Re: ADSI Problem
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Jan 2007 22:28:12 -0600
Why not just let IIS authenticate the users? If the web server is a domain
member, you can just turn on Basic, Digest or IWA auth and it will just
work.
If you are doing forms authentication using ADSI (which it sounds like you
are trying to do) and want to authenticate against AD, you really should be
using the LDAP provider, not WinNT. I generally don't recommend using ADSI
for authentication (and neither does Microsoft) as it does not scale well.
However, that doesn't sound like the problem you are having (although it
might be if the app is very heavily used).
You'd have more and better options if you switched to .NET for your web apps
(ActiveDirectoryMembershipProvider for one), but it sounds like you've got a
big existing base in older technologies like ASP.
Another option is to look at ADFS to implement web SSO, but that might be
too big of a bite to chew off. It does support older app platforms, but in
Windows token mode, which might not be a way you are used to doing identity
integration in your apps.
In general, I tend to recommend staying away from the WinNT provider except
for doing stuff with the local machine or NT4 domains.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"robinwilson16" <robinwilson16@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B683DC84-4966-4D49-9901-8D37510AAE03@xxxxxxxxxxxxxxxx
Well, the main goal is that all domain users will be able to log on to the
various web applications, as at the moment everyone has different usernames
and passwords for all the resources and it is very confusing.
I thought I had found the answer and re-wrote the applications to use ADSI
to authenticate users instead of using local databases. It worked eventually
for the less heavily used ones, although IIS needed restarting every few days
to keep it working, but when I put it on a VB web application that is heavily
used the ADSI script stops working after about 5 minutes.
I still think this is the best option. I have had a look at ADAM but it
seems I would need to constantly update the local ADAM schema when new users
are added or they change their passwords. It also says in the documentation
that it does not sync passwords??? I tried the method in the documentation to
sync an Active Directory object (i.e. the users) at home on a test domain and
it wouldn't work.
Do you have any ideas how I can get this to work without increasing security
risks by joining the web server to the domain?
Thanks for the help
Robin
"Al Mulnick" wrote:
To know if ADAM was something you could use, we'd need to know more about
your design goals and such.
What is it you want to accomplish and what do you have to work with?
I suspect that at this point changing authentication mechanisms is not the
answer to your problem. That's just a guess though, as your situation may
dictate that you do so.
Al
"robinwilson16" <robinwilson16@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:0E5CB532-910C-467E-8C79-EE9A3ED61FE6@xxxxxxxxxxxxxxxx
Hello
That string is WinNT://school.local/userid
It always works on the member server and sometimes on the webserver. It's
just too temperamental to use as a solution at the moment.
Could I use ADAM to get it to authenticate with localhost instead? Not sure
how I would go about setting it up though.
I can always ping school.local whether it works or not.
I don't really want to add the webserver to the domain either for security
reasons.
Either authentication works straight away or it hangs for about 5 seconds
and fails.
It would be less frustrating if it didn't work at all!
"QuaffAPint" wrote:
What is strAdsPath that is getting passed - what does it look like?
Are you passing the user like 'domain\userid' ?
-Matt
On Jan 15, 9:19 am, robinwilson16
<robinwilso...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Thanks for the reply
I have tried with LDAP:// instead of WinNT:// and it is still the same, and
also with the IP address instead of the domain name.
Do you know how I can also fix the script to make it work all the time?
I only need a simple login script which authenticates users via AD and sets
up a session.
The script seems to allow so many users to log in and then it breaks.
Restarting IIS usually gets it working again. This seems like very strange
behaviour???
I will try posting at vbscripting too, thanks
Robin
"Al Mulnick" wrote:
Honestly? It surprises me that it works at all. I wouldn't have thought
mixing WINNT provider with adspath would work as you have it.
IADS sometimes surprises me though :)
You may want to post this on the VBScripting news groups and possibly for
IIS. You may also want to check the IIS logs to see what errors you're
throwing. You have no authentication mechanism that I see in there, so
you're relying on anonymous connections (and using WINNT provider), meaning
that you should be logging some attempts (if not, try enabling auditing to
see them better) to the domain.
"robinwilson16" <robinwilso...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:AA50061B-2F91-41D8-92DC-DC38D21B5460@xxxxxxxxxxxxxxxx
Hello
I have written a script to authenticate Active Directory users via ADSI
within a VB script in IIS.
It works fine on one PC which is a member server.
But on the webserver, which is not part of the domain, the script works OK
for a while then stops working with the following errors when attempting to
authenticate the users:
Error: 424
Description: Object Required
Error: -2147023677
Description: Object Required
Restarting IIS normally fixes it until it stops working again.
Please can someone tell me why this might be happening?
The code is below:
Thanks
Robin
'Get the username and password from the form
Dim strUserName
strUserName = Request.Form("username")
Dim strPassword
strPassword = Request.Form("password")
'Get the page action
Dim act
act = Request.Form("act")
Dim iFlags
iFlags = Request.Form("Flags")
'If the action is authenticate
if act = "auth" then
    'If the AD path is not empty
    '(strADsPath, adminGroup and teacherGroup are set earlier in the script, not shown here)
    if (not strADsPath = "") then
        'Bind to the ADSI object and authenticate the user
        Dim oADsObject
        Dim objUser
        Dim objGroup
        Dim objAdminGroup
        Dim objTeacherGroup
        Dim accountDisabled
        Dim accessLevel
        Dim isAdmin
        Dim isTeacher
        'This first bind runs under the IIS anonymous/worker account, not the submitted credentials
        Set oADsObject = GetObject(strADsPath)
        Dim strADsNamespace
        Dim oADsNamespace
        'Provider prefix up to and including the colon, e.g. "WinNT:"
        strADsNamespace = left(strADsPath, instr(strADsPath, ":"))
        set oADsNamespace = GetObject(strADsNamespace)
        'Re-bind with the submitted credentials (flags 0: no ADS_SECURE_AUTHENTICATION)
        Set oADsObject = oADsNamespace.OpenDSObject(strADsPath, strUserName, strPassword, 0)
        'Set up a user object to enable information about the user to be obtained
        Set objUser = GetObject("WinNT://school.local/" & strUserName)
        'Set up group objects to enable group information to be obtained
        Set objAdminGroup = GetObject("WinNT://school.local/" & adminGroup)
        Set objTeacherGroup = GetObject("WinNT://school.local/" & teacherGroup)
        'Boolean to say whether the user is a member of the given group
        isAdmin = objAdminGroup.IsMember(objUser.ADsPath)
        isTeacher = objTeacherGroup.IsMember(objUser.ADsPath)
        'If there was an error
        if not (Err.number = 0) then
...
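As an added example, not code from the thread, here is the form login rewritten the way Joe suggests: binding through the LDAP provider with ADS_SECURE_AUTHENTICATION instead of WinNT://, refusing empty passwords, escaping the username before it goes into an LDAP filter, and releasing every COM object. It assumes the user's UPN is userid@school.local and that the web server can resolve the domain's DCs (Robin says he can ping school.local); it returns the user's DN so the caller can do the group check against memberOf rather than WinNT IsMember.

```vbscript
Option Explicit
On Error Resume Next
' IADsOpenDSObject bind flag (ADS_AUTHENTICATION_ENUM): Kerberos/NTLM rather than a clear-text bind
Const ADS_SECURE_AUTHENTICATION = 1

' Escape the characters that are special in an LDAP search filter (RFC 4515),
' so a submitted username cannot alter the query built in AuthenticateUser.
Function LdapEscape(strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    LdapEscape = Replace(s, Chr(0), "\00")
End Function

' Bind as the user with the LDAP provider; return the user's distinguishedName,
' or "" when the credentials are rejected. strDomain is the DNS domain (school.local in the thread).
Function AuthenticateUser(strDomain, strUserName, strPassword)
    Dim oNamespace, oRoot, oConn, oCmd, oRs
    AuthenticateUser = ""
    ' An empty password turns the bind into an anonymous one, so refuse it before binding.
    If Len(strUserName) = 0 Or Len(strPassword) = 0 Then Exit Function
    Err.Clear
    Set oNamespace = GetObject("LDAP:")
    Set oRoot = oNamespace.OpenDSObject("LDAP://" & strDomain & "/RootDSE", _
        strUserName & "@" & strDomain, strPassword, ADS_SECURE_AUTHENTICATION)  ' assumed UPN = userid@domain
    If Err.Number <> 0 Then Exit Function   ' wrong password, disabled/locked account, or no DC reachable
    ' Credentials accepted: look the account up with the same credentials (no anonymous query).
    Set oConn = CreateObject("ADODB.Connection")
    oConn.Provider = "ADsDSOObject"
    oConn.Properties("User ID") = strUserName & "@" & strDomain
    oConn.Properties("Password") = strPassword
    oConn.Properties("Encrypt Password") = True
    oConn.Open "Active Directory Provider"
    Set oCmd = CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandText = "<LDAP://" & strDomain & "/" & oRoot.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=person)(sAMAccountName=" & LdapEscape(strUserName) & "));distinguishedName;subtree"
    Set oRs = oCmd.Execute
    If Err.Number = 0 And Not oRs.EOF Then AuthenticateUser = oRs.Fields("distinguishedName").Value
    ' Release the COM objects explicitly; objects leaked under ASP accumulate until IIS is recycled.
    If IsObject(oRs) Then oRs.Close
    If IsObject(oConn) Then oConn.Close
    Set oRs = Nothing: Set oCmd = Nothing: Set oConn = Nothing: Set oRoot = Nothing: Set oNamespace = Nothing
End Function
```

Call it from the "auth" branch as AuthenticateUser("school.local", strUserName, strPassword) and treat an empty return value as a failed login.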