Re: Double Hop Issue? Tough problem...(For me)
From: Anthony (antgoodlife_at_yahoo.com)
Date: 08/18/04
- Next message: Jonathan LaRosa: "include file that is outside of web directory"
- Previous message: Bob Lehmann: "Re: Strange Recordset/Query Problem"
- In reply to: Anthony: "Double Hop Issue? Tough problem...(For me)"
- Messages sorted by: [ date ] [ thread ]
Date: 18 Aug 2004 11:35:09 -0700
Is there another group I should post this in?
thanks..
"Anthony" <antgoodlife@nospam.comcast.net> wrote in message news:<efaXG6KhEHA.1276@TK2MSFTNGP09.phx.gbl>...
> I am trying to get a user's DN by translating the LOGON_USER NT4 format
> variable. I am ONLY using windows authentication for security settings:
> This is a Windows 2000 IIS 5 Server. Here is the .asp that I've stripped
> down.. feel free to paste the code for your own testing.. it works:
>
> ----------------- begin paste-- -----------
> <%
> ' logon_user will be in DOMAIN\LANID format (NT4 Format)
> logonuser = Request.ServerVariables("LOGON_USER")
>
> 'sUser DN will be in CN=JOEUSER,CN=Users,DC=DOMAIN,DC=MYCORP,DC=COM
> sUserDN = getdn(logonuser)
> response.write sUserDN
>
> ' and getdn function looks like the following
>
> public function getDN(NT4Name)
> ' NT4Name DOMAIN\LANID format (NT4 Format)
> ' Function returns DN from NT4 Name
>
> ' Gets the users DN from the DOMAIN/NT Name
>
> sDC = "DC01"
>
> const ADS_NAME_INITTYPE_DOMAIN = 1
> const ADS_NAME_INITTYPE_SERVER = 2
> const ADS_NAME_INITTYPE_GC = 3
>
> const ADS_NAME_TYPE_1779 = 1
> const ADS_NAME_TYPE_NT4 = 3
>
> Set nto = CreateObject("NameTranslate")
> 'nto.InitEx ADS_NAME_INITTYPE_SERVER, sDC, sAdmin, sDomain, sAdmPwd
> nto.Init ADS_NAME_INITTYPE_SERVER, sDC
> nto.Set ADS_NAME_TYPE_NT4, NT4Name
> sUserDN = nto.Get(ADS_NAME_TYPE_1779)
>
> getDN = sUserDN
> end function
> %>
>
> -------------- end paste -----
>
> The error I am getting is the following.. :
>
> error '80090332'
> The security context could not be established due to a failure in the
> requested quality of service (e.g. mutual authentication or delegation).
>
> -----------
>
> If I am on a Windows 2000 Domain member or higher this works fine.. (I
> understand it works when Kerberos Authentication is ok) I have trusted the
> IIS server for kerberos authentication so it's working fine provided
> Kerberos Authentication is good...
>
> The problem is IF the authentication drops down to NTLM (When using NT4 or a
> non-domain member client (VPN'ed in ..etc..)) this is really when it dumps
> the above error.. any way around this?
>
> So, is there any way to get a user DN another way? I know my problem is the
> local IUSR_Machinename account doesn't have access to the LDAP directory...
> so I was hoping to pass credentials through to the DC.
>
> Are there other ways to accomplish this task? Once the DN is known I need
> to check their group memberships to determine if they have access to a
> particular function within an .asp so I'd have to connect to the ldap
> provider multiple times.. not just this once..
>
> Lastly, if there is no way to allow for this to work with the above code
> snip.. can I at least trap that error to display "Kerberos not working"
> instead of that ugly mess for users? I can't seem to trap that error...
>
> Any help would be much appreciated.. Thank you
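The error trap the post asks about, written here as an added example (it is not the poster's code): the same NameTranslate call runs under On Error Resume Next, Err.Number is compared with the 0x80090332 HRESULT from the error text above, and the user sees a plain "Kerberos not working" line instead of the raw COM description. SafeGetDN, ERR_SEC_QOS and the ByRef error argument are names introduced for this example; the ADS_NAME_* constants and the "DC01" server name come from the post.

```vbscript
<%
' Added example: wraps the NameTranslate lookup so the delegation failure
' (0x80090332, raised when the client fell back to NTLM and IIS cannot do the
' second hop to the DC) is trapped instead of surfacing as an ASP error page.
' Assumptions: "DC01" is a reachable DC; SafeGetDN / ERR_SEC_QOS are names
' introduced here, not from the original post.

Const ADS_NAME_INITTYPE_SERVER = 2
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3

' HRESULT 0x80090332 (SEC_E_QOP_NOT_SUPPORTED). VBScript reads an 8-digit hex
' literal as a signed Long (-2146893006), which is exactly what Err.Number
' holds after the failed COM call, so a direct comparison works.
Const ERR_SEC_QOS = &H80090332

' Returns the DN, or "" on failure. The HRESULT (0 on success) comes back
' through lErr so the page decides what to show; the raw error description
' is never written to the browser.
Function SafeGetDN(ByVal sNT4Name, ByVal sDC, ByRef lErr)
    Dim nto
    lErr = 0
    SafeGetDN = ""

    On Error Resume Next
    Set nto = CreateObject("NameTranslate")
    nto.Init ADS_NAME_INITTYPE_SERVER, sDC
    nto.Set ADS_NAME_TYPE_NT4, sNT4Name
    SafeGetDN = nto.Get(ADS_NAME_TYPE_1779)
    If Err.Number <> 0 Then
        lErr = Err.Number
        SafeGetDN = ""
        Err.Clear
    End If
    On Error GoTo 0
End Function

Dim sDN, lCode
sDN = SafeGetDN(Request.ServerVariables("LOGON_USER"), "DC01", lCode)

If lCode = 0 Then
    Response.Write Server.HTMLEncode(sDN)
ElseIf lCode = ERR_SEC_QOS Then
    ' NTLM instead of Kerberos: the web server holds no delegable credentials
    Response.Write "Kerberos not working - please sign in from a domain member and retry."
Else
    ' Any other failure: keep the HRESULT for the server log, show a generic line
    Response.Write "Directory lookup failed; please contact the helpdesk."
End If
%>
```

Because the failing call is inside the function, every later call that needs the DN for a group check can go through the same wrapper and test lCode before touching the LDAP provider again.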