Double Hop Issue? Tough problem...(For me)

A

Anthony

I am trying to get a users DN by translating the LOGON_USER NT4 format
variable. I am ONLY using windows authentication for security settings:
This is a Windows 2000 IIS 5 Server. Here is the .asp that I've stripped
down.. feel free to paste the code for your own testing.. it works:

----------------- begin paste-- -----------
<%
' logon_user will be in DOMAIN\LANID format (NT4 Format)
logonuser = Request.ServerVariables("LOGON_USER")

'sUser DN will be in CN=JOEUSER,CN=Users,DC=DOMAIN,DC=MYCORP,DC=COM
sUserDN = getdn(logonuser)
response.write sUserDN

' and getdn function looks like the following

public function getDN(NT4Name)
' NT4Name DOMAIN\LANID format (NT4 Format)
' Function returns DN from NT4 Name

' Gets the users DN from the DOMAIN/NT Name

sDC = "DC01"

const ADS_NAME_INITTYPE_DOMAIN = 1
const ADS_NAME_INITTYPE_SERVER = 2
const ADS_NAME_INITTYPE_GC = 3

const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_NT4 = 3

Set nto = CreateObject("NameTranslate")
'nto.InitEx ADS_NAME_INITTYPE_SERVER, sDC, sAdmin, sDomain, sAdmPwd
nto.Init ADS_NAME_INITTYPE_SERVER, sDC
nto.Set ADS_NAME_TYPE_NT4, NT4Name
sUserDN = nto.Get(ADS_NAME_TYPE_1779)

getDN = sUserDN
end function
%>

-------------- end paste -----

The error I am getting is the following.. :

error '80090332'
The security context could not be established due to a failure in the
requested quality of service (e.g. mutual authentication or delegation).

-----------

If I am on a Windows 2000 Domain member or higher this works fine.. (I
understand it works when Kerberos Authentication is ok) I have trusted the
IIS server for kerberos authentication so it's working fine provided
Kerberos Authentication is good...

The problem is IF the authentication drops down to NTLM (When using NT4 or a
non-domain member client (VPN'ed in ..etc..)) this is really when it dumps
the above error.. anyway around this??

So, Is there anyway to get a userDN another way? I know my problem is the
local IUSR_Machinename account doesn't have access to the LDAP directory...
so I was hoping to pass credentials through to the DC.

Are there other ways to accomplish this task? Once the DN is known I need
to check their group memberships to determine if they have access to a
particular function within an .asp so I'd have to connect to the ldap
provider multiple times.. not just this once..

Lastly, if there is no way to allow for this to work with the above code
snip.. can I at least trap that error to display "Kerberos not working"
instead of that ugly mess for users? I can't seem to trap that error...

Any help would be much appreciated.. Thank you
 
F

fniles

Hi Anthony,
did you get your problem solved ? I am having the same problem. Thanks.

**********************************************************************
Sent via Fuzzy Software @ http://www.fuzzysoftware.com/
Comprehensive, categorised, searchable collection of links to ASP & ASP.NET resources...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,997
Messages
2,570,240
Members
46,830
Latest member
HeleneMull

Latest Threads

Top