Determine if user is in AD group

CJM

I need to be able to determine if the user is a member of a given AD group.
I have a method of doing this, but it is not suitable for 64-bit OSes, so I
need to find an alternative route. I actually think an alternative route
might be a better route.

I'm not an ADSI expert (frankly, I find it confusing) and I don't want to
learn any more - I just want to be able to do this one thing.

How do you guys go about achieving this?

I found one method that worked on my development machine but not on the
server:

<%
Option Explicit
Dim WshNetwork, ADSysInfo, CurrentUser, UserName, ComputerName, strGroups

Set WshNetwork = CreateObject("WScript.Network")

' ADSystemInfo.UserName returns the distinguished name of the user the ASP
' thread is currently impersonating
Set ADSysInfo = CreateObject("ADSystemInfo")
Response.Write ADSysInfo.UserName & "<BR><BR>"

' <<== error 80072020 on this line when the page is called from another machine
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)

UserName = LCase(WshNetwork.UserName)
ComputerName = LCase(WshNetwork.ComputerName)
Response.Write UserName & " " & ComputerName

' memberOf is multi-valued: ADSI returns a String (VarType 8 = vbString) when
' the user is in exactly one group, an array of Variants (8204 = vbArray +
' vbVariant) when in several, and Empty when there are no direct memberships.
Select Case VarType(CurrentUser.MemberOf)
    Case vbString
        strGroups = LCase(CurrentUser.MemberOf)
    Case vbArray + vbVariant
        ' DNs contain spaces, so join with a delimiter that can be split again
        strGroups = LCase(Join(CurrentUser.MemberOf, "; "))
    Case Else
        strGroups = ""
End Select

Response.Write strGroups
%>


Ok, it's not polished code, but it works locally. However it produces a
'80072020' on the stated line. It seems to be a permissions issue of some
sort, but I can't find a solution.

Any ideas?

Thanks in advance.

Chris
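The same check, rewritten as an added example for classic ASP. This is not Chris's code and not a Microsoft sample; it assumes IIS6 with only Integrated Windows Authentication enabled on the virtual directory, a low-privilege domain account MYDOMAIN\svc_adread that can read user objects (including tokenGroups) and group objects, a password supplied from configuration rather than the placeholder shown, and an example group DN. It binds to the directory with that service account instead of the caller's token, which is the part that fails from a remote browser in the thread, and it uses tokenGroups rather than memberOf so nested and primary-group membership count too.

```vbscript
<%
Option Explicit
' Added example, not the poster's code: a classic ASP (VBScript) helper that
' answers "is the authenticated browser user in AD group X?" from a remote
' workstation, which is where GetObject("LDAP://...") fails in the thread.
'
' Assumed, not from the thread: IIS6 with only Integrated Windows
' Authentication enabled on the virtual directory, and a low-privilege domain
' account MYDOMAIN\svc_adread used only to read the directory. Keep its
' password in configuration outside the web root, not in the page.
'
' Why not bind as the caller? Under IWA the ASP thread impersonates the
' browser user. An NTLM logon from another machine yields a network token that
' carries no credentials, so the worker process cannot make a second hop to a
' domain controller as that user (it works from a browser on the server itself
' because that logon is interactive). Binding with a fixed service account
' removes the second hop; Kerberos delegation is the other way out, and that
' needs correct SPNs.

Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_SIGNING           = &H40   ' LDAP integrity
Const ADS_USE_SEALING           = &H80   ' LDAP encryption
Const BIND_USER = "MYDOMAIN\svc_adread"          ' assumed
Const BIND_PASS = "read-from-config-not-here"    ' assumed placeholder

' Byte-array SID (how ADSI returns objectSid and tokenGroups) -> hex string,
' so two SIDs can be compared with plain string equality.
Function SidToHex(sidBytes)
    Dim i, h
    h = ""
    For i = LBound(sidBytes) To UBound(sidBytes)
        h = h & Right("0" & Hex(sidBytes(i)), 2)
    Next
    SidToHex = h
End Function

' Open a directory object with the service account, not the caller's token.
' A "/" inside a DN has to be escaped in an ADsPath.
Function BindAs(dn)
    Dim ns
    Set ns = GetObject("LDAP:")
    Set BindAs = ns.OpenDSObject("LDAP://" & Replace(dn, "/", "\/"), _
        BIND_USER, BIND_PASS, _
        ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING)
End Function

' True if the caller is in groupDn directly, through nesting, or as primary
' group. tokenGroups is the SID list the DC computes for the account, so it
' covers all three; memberOf lists direct membership only and omits the
' primary group.
Function CallerIsInGroup(groupDn)
    Dim sysInfo, userDn, userObj, groupObj, wanted, sids, i
    CallerIsInGroup = False
    If Request.ServerVariables("LOGON_USER") = "" Then Exit Function  ' not authenticated

    ' ADSystemInfo resolves the impersonated caller to a DN through the
    ' server's own secure channel, so it works even when the token cannot hop.
    Set sysInfo = CreateObject("ADSystemInfo")
    userDn = sysInfo.UserName

    Set groupObj = BindAs(groupDn)
    wanted = SidToHex(groupObj.Get("objectSid"))

    Set userObj = BindAs(userDn)
    userObj.GetInfoEx Array("tokenGroups"), 0
    sids = userObj.Get("tokenGroups")

    ' ADSI hands back one byte array for a single value and an array of
    ' Variants (each a byte array) for several.
    If VarType(sids) = (vbArray Or vbByte) Then
        CallerIsInGroup = (SidToHex(sids) = wanted)
    Else
        For i = LBound(sids) To UBound(sids)
            If SidToHex(sids(i)) = wanted Then CallerIsInGroup = True
        Next
    End If
End Function

' Usage: gate the page on one group (the group DN is an assumed example).
If CallerIsInGroup("CN=App Admins,OU=Groups,DC=mydomain,DC=net") Then
    Response.Write Server.HTMLEncode(Request.ServerVariables("LOGON_USER")) & " is an App Admin"
Else
    Response.Status = "403 Forbidden"
    Response.Write "Access denied"
End If
%>
```

Signing and sealing are requested on the bind so the service account's credentials and the query do not cross the wire in clear text; the service account needs nothing beyond read access, so a compromise of the page does not hand out a privileged identity.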
 
Luke Zhang [MSFT]

Hello Chris,

Your code looks flawless. I also suspect it is a security issue. To query AD
information, we need at least a domain user's permissions. I suggest you
first check which account your ASP application is running as.
If you are working with IIS 6, the account is specified in the
application pool's identity; if it is IIS 5, you need to check the identity of the IIS
application in Component Services manager.

BTW, to confirm if this is a security issue, you may logon on the target
server with a domain user account, and create a VBS file with following
code:

Option Explicit
Dim WshNetwork, ADSysInfo, CurrentUser, UserName, ComputerName, strGroups

Set WshNetwork = CreateObject("WScript.Network")

' Distinguished name of the logged-on user, resolved through the domain
Set ADSysInfo = CreateObject("ADSystemInfo")
MsgBox ADSysInfo.UserName

' Bind to the user object with the interactive user's own token
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)

UserName = LCase(WshNetwork.UserName)
ComputerName = LCase(WshNetwork.ComputerName)
MsgBox UserName & " " & ComputerName

' memberOf comes back as a String for one group, an array of Variants for several
Select Case VarType(CurrentUser.MemberOf)
    Case vbString
        strGroups = LCase(CurrentUser.MemberOf)
    Case vbArray + vbVariant
        strGroups = LCase(Join(CurrentUser.MemberOf, "; "))
    Case Else
        strGroups = ""   ' Empty: no direct group memberships
End Select

MsgBox strGroups

If the above code executes successfully, we can be sure it is an ASP
security issue.

Regards,

Luke Zhang
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
CJM

Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)

[snip]


If the above code executes successfully, we can be sure it is an ASP
security issue.

Luke,

If I call the script when logged in to the server, it runs fine. If I call
the page from another workstation, it fails at the line above.

In both cases, the application pool uses Network Service as its
identity. I created another application pool and gave it the same identity
as I use for SQL Server (basically a standard domain user), and I added my
app to this pool. When I try the test page, I get an almost-blank 'Service
Unavailable' page.

I tried setting the identity to my user account (I'm a domain admin), but
even this didn't work - it still says Service Unavailable.

Any ideas?

Thanks

Chris
 
Luke Zhang [MSFT]

Is your user account (domain admin) also a local admin on the server? And
is the application pool started when you get the error "Service
Unavailable"?

Thanks,

Luke Zhang
Microsoft Online Community Support

 
CJM

[Follow-ups set to m.p.i.iis]

Luke,

The latest situation is this:

I've created a domain user specifically to use as the identity for the new
application pool, and I've added it to the IIS_WPG group on the local
machine. This group also has file-level privileges to the whole application.

So IIS reports that the application pool is working OK, and the Security Log
in the Event Viewer seems to confirm that everything is OK.

When I access the test page from the server, it works fine. When I try to
access it from any other machine, I now get a username/password dialog. And
no matter what I enter into this, it just keeps coming back. If I press
escape, I get a HTTP 401.1 error - "Unauthorized: Access is denied due to
invalid credentials"

For newcomers to this thread, I'm running IIS6 on Win2k3; I'm trying to use
Integrated Authentication to determine the user, and more importantly,
whether they are a member of a particular AD group - see the original post
at the top of this thread.

Any suggestions?

Thanks

Chris



 
Luke Zhang [MSFT]

Hello Chris,

You may first check the "Directory Security" tab of the virtual folder in IIS
manager: is only "Integrated Windows authentication" checked? Also,
when you access it from another computer, are both computers in the same
domain?

Luke Zhang
Microsoft Online Community Support

 
CJM

Yes, only Windows Authentication is enabled.

Yes, all the computers are on the same domain.

Chris
 
Luke Zhang [MSFT]

Hello Chris,

On the client computer, you may open IE, click Tools\Internet
Options\Advanced\Security: is the option "Enable Integrated Windows
Authentication" checked? Also, does the problem occur with other web
applications on the same server?

Regards,

Luke Zhang
Microsoft Online Community Support

 
CJM

Luke Zhang said:
Hello Chris,

On the client computer, you may open IE, click Tools\Internet
Options\Advanced\Security: is the option "Enable Integrated Windows
Authentication" checked? Also, does the problem occur with other web
applications on the same server?

Luke,

Yes, all instances of IE have IWA enabled.

The problem is one of design. I have a number of instances where I would
like to use this technique, if only I could get it working. The problem is
consistent across all servers. It's not a fault with one - it's a design
fault with this technique. However, I still don't know where that fault
lies.

All I want to do is to be able to use IWA to detect which user is running
the app, and to then query AD to determine which user groups the user is in,
so I can convey them suitable rights to the application.

So far I have created an application pool with a domain user as its identity,
and I have enabled IWA for this application.

The code I was hoping to use (that you have already verified) works if you
call it from the server (ie you log in to the server to access the
application), but gives a 401.1 error if you access it from any other
workstation.

If I leave the application in the default application pool, the code works
when you run it from the server, but if you run it from another machine you
get a 80072020 error at this line:

Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)

My objective is clear and should be easily achievable - I'm not bothered
about which technique I use (if there is more than one).

CJM
 
Luke Zhang [MSFT]

Hello,

From the problem description, the web server didn't get the correct
credential when you accessed the web page from the client side. Is there a proxy or
firewall between the two computers? Also, you may perform such a test: on
the virtual folder properties, only enable Basic authentication (leave
anonymous and IWA unchecked), then reset IIS and test from another
computer. When you access the page, it will pop up a dialog for your
Windows account; input the account including the domain name here. Can this make
it work? If this works, we can be sure that the problem is with your
IIS (maybe IWA), and we may perform further troubleshooting on that.

Regards,

Luke Zhang
Microsoft Online Community Support

 
CJM

Luke Zhang said:
Hello,

From the problem description, the web server didn't get the correct
credential when you accessed the web page from the client side. Is there a proxy or
firewall between the two computers? Also, you may perform such a test: on
the virtual folder properties, only enable Basic authentication (leave
anonymous and IWA unchecked), then reset IIS and test from another
computer. When you access the page, it will pop up a dialog for your
Windows account; input the account including the domain name here. Can this make
it work? If this works, we can be sure that the problem is with your
IIS (maybe IWA), and we may perform further troubleshooting on that.

Right... I've found a solution to the dialog popping up when I access my
test page (or any other page) from a client machine. See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;871179

I've created an SPN for the Application pool user.

However, that merely brings us back to square one! When I run our test page
I am getting the following error:

"Test page:

CN=My Name,OU=MyOU1,OU=MyOU2,DC=MyDomain,DC=net

error '80072020'
/fxdb/test.asp, line 31 "

where line 31 is - "Set CurrentUser = GetObject("LDAP://" &
ADSysInfo.UserName)"


I tried opting for basic authentication - this actually worked from remote
machine... so this suggests the problem lies with IIS??
 
Luke Zhang [MSFT]

Since Basic authentication works for remote access, we may perform
more tests on the IIS authentication. If you set IIS to only use NTLM as
the article suggests:

1. Start a command prompt.
2. Locate and then change to the directory that contains the Adsutil.vbs
file. By default, this directory is C:\Inetpub\Adminscripts.
3. Type the following command, and then press ENTER:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
4. To verify that the NtAuthenticationProviders metabase property is set to
NTLM, type the following command, and then press ENTER:
cscript adsutil.vbs get w3svc/NTAuthenticationProviders

Will this help?

Luke Zhang
Microsoft Online Community Support

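The settings the thread works through by hand (which authentication methods the virtual directory allows, the NTAuthenticationProviders value that adsutil.vbs reads, the application pool identity) and the SPN check from KB 871179 that Chris applied, gathered into one script run on the IIS6 server. This is an added example, not part of the thread and not a Microsoft script; the site id, virtual directory, pool name and host names are assumed placeholders.

```vbscript
' Added example, not from the thread: run "cscript iis6authcheck.vbs" on the
' IIS6 server to dump the settings this thread turns on and to check the
' Kerberos SPNs of the pool identity. Site id "1", vdir "fxdb", pool name and
' host names are assumed values; change them to match the server.
Option Explicit

Const SITE_ID    = "1"
Const VDIR       = "fxdb"
Const POOL       = "FxdbPool"                 ' assumed
Const HOST_SHORT = "webserver"                ' assumed
Const HOST_FQDN  = "webserver.mydomain.net"   ' assumed

' IIsWebVirtualDir.AuthFlags bits
Const AUTH_ANONYMOUS = 1
Const AUTH_BASIC     = 2
Const AUTH_NTLM      = 4     ' "Integrated Windows authentication" in the UI

' IIsApplicationPool.AppPoolIdentityType values
Const POOLID_LOCALSYSTEM    = 0
Const POOLID_LOCALSERVICE   = 1
Const POOLID_NETWORKSERVICE = 2
Const POOLID_SPECIFICUSER   = 3

' IADsNameTranslate constants
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779   = 1
Const ADS_NAME_TYPE_NT4    = 3

' Read an ADSI property that may not be set; return Empty instead of raising.
Function SafeGet(obj, name)
    On Error Resume Next
    SafeGet = obj.Get(name)
    If Err.Number <> 0 Then SafeGet = Empty
End Function

Function Describe(v)
    If IsEmpty(v) Then Describe = "(not set at this level)" Else Describe = CStr(v)
End Function

Dim vdir, flags, pool, account, sysInfo, nt, spns, want, i, found

' 1. Authentication methods the virtual directory accepts
Set vdir = GetObject("IIS://localhost/W3SVC/" & SITE_ID & "/Root/" & VDIR)
flags = vdir.AuthFlags
WScript.Echo "AuthFlags=" & flags & ": anonymous=" & CBool(flags And AUTH_ANONYMOUS) & _
    " basic=" & CBool(flags And AUTH_BASIC) & " integrated=" & CBool(flags And AUTH_NTLM)
If (flags And AUTH_ANONYMOUS) <> 0 Then WScript.Echo "  WARNING: anonymous is on, LOGON_USER will be empty"
If (flags And AUTH_BASIC) <> 0 Then WScript.Echo "  WARNING: Basic sends the password in clear text unless the site is HTTPS only"

' 2. Providers IIS offers: "Negotiate,NTLM" allows Kerberos, "NTLM" alone forces NTLM
WScript.Echo "NTAuthenticationProviders (w3svc): " & Describe(SafeGet(GetObject("IIS://localhost/W3SVC"), "NTAuthenticationProviders"))
WScript.Echo "NTAuthenticationProviders (vdir):  " & Describe(SafeGet(vdir, "NTAuthenticationProviders"))

' 3. Account the worker process runs as
Set pool = GetObject("IIS://localhost/W3SVC/AppPools/" & POOL)
Set sysInfo = CreateObject("ADSystemInfo")
Select Case pool.AppPoolIdentityType
    Case POOLID_SPECIFICUSER
        account = pool.WAMUserName
    Case POOLID_LOCALSYSTEM, POOLID_NETWORKSERVICE
        ' these present the computer account to the domain
        account = sysInfo.DomainShortName & "\" & CreateObject("WScript.Network").ComputerName & "$"
    Case Else
        WScript.Echo "Pool " & POOL & " runs as LocalService, which has no domain identity"
        WScript.Quit 1
End Select
WScript.Echo "App pool " & POOL & " runs as " & account

' 4. HTTP SPNs on that account. A Kerberos client asks the KDC for HTTP/<host>;
' if those SPNs sit on a different account (typically the machine account after
' the pool was moved to a domain user) the worker process cannot decrypt the
' ticket and IWA ends in 401.1 (KB 871179).
Set nt = CreateObject("NameTranslate")
nt.Init ADS_NAME_INITTYPE_GC, ""
nt.Set ADS_NAME_TYPE_NT4, account
spns = SafeGet(GetObject("LDAP://" & nt.Get(ADS_NAME_TYPE_1779)), "servicePrincipalName")
If IsEmpty(spns) Then spns = Array()
If VarType(spns) = vbString Then spns = Array(spns)

For Each want In Array("HTTP/" & HOST_SHORT, "HTTP/" & HOST_FQDN)
    found = False
    For i = LBound(spns) To UBound(spns)
        If LCase(spns(i)) = LCase(want) Then found = True
    Next
    If found Then
        WScript.Echo "  SPN present: " & want
    Else
        WScript.Echo "  SPN MISSING: " & want & "   fix: setspn -A " & want & " " & account
    End If
Next
```

Forcing NTAuthenticationProviders to "NTLM", as in the steps above, makes the 401.1 go away by turning Kerberos off rather than fixing it; registering the HTTP SPNs on the pool account keeps Kerberos, which is also the only path on which delegation of the caller's identity to the domain controller can ever work.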
 
