Re: ASP using ADSI
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 4 Apr 2006 10:54:07 -0500
Oh, I see. I think I might have answered this question on another thread. Kerberos auth (which you need for delegation) requires users in AD. You will only get NTLM authentication with an NT4 user. I don't think the current approach you have is going to work as a result.

Can you provision some of the users to AD and have the people who need to switch over?

Sorry for being a .NET snob in my previous post. I've just done all the ASP I ever want to do, but I can totally understand not being able to jump right into it without a programming background. It is still a bit of a leap for people coming from scripting backgrounds and MS has a ways to go to solve that. Unfortunately, since ASP always impersonates the logged on user, it isn't as easy for you to create a service account and just use its credentials.

What you might consider doing is switching back to the LDAP provider and using OpenDsObject religiously, specifying credentials for your service account in every bind operation. This service account would have delegated access to perform the operations you need.

You can also try this with the WinNT provider, but it is notoriously flaky when supplying credentials, and it is inappropriate anyway for use with AD, so why even bother? :)

I hope that helps you some. Best of luck,
Joe K.
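The approach Joe recommends, as an added example that is not code from the thread: a classic ASP page that binds through the LDAP provider with an explicit service account via IADsOpenDSObject.OpenDSObject on every bind, so nothing depends on delegating the impersonated browser user's NTLM-only logon. The DC name, service account, password, managed OU and the allowed-caller list are all placeholders; the member DN is assumed to be an object that already exists in the W2K3 domain (a provisioned user), not an NT4 principal.

```vbscript
<%
Option Explicit
' Added example: LDAP provider + OpenDSObject with service-account credentials.
' ---- Assumed values (placeholders, not from the thread) ----
Const DC_HOST    = "dc01.corp.example"             ' a W2K3 domain controller
Const SVC_USER   = "CORP\svc-groupadmin"           ' account delegated add/remove rights on the OU
Const SVC_PASS   = "<service-account-password>"    ' keep in a protected include outside the web root
Const MANAGED_OU = "OU=Managed Groups,DC=corp,DC=example"
' ADS_SECURE_AUTHENTICATION (1) Or ADS_USE_ENCRYPTION (2) Or ADS_SERVER_BIND (512) = 515:
' negotiate Kerberos/NTLM instead of a cleartext simple bind, sign/seal the session,
' and bind directly to the named DC.
Const SVC_FLAGS  = 515

' Every bind goes through here, so no call silently falls back to the caller's token.
Function BindAsService(strDN)
    Dim objNS
    Set objNS = GetObject("LDAP:")
    Set BindAsService = objNS.OpenDSObject("LDAP://" & DC_HOST & "/" & strDN, _
                                           SVC_USER, SVC_PASS, SVC_FLAGS)
End Function

' The service account, not the caller, now holds the write rights, so the page itself
' must decide who may use it. Placeholder rule: an explicit list; nobody else passes.
Function CallerIsAuthorized(strCaller)
    Dim arrAllowed, i
    arrAllowed = Array("NT4DOM\jsmith", "NT4DOM\helpdesk1")   ' assumed values
    CallerIsAuthorized = False
    If Len(strCaller) = 0 Then Exit Function
    For i = 0 To UBound(arrAllowed)
        If StrComp(arrAllowed(i), strCaller, vbTextCompare) = 0 Then CallerIsAuthorized = True
    Next
End Function

' Only groups under the delegated OU may be touched, whatever the form submits.
Function GroupIsInScope(strGroupDN)
    GroupIsInScope = False
    If Len(strGroupDN) <= Len(MANAGED_OU) Then Exit Function
    If StrComp(Right(strGroupDN, Len(MANAGED_OU)), MANAGED_OU, vbTextCompare) = 0 Then
        GroupIsInScope = True
    End If
End Function

' Add or remove a member; returns a short status string for the page to display.
Function ChangeMembership(strGroupDN, strMemberDN, strAction)
    Dim objGroup, strMemberPath
    If Not GroupIsInScope(strGroupDN) Then
        ChangeMembership = "Group is outside the managed OU"
        Exit Function
    End If
    On Error Resume Next
    Set objGroup = BindAsService(strGroupDN)
    If Err.Number <> 0 Then
        ChangeMembership = "Bind to group failed: " & Err.Description
        Exit Function
    End If
    strMemberPath = "LDAP://" & strMemberDN     ' serverless path, as IsMember/Add expect
    Select Case LCase(strAction)
        Case "add"
            If objGroup.IsMember(strMemberPath) Then
                ChangeMembership = "Already a member"
            Else
                objGroup.Add strMemberPath
            End If
        Case "remove"
            If objGroup.IsMember(strMemberPath) Then
                objGroup.Remove strMemberPath
            Else
                ChangeMembership = "Not a member"
            End If
        Case Else
            ChangeMembership = "Unknown action"
            Exit Function
    End Select
    If Err.Number <> 0 Then
        ChangeMembership = "Operation failed: " & Err.Description
    ElseIf Len(ChangeMembership) = 0 Then
        ChangeMembership = "OK"
    End If
End Function

' Page body: IIS Windows authentication still identifies the caller (LOGON_USER), which
' keeps the page off-limits to anonymous users and gives an identity to log.
Dim strCaller, strResult
strCaller = Request.ServerVariables("LOGON_USER")
If Not CallerIsAuthorized(strCaller) Then
    Response.Status = "403 Forbidden"
    Response.Write "Not authorized."
Else
    strResult = ChangeMembership(Request.Form("groupDN"), Request.Form("memberDN"), _
                                 Request.Form("action"))
    Response.Write Server.HTMLEncode(strCaller & ": " & strResult)
End If
%>
```

Two points worth keeping in mind with this pattern: once writes are done as the service account, AD's own ACLs no longer limit what an individual caller can do, so the page's authorization check and the OU scope check are what stand between any authenticated browser user and the service account's full delegated rights; and because the password lives with the application rather than with the user, the service account should hold exactly the add/remove rights on that OU and nothing more.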
"JT" <JT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7D76C4F5-540A-4CCA-B349-824BF796EB87@xxxxxxxxxxxxxxxx
Joe,
First of all, let me just say that I am not a programmer by any stretch of the imagination. I'm using ASP because I know nothing of .net. When I started this project, I went out looking for scripts that could do what I needed done, and started using vbscript. I then decided a web interface of sorts would be good, since most of the people that will be using it are not very computer savvy (trying to be nice...). As for the posting, I wasn't sure what group would be the best to assist in my problem, so thanks for taking the time...:)

My environment is an NT4 domain that is being migrated to W2K3 AD domain. The users reside in the NT4 domain and will continue to do so until all the systems are migrated. The groups and the web server, however, are located in the W2K3 AD domain. I created a group in the W2K3 AD domain that had delegation to add/remove users in groups. The web server has delegation for kerberos and uses windows authentication, and IE on the client machine has windows auth enabled. When I originally created the ASP page, I was able to get everything working as long as the users, groups, and web server were in the W2K3 AD domain. I would bind to everything using LDAP, and the authenticated user would be able to do his/her thing.

The problems all began when trying to do the same thing with users being in NT4 domain. Binding seemed to be an issue, so that is why I went to the WinNT standard. Now the issues revolve around authentication. From the web server, everything works great. From the client machine I can run vbscripts directly against AD and they work, but connecting to the ASP and allowing the server to perform the operation fails. I've tried many variations of the GetObject without success. Needless to say, I'm about to pull what little hair I have left out of my head...:) I decided to try a service account so authentication would be done against that account and not an NT4 domain account - still no luck. I thought about trying to convert the NT4 credentials to DN's. I hope some of this makes sense.
Joel
"Joe Kaplan (MVP - ADSI)" wrote:
A couple of things:
- Coding questions usually go in the microsoft.public.adsi.general newsgroup :)
- Why on earth would you use WinNT to manage an AD domain? LDAP is the preferred method.
- I'm a .NET guy, so I usually don't answer the ASP questions. I think ASP sucks big time and never want to program in it again. :) However, I will try to help.
- When you say you set up a service account, exactly how are those credentials being used here? ASP will automatically impersonate the logged in user, so depending on your security settings in IIS, that will either be the authenticated user or the anonymous user.
Joe K.
"JT" <JT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:37C32E1A-A9AB-4BBA-9E80-A918C7F625F6@xxxxxxxxxxxxxxxx
Joe,
The ASP page is basically an access control page being created to give some group managers and our help desk the ability to add and remove users from groups with access to certain files and folders. I created a group with the delegation of control to add and remove users from groups in an OU, and placed these individuals in the group. I've created the service account, but it is still failing. It is giving different errors depending on how I bind to the objects. Here are some things I've tried so far:

' Attempt 1: bind to the 2003 domain via the WinNT provider and add the NT4 user by ADsPath
Set objDomain = GetObject("WinNT://2003 AD Domain")
Set objGroup = objDomain.GetObject("Group", strGroupDN)
objGroup.Add "WinNT://NT4 Domain/" & strMemberDN

' Attempt 2: bind to both the user and the group via WinNT, then add using the user's ADsPath
Set objUser = GetObject("WinNT://NT4 Domain/" & strMemberDN)
Set objGroup = GetObject("WinNT://2003 AD Domain/" & strGroupDN)
objGroup.Add objUser.ADsPath

The errors seem to be related to either not finding the path or access being denied.

Any thoughts?
Joel
"Joe Kaplan (MVP - ADSI)" wrote:
If you can use a service account in your app to do what you need to do, then that should work fine. This really just depends on what you need to do in your AD query and whether it requires the authenticated user's credentials or not.

Kerberos delegation requires the ability to authenticate a user with Kerberos in the first place, so that isn't going to fly with NT4 users. I'm glad you are migrating. :)
Joe K.
"JT" <JT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:14FA4117-9876-44E2-B558-35ABCDC3FB0E@xxxxxxxxxxxxxxxx
Hey Joe,
Thanks for the reply. I think the problem is occurring because of how the domain is configured at the moment. We are in the process of migrating from NT4 domain to 2003. The users are still in the NT4 domain, and the groups are in 2003 AD. If I use an account on the remote system within the AD domain, the page works. If I log on using an NT domain account, it gives me the error. I'm trying to figure out the best way around this. I want to use authentication to the page so not just anyone can access it. I'm thinking about creating a service account in the 2003 that will be used to query AD.

Any thoughts/suggestions on this?
Thanks,
Joel