for credentials.  It looks to me like this is all done in the "type 3 message"...
http://davenport.sourceforge.net/ntlm.html#whatIsNtlm

So I'm guessing NTLM forwards the username of the user who is logged in.
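The Type 3 (AUTHENTICATE) message referred to above is where the client states the account it is authenticating as, so whatever the filter logs comes from those fields. As an added illustration, not part of the original thread, here is a VB.NET parser for the identity fields of a Type 3 message (layout per the davenport document linked above), plus a constructed sample message so it runs offline. The computer name WORKSTATION1 and account LocalUser1 are constructed values; the OEM code-page case is approximated with ASCII, which is an assumption noted in the code.

```vb
' Added example, not from the original thread: inspect who an NTLM Type 3 message claims to be.
Imports System
Imports System.Collections.Generic
Imports System.Text

Module NtlmType3Inspector

    Public Class NtlmIdentity
        Public Property Domain As String
        Public Property User As String
        Public Property Workstation As String
        Public Property UnicodeStrings As Boolean
    End Class

    Private Const NEGOTIATE_UNICODE As UInteger = &H1UI

    ' A security buffer descriptor is UInt16 length, UInt16 allocated length, UInt32 offset from message start.
    Private Function ReadSecurityBuffer(msg As Byte(), descriptorOffset As Integer) As Byte()
        Dim length As Integer = BitConverter.ToUInt16(msg, descriptorOffset)
        Dim offset As Long = BitConverter.ToUInt32(msg, descriptorOffset + 4)
        If offset + length > msg.Length Then
            Throw New ArgumentException("security buffer lies outside the message")
        End If
        Dim data(length - 1) As Byte   ' length 0 yields an empty array
        Array.Copy(msg, CInt(offset), data, 0, length)
        Return data
    End Function

    ' Extracts the domain, user and workstation a client put into an AUTHENTICATE_MESSAGE (Type 3).
    Public Function ParseType3(msg As Byte()) As NtlmIdentity
        ' Signature "NTLMSSP\0" at 0, message type (little-endian UInt32) at 8; descriptors reach byte 51.
        If msg.Length < 52 OrElse Encoding.ASCII.GetString(msg, 0, 8) <> "NTLMSSP" & ChrW(0) Then
            Throw New ArgumentException("missing NTLMSSP signature")
        End If
        If BitConverter.ToUInt32(msg, 8) <> 3UI Then
            Throw New ArgumentException("not a Type 3 message")
        End If
        ' Descriptors: LM response @12, NT response @20, domain @28, user @36, workstation @44,
        ' session key @52 (optional), negotiate flags @60 (optional).
        Dim unicode As Boolean = True   ' assumed when the optional flags field is absent
        If msg.Length >= 64 Then
            unicode = (BitConverter.ToUInt32(msg, 60) And NEGOTIATE_UNICODE) <> 0
        End If
        Dim enc As Encoding = If(unicode, Encoding.Unicode, Encoding.ASCII)   ' ASCII stands in for the OEM code page
        Return New NtlmIdentity With {
            .Domain = enc.GetString(ReadSecurityBuffer(msg, 28)),
            .User = enc.GetString(ReadSecurityBuffer(msg, 36)),
            .Workstation = enc.GetString(ReadSecurityBuffer(msg, 44)),
            .UnicodeStrings = unicode}
    End Function

    ' Constructed sample only: a Type 3 message with empty LM/NT responses and Unicode strings.
    Public Function BuildSampleType3(domain As String, user As String, workstation As String) As Byte()
        Dim enc As Encoding = Encoding.Unicode
        Dim header(63) As Byte
        Array.Copy(Encoding.ASCII.GetBytes("NTLMSSP" & ChrW(0)), header, 8)
        Array.Copy(BitConverter.GetBytes(3UI), 0, header, 8, 4)
        Dim fields As Byte()() = {New Byte() {}, New Byte() {}, enc.GetBytes(domain),
                                  enc.GetBytes(user), enc.GetBytes(workstation), New Byte() {}}
        Dim payload As New List(Of Byte)()
        Dim nextOffset As Integer = header.Length
        For i As Integer = 0 To fields.Length - 1
            Dim d As Integer = 12 + i * 8
            Array.Copy(BitConverter.GetBytes(CUShort(fields(i).Length)), 0, header, d, 2)
            Array.Copy(BitConverter.GetBytes(CUShort(fields(i).Length)), 0, header, d + 2, 2)
            Array.Copy(BitConverter.GetBytes(CUInt(nextOffset)), 0, header, d + 4, 4)
            payload.AddRange(fields(i))
            nextOffset += fields(i).Length
        Next
        Array.Copy(BitConverter.GetBytes(NEGOTIATE_UNICODE), 0, header, 60, 4)
        Dim msg As New List(Of Byte)(header)
        msg.AddRange(payload)
        Return msg.ToArray()
    End Function

    Sub Main()
        ' What a workstation logged on as a local account would present: the domain field is the computer name.
        Dim sample As Byte() = BuildSampleType3("WORKSTATION1", "LocalUser1", "WORKSTATION1")
        Dim who As NtlmIdentity = ParseType3(sample)
        Console.WriteLine("Type 3 identity: " & who.Domain & "\" & who.User & " from " & who.Workstation)
    End Sub

End Module
```

Run as written, the sample decodes to WORKSTATION1\LocalUser1, which is the point for this thread: with a local logon the browser's automatic NTLM response names the local account and the computer, not bob.smith, so a filter that keys its policy on the authenticated name has nothing to match to an AD group.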
 
LVL 81

Expert Comment

by:arnold
ID: 40295594
NTLM is handled by the web browser when the access is through a trusted source. I.e. using IE as a browser, you try to access www.experts-exchange.com; when the request hits the webfilter, the browser gets a response that auth is needed. At that point it passes the user's "credentials."
Get a Chrome or a Firefox browser and try the same thing, and the browser should display the auth request/prompt.
 
LVL 5

Author Comment

by:bpl5000
ID: 40296053
We do not get prompted in Firefox because we use the "Network.automatic-ntlm-auth.trusted-uris" setting within Firefox.  But you are right... if we did not use that setting, we would get a prompt.  As for Chrome, it never prompts because it utilizes the same settings that IE uses – that is the Control Panel > Internet Options.
 
LVL 5

Author Comment

by:bpl5000
ID: 40296570
At that point it passes the user's "credentials."

So the credentials would be that of the local user that is logged in.  I'm guessing these credentials are cached some place?  Is it possible to replace these credentials?
 
LVL 81

Expert Comment

by:arnold
ID: 40297144
We are talking about two different things: the handling when one uses a browser, and the process your script has to handle.
The browser, when logged in as a local user, upon providing the local credentials will get a deny/authorization failed response, as long as the local user and an AD user with the same password do not exist.
At this point, the browser will trigger the authentication mechanism and will prompt the user for information.

In your case, your VB app/script will need to take care to handle the interaction.
I.e. access requested to connect, getting a response from the webfilter to authenticate, then construct the correct authentication response with whatever credentials you have. Then see if it passes the webfilter check. At that point, your script will be assigned a parameter, or will need to include the authentication parameter with every future request.
The only thing I can provide is the process your script has to handle.

It is peculiar why a joined computer will need to use a local account, given that an AD computer caches the credentials that are successfully authenticated when the system is connected to the LAN.
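The sequence just described (request, challenge from the filter, authentication response built from the credentials you hold) is exactly what the .NET HTTP stack does on the program's behalf when it is handed an explicit credential. As an added example, not code from this thread, the VB.NET below issues one request and answers the filter's NTLM challenge as the supplied domain user rather than as the local logon account. www.experts-exchange.com is the URL used earlier in the thread; CORP.EXAMPLE is a placeholder domain and the password is read from an environment variable named BOB_PASSWORD, which is an assumption of this example.

```vb
' Added example, not from the original thread. Assumes .NET Framework (HttpWebRequest) and a
' filter that answers the first request with 401 + WWW-Authenticate: NTLM, as a transparent
' filter does; an explicit proxy would answer 407 instead.
Imports System
Imports System.Net

Module WebFilterAuthAsDomainUser

    ' Performs one GET, answering the NTLM challenge with the given domain credentials.
    ' Returns the final HTTP status: 200 if the filter accepted them, 401 if it did not.
    Public Function RequestAs(url As String, domain As String, user As String, password As String) As HttpStatusCode
        Dim cache As New CredentialCache()
        ' Scope the credential to this URI prefix and to NTLM only, so it is never offered
        ' to other hosts or downgraded to Basic by a rogue challenge.
        cache.Add(New Uri(url), "NTLM", New NetworkCredential(user, password, domain))

        Dim request As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
        request.Credentials = cache
        request.PreAuthenticate = False   ' wait for the challenge rather than volunteering credentials
        request.KeepAlive = True          ' NTLM authenticates the connection, so it must stay open
        request.UserAgent = "drive-mapper/1.0 (constructed example)"

        Try
            Using response As HttpWebResponse = CType(request.GetResponse(), HttpWebResponse)
                Return response.StatusCode
            End Using
        Catch ex As WebException When ex.Response IsNot Nothing
            ' A 401 here means the filter rejected the credentials after the exchange.
            Using response As HttpWebResponse = CType(ex.Response, HttpWebResponse)
                Return response.StatusCode
            End Using
        End Try
    End Function

    Sub Main()
        Dim password As String = Environment.GetEnvironmentVariable("BOB_PASSWORD")   ' assumed variable
        Dim status As HttpStatusCode = RequestAs("http://www.experts-exchange.com/",
                                                 "CORP.EXAMPLE", "bob.smith", password)
        Console.WriteLine("Filter answered " & CInt(status) & " " & status.ToString())
    End Sub

End Module
```

Two caveats follow from the thread itself. The request is authenticated for this connection only; whether the filter then records bob.smith against the workstation's IP for the browser's later traffic depends on the product, and the thread does not settle that. And because the credential is bound to one URI prefix and to NTLM, a different host or a Basic challenge gets no credentials at all, which is the behaviour you want from a program that holds a user's domain password.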
 
LVL 5

Author Comment

by:bpl5000
ID: 40297495
It is peculiar why a joined computer will need to use a local account, given that an AD computer caches the credentials that are successfully authenticated when the system is connected to the LAN.

I didn't want to get into the reason why (which is why I said please don't ask why), but since you asked, this is why.  We are testing a VDI solution that disconnects all of the users when one user logs off.  If I have the system using local accounts, then no one will be logging off.  It would just be a workaround while we discover the reason why the disconnects are happening.  It might be poor programming on the part of the VDI software or maybe a GPO setting in our environment.  Using local accounts is just a plan B; I am first testing a few things to see if we can resolve the issue.

If we are unable to resolve the issue quickly, then we will use local accounts until we track down the problem.  It's difficult because it's one of those intermittent and random issues.  There would be some advantages to using local accounts too.  I could have the VB program go full screen and the users would think they are logging into a workstation, but it would take 2 seconds for them to get to their desktop.  The only issue I would have is the webfilter (I already know how to give them access to their shares).  I think they would have to provide their credentials again because I have no idea how I would handle authentication to the webfilter thru the VB program.  Also, I would NOT want the VB program to be running in the background all the time.  I would want it to connect the users to their resources and exit.
 
LVL 81

Expert Comment

by:arnold
ID: 40297643
Disconnects from where, the VDI environment?

Check the DC security log, check the event.

Does the VDI deploy a unique "system" to each user, or are they all using the same identical VDI?

http://technet.microsoft.com/en-us/video/microsoft-virtual-desktop-infrastructure-vdi-explained.aspx

I think expending time as you have, might not be as efficient as using the effort to identify why the TS issues disconnects to all users when one session ends.
 
LVL 5

Author Comment

by:bpl5000
ID: 40298880
Hence the reason I did not want to explain why!  Of course we checked the DC security log (and all event logs on the DC and the VDI server).  I suppose if I asked "how do I get to the 7-Eleven, I'd get the reply, "why do you want to go to the 7-Eleven?  It would be much more efficient to go to Walmart."  But I don't like Walmart!
 
LVL 81

Expert Comment

by:arnold
ID: 40298948
At times a context for the question is important to identify a possible solution that was not considered.
Using your analogy, there might be a 7-Eleven closer to you, but it might be in a neighboring city.

Are you using the broker to deal with VDI access requests?
Does the logout occur when a user logs off from the VDI session?
Is the VDI configured as shared space among the users?
