AD authentication for ASP Pages? 1

[jsteph]

Hi all,
I have classic ASP site on our corporate intranet, and I want to either integrate directly with our Active Directory or authenticate via AD.

Basically I need to know who's logged in, and I'd prefer not to have to use a separate username in a table built by me, and I'd also prefer not to have them type in anything at all--my main concern is just to validate *who* they are, and I can control what they see once I know who they are.

From what I've read, I'd need to run an activex control on their browser, which would be ok since it's a corporate environment and via policy we can allow such a control, but Id really like the least invasive way possible to just get the AD username of the machine making the page request.
Thanks for any help,
--Jim

 

[foxbox]

It is possible to do something like this:

<table>
<%
Set oConn = Server.CreateObject("ADODB.Connection")
Set oRS = Server.CreateObject("ADODB.Recordset")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider" 

cSQL = "SELECT displayName, givenName, Cn, SN, mail FROM 'LDAP://ts01nl' " & _
         "WHERE objectCategory = 'Person' " & _
         "AND objectClass = 'User' " & _
         "ORDER BY displayName"
oRS.open cSQL, oConn
do While Not oRS.EOF
  Response.Write "<tr><td>" & oRS("Cn") & "</td>" &_
        "<td>" & oRS("SN") & "</td>" &_
        "<td>" & oRS("givenName") & "</td>" &_
        "<td>" & oRS("displayName") & "</td>" &_
        "<td>" & oRS("mail") & "</td></tr>"
  oRS.MoveNext
 Loop
 oRS.Close
 Set oRS = Nothing
%>
</table>

BTW: the SQL instruction set for AD is limited.
Google around

 

[foxbox]

Alternatively do it with LDAP syntax:

<table>
<%
Set oConn = Server.CreateObject("ADODB.Connection")
Set oRS = Server.CreateObject("ADODB.Recordset")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider" 

cSQL ="<LDAP://ou=yyyyyy,dc=xxxxxx>;" &_
       "(&(objectClass=user)(objectCategory=Person));" &_
       "displayname,SN,givenname,mail,Cn;subtree"

oRS.open cSQL, oConn
do While Not oRS.EOF

  Response.Write "<tr><td>" & oRS("Cn") & "</td>" &_
        "<td>" & oRS("SN") & "</td>" &_
        "<td>" & oRS("givenName") & "</td>" &_
        "<td>" & oRS("displayName") & "</td>" &_
        "<td>" & oRS("mail") & "</td>"
  oRS.MoveNext
 Loop
 oRS.Close
 Set oRS = Nothing
%>
</table>

 

[jsteph]

foxbox,
Thank you, but won't that return every user in AD?
What I'm looking to do is, as the user opens the main page of the intranet app, ASP has, for example:

dim strClientIP,strADName
strClientIP= Request.ServerVariables("REMOTE_ADDR")
strADName = Request.ServerVariables("WHAT DO I PUT HERE?")

So strClientIP is the user's workstation. Now what I want is the user's windows login name. I can't find it as a request variable.

I saw some code that might fetch an AD username via the workstation IP, but I'm hoping I can get something more sure-fire and direct.

Do you know of any way I can, from the asp page, fetch that username?
--Jim

 

[guitarzan]

Use Windows Authentication (IIS Manager > website Properties > Directory Security tab), and then

strADName = Request.ServerVariables("AUTH_USER")

should give you what you want.

 

[foxbox]

yes, it was just a sample to get you into a direction.
Request.ServerVariables("AUTH_USER") will give the userid of the user, and my assumption was that you wanted more info then that.

 

[jsteph]

guitar, foxbox,
Thanks, but that returns blank. The user never officially logs on to the site--they're just logged onto windows, they open a browser, and the site is set up for anonymous--and it must stay that way.

The point is, I'm within a corporate domain, they're logged onto windows, shouldn't I be able to know who they are without bothering them with logging in each time?

I ask because this is one site of many. I don't want them to have to type in their same user/pwd every time they open an intranet web site. They already logged onto windows and it seems to me that there should be some way to know who's hitting the website. I can fully understand that a public internet website shouldn't be able to find out my private pc's user login info, but within a corporate intranet I would think that IIS should have some way if getting this info without re-logging in.
Is this at all possible?
Thanks,
-Jim

 

[foxbox]

You need to change the authentication in the IIS.
IIS console
Web Site Properties
Directory security

and disable anonmyous access and set Integrated Windows authentication ON.

 

[jsteph]

foxbox,
I'm fairly sure I've tried that...and I think the issue was that this website does some things needing higher permissions than the standard user has.

For example, there's a bit of code that I use to write excel files to a directory on the IIS server, which the user then opens in a separate window via a button on the asp page. I don't want them having rights to write to the server folder--but of course the .asp page must have these rights. For Anonymous access, I'd created a user with specific rights to the certain folder and some other things--rights which I don't want to have to manage for all these website users.

If I'm off base, let me know. Using that integrated authentication does sound like the way I'd like to go, but--and maybe this is a subject for a different thread--But I continue to struggle with how to deal with permissions.

The excel example is a perfect example--I want low-rights users to be able to use the site. But the code on the site must be able to write to different folders on the server. However it seems like the .asp page, as it runs, only runs with permissions of the user who logged in (if i'm using integrated authentication).
I welcome any advice on this,
Thanks,
--Jim

 

[foxbox]

Mmmmmm, multiple approaches here.

With "Integrated Windows authentication = ON" your users MUST login onto the domain, which you need in order to know who they are (at least the domain userid)

Allow anonymous acces, typical for IUSR_<servername>.
Your scripts will access the filesystem with that user, so you need to set NTFS rights for the correct folder(s).

Of course you need to check all this, even while its 'only' an intranet..

 

[jsteph]

foxbox,
Thanks very much! I think I can make this work,
--Jim

 

[emozley]

One of my favourite methods for extracting the username is a bit of code I found here on Tek-Tips some years ago:

Set Login = Request.ServerVariables("LOGON_USER")
L=Len(Login)
LL=InStr(Login, "\")
StringLen=L-LL
User = (Right(Login, StringLen))

 

[foxbox]

looks like my own:

cLogin_User = ucase(Request.ServerVariables("LOGON_USER"))

if cLogin_User = "" then 
 response.Redirect "loginpage.asp"
end if


' Remove domain name
cLogin_User = Right(cLogin_User, Len(cLogin_User) - InStr(cLogin_User, "\"))