
ASP: Global Domain Group Verification 2


Snappy2873 | Programmer | Mar 29, 2002 | US
Good afternoon everyone,

I’ve got a security issue that needs some recommendations.

Here’s the scenario:

All my users log in to access the company domain, which is managed by Active Directory. I've written ASP applications that allow access to the user only if the domain\username (na\cgilbert) is added to a column in my tblUser table (SQL 2k), which is displayed in the following:


Id | empNTLogin | empStatus
1 | na\cgilbert | 2
2 | na\ssmith | 1
3 | na\sjones | 0



The following function fires an SP that checks to see if the user that's logged into the network is also in my tblUser.empUserName table (above).

__________________________________________________________________

Function to check NT login:

function CheckNTLogin(strLogin)
    '0 - general user
    '1 - modify
    '2 - admin
    'verify user information in the database
    'create the command object, bind the login as a stored-procedure parameter
    '(not string concatenation, so a quote in the login cannot alter the SQL)
    'and open the recordset
    Const adCmdStoredProc = 4, adVarChar = 200, adParamInput = 1
    Dim objCmd
    CheckNTLogin = false
    call ConnectDB()
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objCONN
    objCmd.CommandType = adCmdStoredProc
    objCmd.CommandText = "qparmVerifyLoginNT"
    objCmd.Parameters.Append objCmd.CreateParameter("@UserName", adVarChar, adParamInput, 255, strLogin)
    Set objRS = objCmd.Execute
    if not objRS is nothing then
        if not objRS.BOF and not objRS.EOF then
            Session("USER") = objRS.Fields("ID")
            'role level 0/1/2 comes from the empStatus column shown in the table above
            Session("ADMIN") = objRS.Fields("empStatus")
            CheckNTLogin = true
        end if
    end if
    'call DisConnectDB()
end function



_________________________________________________________________

Stored Procedure in SQL

qparmVerifyLoginNT:

CREATE PROCEDURE dbo.qparmVerifyLoginNT
(
    @UserName varchar(255)
)
AS
    select *
    from tblUser (nolock)
    where empNTLogin = @UserName
GO

_________________________________________________________________

If the user in my table matches the user logged on, then my search page fires and everything is ok, if not, the page reverts to a “contact admin page”.

So my question is the following, how would I modify this approach to call in global groups from the domain instead of individual users from the domain?

My preferred setup (domain\group) would allow me the ability to add everyone to groups from an Active Directory standpoint, but I can't get it to work.

This would save me about 200 individual users that need to be added to the database, as well as allow Active Directory more management control over the application.



Id | empUserName | empStatus
1 | na\Admin(group) | 2
2 | na\Modify(group) | 1
3 | na\GenAcc(group) | 0



Any help would be greatly appreciated.

 
Easy, what you need to do is first capture the user ID then bind to it and enumerate all the groups they are a member of. You will find the exact code you need in my login script FAQ. faq329-5798

I hope you find this post helpful.

Regards,

Mark
 
Hey Mark,
In your code, are you recommending that it's more appropriate to use a COM component instead of VBScript hard-coded into an ASP page? The reason I ask is because of the .vbs ext.
Thanks,
Snappy
 
Hey Mark, me again,
so far your script works like a charm, but I'd like to display available groups from the domain in question. I use a simple function to write out my Response.Writes. For instance, I'll do an RW(DomainString & UserString), which obviously results in the domain controller and current user. I tried to write out the "GroupObj.names" to no avail. Is there another way to write out the groups I'm looking for?
Thanks again for your nice script!
Snappy
 
Regarding your first question, the FAQ is for a login script which gets implemented in a GPO, so it is a VBS file. You can however (as you already tested) use the same code in ASP.

OK, so assuming that you have bound to the user object as UserObj you would do something like this to write out all of the groups the user belongs to.
Code:
For Each GroupObj In UserObj.Groups
    Response.Write GroupObj.Name
Next

Note that it is GroupObj.Name and not GroupObj.Names.

I hope you find this post helpful.

Regards,

Mark
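The enumeration Mark shows above is only half of an authorization check: the page still has to decide which of the enumerated groups grant which role, and it has to fail closed when the lookup itself fails. The following is an added example, not code from the thread or from Mark's FAQ, that folds the two together for a classic ASP page. It takes the user from Request.ServerVariables("LOGON_USER") (which IIS fills in as "DOMAIN\user" when Windows authentication is on), binds to that user in that domain only, and maps the three group names used later in this thread (DFW_TL_Admin, DFW_TL_Modify, DFW_TL_Gen) to the 0/1/2 empStatus levels, the highest matching level winning. The function names RoleFromGroups and SplitLogon, the dictRoles Dictionary and the contactadmin.asp page name are assumptions made for the example.

```vbscript
<%
' Added example (not from the original thread): map the authenticated user's
' domain group memberships to the 0/1/2 role levels used in tblUser.
' Assumes IIS Windows authentication is on, so LOGON_USER holds "DOMAIN\user",
' and that the web server can reach a domain controller for that domain.

' Split "DOMAIN\user" into its two parts; anything without a backslash is rejected
' (Basic authentication, for instance, may deliver a bare user name).
Function SplitLogon(strLogon, ByRef strDomain, ByRef strUser)
    Dim intPos
    SplitLogon = False
    intPos = InStr(strLogon, "\")
    If intPos > 1 And intPos < Len(strLogon) Then
        strDomain = Left(strLogon, intPos - 1)
        strUser = Mid(strLogon, intPos + 1)
        SplitLogon = True
    End If
End Function

' Returns the highest role level found among the user's groups, or -1 if the
' user is in none of the mapped groups or could not be looked up at all.
Function RoleFromGroups(strLogon, dictRoles)
    Dim strDomain, strUser, objUser, objGroup, intRole
    RoleFromGroups = -1
    If Not SplitLogon(strLogon, strDomain, strUser) Then Exit Function

    On Error Resume Next
    ' ",user" pins the object class so a group or computer with the same name
    ' cannot be returned instead of the user.
    Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
    If Err.Number <> 0 Then Exit Function   ' bind failed: fail closed, not open
    intRole = -1
    For Each objGroup In objUser.Groups
        ' The Dictionary was created with CompareMode = vbTextCompare, so the
        ' match is case-insensitive, which is how AD treats sAMAccountName.
        If dictRoles.Exists(objGroup.Name) Then
            If dictRoles(objGroup.Name) > intRole Then intRole = dictRoles(objGroup.Name)
        End If
    Next
    On Error GoTo 0
    RoleFromGroups = intRole
End Function

' Role table: group name -> empStatus level. Hard-coded here for the example;
' these rows could equally be read from tblUser at application start.
Dim dictRoles
Set dictRoles = Server.CreateObject("Scripting.Dictionary")
dictRoles.CompareMode = vbTextCompare
dictRoles.Add "DFW_TL_Gen", 0
dictRoles.Add "DFW_TL_Modify", 1
dictRoles.Add "DFW_TL_Admin", 2

Dim intRole
intRole = RoleFromGroups(Request.ServerVariables("LOGON_USER"), dictRoles)
If intRole < 0 Then
    Response.Redirect "contactadmin.asp"   ' assumed name of the "contact admin" page
Else
    Session("ADMIN") = intRole
End If
%>
```

Two design points worth keeping whatever the final form looks like: the role is derived from a lookup table rather than a chain of identical Case branches, so adding a group means adding one row, and every failure path (no backslash in the logon, bind error, no matching group) ends in the same "no access" result rather than a default role.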
 
Hey Mark,
It works like a charm:

For Each GroupObj In UserObj.Groups
    RW GroupObj.Name & "<br>"
Next

I've got one more question for you: I've been told by my network people it's not good network management to only have global groups created on the domain managing my web apps. They believe I should create my groups on the server that's serving up my web app (IIS, SQL2k etc) and then add these groups to the global groups on the domain. Knowing this, I've been told the only way for my authentication to work is to create my groups on the domain. Could you give me your professional opinion on this?

Thanks again,
Snappy
 
I'd like to know how they justify their statements. I've created many web based applications that talk directly to AD and used Global Groups without incident. If they have any documentation I would be happy to review it.

I hope you find this post helpful.

Regards,

Mark
 
this is an old MS recommendation on Local\Global group best practice.
It came about due to the situation in NT domains that you would have multiple domains. Cross domain access was best done in the way M$ suggested.

+ Local group on Local machine.
+ Global Groups in various domains then put those groups into that Local group.

This makes good sense and I would recommend this in a multi NT4 domain scenario.

I doubt this is your situation.
 
Hey Guys,
Well everything was working properly until I moved everything to production. Here's the problem.

My DEV environ:
1. All ASP files and folders are managed by IIS on my local machine.
2. The SQL database is located on our DFWLibrary server.

The following is the security script I use for group auth:

<%
Dim blnLogin : blnLogin = false
Dim dfwNetwork, objDomain, DomainString, UserString, UserObj, GroupObj

'set objects for network
Set dfwNetwork = CreateObject("WScript.Network")

'Automatically find the domain name
Set objDomain = GetObject("LDAP://rootDse")
DomainString = objDomain.Get("dnsHostName")

'Grab the user name
UserString = dfwNetwork.UserName

'Bind to the user object to get user name and check for group memberships later
'BOMBS RIGHT HERE, but I can "RW" the DomainString and UserString right after I define them.
Set UserObj = GetObject("WinNT://" & DomainString & "/" & UserString)

For Each GroupObj In UserObj.Groups
    RW GroupObj.Name & "<br>"
Next

'Now check for group memberships and take needed action.
'DFW_TL_Admin, DFW_TL_Modify and DFW_TL_Gen are GLOBAL DOMAIN groups;
'the three branches are identical, so they are folded into one Case.
For Each GroupObj In UserObj.Groups
    Select Case GroupObj.Name
        Case "DFW_TL_Admin", "DFW_TL_Modify", "DFW_TL_Gen"
            if len(Request.ServerVariables("LOGON_USER")) > 0 then
                if CheckNTGroup(GroupObj.Name) = true then
                    blnLogin = true
                end if
            end if
    End Select
Next
%>


My PROD environ:
1. All ASP files and folders are managed by IIS on the DFWLibrary server.
2. The SQL database is located on our DFWLibrary server.


So when I go to my application from my client:

the security bombs with a "no network connection" error.

But when I log onto a remote session on the DFWLibrary server and use IE locally everything works fine.

Any suggestions would be greatly appreciated!

Thanks in advance,
Snappy
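The script above binds to the directory under whatever identity the ASP thread happens to have: WScript.Network.UserName reports the identity of that thread, which under IIS is the impersonated browser user only while Windows authentication is impersonating, and otherwise the worker-process or anonymous account. A well-known cause of exactly the "works on the server, fails from a client" symptom is the Windows double hop: a remote client that authenticated with NTLM leaves the server with an impersonation token that carries no credentials it can present onward to a domain controller, while a browser running on the server itself does not hit that limit. Whether or not that is the cause in this case, the added example below (not code from the thread) removes the dependency: it takes the user from LOGON_USER, binds to AD with a dedicated read-only service account through the ADSI OLE DB provider, finds the user by sAMAccountName with an escaped LDAP filter, and reads the memberOf attribute. The names GroupsForUser, LdapFilterEscape, CnFromDn and the Application("SvcUser") / Application("SvcPass") settings are assumptions; the example assumes those two values are loaded in global.asa from a file the web user cannot read, and that LDAP://rootDSE resolves to a domain controller from the web server.

```vbscript
<%
' Added example (not from the original thread): group lookup via LDAP with an
' explicit service account, so the directory bind does not depend on the
' browser user's impersonation token.
Const ADS_SECURE_AUTHENTICATION = 1

' Escape the characters RFC 4515 gives special meaning inside an LDAP filter,
' so a crafted logon name cannot change the query.
Function LdapFilterEscape(strValue)
    Dim i, c, strOut
    For i = 1 To Len(strValue)
        c = Mid(strValue, i, 1)
        Select Case c
            Case "\":    strOut = strOut & "\5c"
            Case "*":    strOut = strOut & "\2a"
            Case "(":    strOut = strOut & "\28"
            Case ")":    strOut = strOut & "\29"
            Case Chr(0): strOut = strOut & "\00"
            Case Else:   strOut = strOut & c
        End Select
    Next
    LdapFilterEscape = strOut
End Function

' "CN=DFW_TL_Admin,OU=Groups,DC=na,DC=corp" -> "DFW_TL_Admin". Does not undo
' RFC 4514 escaping, so a CN containing "\," would be cut at the escape.
Function CnFromDn(strDn)
    Dim intComma
    intComma = InStr(strDn, ",")
    If intComma = 0 Then intComma = Len(strDn) + 1
    CnFromDn = Mid(strDn, 4, intComma - 4)
End Function

' Returns a Dictionary whose keys are the CNs of the groups the user is a direct
' member of. Any failure returns an empty Dictionary, i.e. no access.
Function GroupsForUser(strLogon, strSvcUser, strSvcPass)
    Dim intPos, strSam, objRoot, strBase, objConn, objCmd, objRS, vGroups, strGroup, dictGroups
    Set dictGroups = Server.CreateObject("Scripting.Dictionary")
    dictGroups.CompareMode = vbTextCompare
    Set GroupsForUser = dictGroups

    intPos = InStr(strLogon, "\")          ' LOGON_USER is "DOMAIN\user"
    If intPos = 0 Then Exit Function
    strSam = Mid(strLogon, intPos + 1)

    On Error Resume Next
    Set objRoot = GetObject("LDAP://rootDSE")
    strBase = objRoot.Get("defaultNamingContext")
    If Err.Number <> 0 Then Exit Function

    ' The bind is made as the service account, not as the impersonated web user.
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Properties("User ID") = strSvcUser
    objConn.Properties("Password") = strSvcPass
    objConn.Properties("Encrypt Password") = True
    objConn.Properties("ADSI Flag") = ADS_SECURE_AUTHENTICATION
    objConn.Open "Active Directory Provider"
    If Err.Number <> 0 Then Exit Function

    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "<LDAP://" & strBase & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & LdapFilterEscape(strSam) & "));" & _
        "distinguishedName,memberOf;subtree"
    Set objRS = objCmd.Execute
    If Err.Number <> 0 Then Exit Function
    If objRS.EOF Then Exit Function

    ' memberOf is multi-valued: an array of group DNs, a single string, or Null.
    vGroups = objRS.Fields("memberOf").Value
    If IsArray(vGroups) Then
        For Each strGroup In vGroups
            dictGroups(CnFromDn(strGroup)) = True
        Next
    ElseIf Not IsNull(vGroups) Then
        dictGroups(CnFromDn(vGroups)) = True
    End If
    objConn.Close
End Function

' Usage: the group names are the ones used elsewhere in this thread.
Dim dictGroups
Set dictGroups = GroupsForUser(Request.ServerVariables("LOGON_USER"), Application("SvcUser"), Application("SvcPass"))
If dictGroups.Exists("DFW_TL_Admin") Then
    Session("ADMIN") = 2
ElseIf dictGroups.Exists("DFW_TL_Modify") Then
    Session("ADMIN") = 1
ElseIf dictGroups.Exists("DFW_TL_Gen") Then
    Session("ADMIN") = 0
Else
    Response.Redirect "contactadmin.asp"   ' assumed name of the "contact admin" page
End If
%>
```

Two caveats a reviewer would raise on this pattern. memberOf lists direct memberships only; if the DFW_TL_* groups are meant to contain other groups, the check has to expand nesting (for example by reading the user's tokenGroups attribute after binding to the user object) or the nested members will be refused. And the service account needs nothing beyond read access to user and group objects; giving it more turns a leaked web-server config into a directory-wide problem.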
 
How do you have the SQL connection setup in your ASP code?

Do you have a System DSN on the server? How about on the workstations?

I hope you find this post helpful.

Regards,

Mark
 
About the SQL Connection:
I start by saving a notepad doc to the desktop as "test.udl". I then open up the data link file and configure it to my ODBC connection, test it and close the doc. I then open the "test.udl" file in notepad and copy/paste the connect string into my code.
For instance, I have a "constant.asp" file that includes my connect string(strConnect) as well as my upload file, web paths and variables. It goes something like this:

<%
dim strConnect : strConnect = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=Techlibrary;Data Source=dfwlibrary;"
dim strPath : strPath = "D:\webappdocs\documents\"
dim strWebPath : strWebPath = "//Dfwlibrary/webappdocs/documents/"
'***************************************************************************************************************************************
dim objCONN, objRS, strSQL, searchtext, searchfield, blnCont, intUSER, objRS_ADD, objRS_ORD, intPRICE, intTOTAL, intCounter, strClass, objRS_DEL
dim intG_TOTAL, strSTATE, objRS_ST, objRS_STATES, strDEPT, objRS_DP, objRS_DEPTS, strLOCATION, objRS_LC, objRS_LOCATIONS, strReceivedby, objRS_RB
dim objRS_Receivedby
set objCONN = Server.CreateObject("ADODB.Connection")
set objRS = Server.CreateObject("ADODB.Recordset")
%>


I also call another ASP page with my functions including the connect function which is included in every ASP page:

function ConnectDB()
    Set objCONN = Server.CreateObject("ADODB.Connection")
    objCONN.open strConnect
end function

The connection works properly for now; the other questions you asked I'll have to get to mañana.

Thanks,
S
 
Well, even without knowing your application, this seems like an awfully strange way of doing this to me.

On the server side you can have the data connection be available to the entire web application by configuring in the web.config file.

It is also possible to set up a system DSN via vbscript so that all client PCs would have a DSN before even reaching the web site.

I don't think I can add much more value here and would suggest that you try posting in the ASP forum.

I hope you find this post helpful.

Regards,

Mark
 