rburriel
Starting Member
2 Posts |
Posted - 26 November 2001 : 16:08:27
|
Hi there,
I'm running Snitz on a Windows NT 4.0 server with IIS 4. I've set it to NT authentication (no problem there). But if I set it to auto logon or to use NT groups, then I get the following message:
error '80070035' The network path was not found.
/board/inc_functions.asp, line 1263
The error is caused by the GetObject("WinNT://"+strNTUser) command in the inc_functions.asp file. Now, I know this works because I set it up on a different NT 4.0 server with IIS 4.0 (my desktop PC, actually) and it worked fine. But when I tried to set it up on a hosting server, that's what I got. It would appear that the domain isn't being resolved or some similar issue. I need auto-logon or Snitz is a total wash.
I'm thinking that something is set up different on the hosting servers than on my desktop PC. Any thoughts on what switch or option I can change to get this to work?
Thanks, rburriel
|
|
BasQue
Starting Member
Netherlands
21 Posts |
Posted - 26 November 2001 : 16:56:35
|
Hi R,
I had the same problem....
Make sure you enabled NT challenge (--> checked the Integrated Windows Authentication box) and put in a valid account (an account that has the appropriate rights to use ADSI on the domain, such as administrator) in the anonymous boxes (or REMOVE the anonymous access....)
Good luck
 |
 |
|
rburriel
Starting Member
2 Posts |
Posted - 27 November 2001 : 09:38:53
|
Hi BasQue,
Thank you for your swift response. I don't think that's the problem because I already had NT Challenge/Response set in the IIS security settings and did not have Anonymous Access turned on, but at least it helps me narrow down the problem. I'll keep checking the security settings and comparing them to those on the other server where Snitz does work.
Thank you, rburriel
|
 |
|
earlclaus
Starting Member
30 Posts |
Posted - 11 January 2002 : 12:26:38
|
How to use NT Authentication with an existing corporate NT domain
LDAP Authentication in Snitz 2000 v 3.3
NT Authentication is via LDAP and should use this path to retrieve a user object:
WinNT://YourAuthenticatingNTDomainName/UsernameToValidate
Snitz 2000 does not use this nomenclature; instead, it uses this path:
WinNT://UsernameToValidate
So, the webserver doesn't know on which NT Domain you want to validate the username.
Resulting Errors
At one time, I did get this error:
error '80070035' The network path was not found.
It is my opinion that the "path" in question is the LDAP path to the user as mentioned above.
Because my domain name was wrong after some work I did, I got this error in my web browser when trying to look at the forums:
Microsoft VBScript runtime error '800a01b6'
Object doesn't support this property or method: 'strNTUserInfo.Groups'
/3/inc_functions.asp, line 1265
ADSI Software Installation
Windows 2000 has ADSI/LDAP installed by default. There is nothing else that you should need to install. NT 4.0 requires you to install ADSI. Download it here: http://www.microsoft.com/NTWorkstation/downloads/Other/ADSI25.asp
Reboot. It is possible that your database drivers are blown up now. This has happened to me several times in the last 3 years. Immediately reinstall the latest version of MDAC (Microsoft Database Drivers). Reboot.
Get the latest version of MDAC here: http://www.microsoft.com/data/download.htm
Permissions & Security
OK, now this must be carefully considered by you, your network administrator, and your CIO. It's based on how well you feel about the inherent security issues involved. If you want to use a different domain other than the webserver's domain, I believe that the webserver must join the authenticating domain. Generally, this is considered a bad idea for a webserver on the perimeter of your network with the outside world. Batten down the hatches, and make your security as tight as possible. Make sure you check the logs often for when someone cracks into your server.
Then in Windows Explorer, apply the appropriate READ permissions for users from the authenticating domain that holds the user accounts you want to have access the forums. I suggest that you have some kind of INTRANETUSERS or CUSTOMEREXTRANET user group, then just allow those groups access to the forum's website files.
Hack for Authentication on a Domain other than the Webserver
So, how do we fix this?
Manually hack in the NT Domain name into inc_functions.asp. Find all occurrences of "WinNT://" in inc_functions.asp. There should be 2 of them in Snitz v. 3.3.
Insert the NT domain name that has the user account for the logged-in users.
'Set strNTUserInfo = GetObject("WinNT://"+strNTUser)
Set strNTUserInfo = GetObject("WinNT://InsertYourDomainNameHere/"+strNTUser)
'Set strNTUserInfo = GetObject("WinNT://"+strNTUser)
Set strNTUserInfo = GetObject("WinNT://InsertYourDomainNameHere/"+strNTUser)
Website Setup in IIS
It does not have to be the same domain that the webpages are being served from. In the IIS Management Console, make sure that you force basic logins using the domain that holds the accounts for your users.
Admin Hack in Snitz 2000 v.3.3
You will have to modify the Snitz table that holds user names and specify your user account as a Snitz Forums admin. If you don't do this, you will lose access to admin functions. By now, you probably already did. If this still doesn't work, try hacking in an LDAP function at the top of all the admin pages that checks to see if the logged-in user is in the right group or the right user to be an administrator.
Proposed Change
It would be a nice addition to allow the authenticating domain to be modifiable in the configuration file, config.asp. Perhaps lines added would be:
Dim strNTAuthDomainName
strNTAuthDomainName = "Insert Your Company's Domain Name Here"
Then in inc_functions.asp, you could have this line to replace the 2 existing strNTUserInfo variable assignments:
Set strNTUserInfo = GetObject("WinNT://"+ strNTAuthDomainName +"/"+ strNTUser)
Snitz Setup
Go into the Admin Section->Feature NT Configuration of Snitz Forums and change Use NT Groups: and Use NT AutoLogon: to On. If you hose it and want to change it back or can't get to the admin screen, edit the forum_config_new table. Look for these variables:
strNTGroups
strAutoLogon
If set to 1, this is like setting them to On. Making them NULL is like setting them Off.
Note: I may be wrong on some of this, but I think this sums up what I had to do. I've been hacking away at Snitz for over a year. So, I think this is accurate enough to get you going fast. Average time for this hack is about 2 hours for the uninitiated. So, go to work and make it happen. If you still can't make it work, I'm available for emergency assistance at $120 per hour service call. santa@earlclaus.com or Yahoo: earlclaus.
Disclaimer: Know what you are doing before you attempt this. Verify the above opinions with other people you know who have the skills and qualifications to do this. You are responsible for your actions. For a fee, I'll fix your problem; however, don't pin your mistakes on me.
Addendum
This modification/hack worked for me on the first try.
Earl Claus, Web Master http://www.InternetRemoteBase.com
Edited by - earlclaus on 11 January 2002 13:46:09 |
 |
|
Kal Corp
Average Member
  
USA
878 Posts |
Posted - 11 January 2002 : 17:46:27
|
I created most of this NT stuff and I didn't even give info like that
Nice work earlclaus!
|
 |
|
earlclaus
Starting Member
30 Posts |
Posted - 12 January 2002 : 01:39:34
|
Thanks, I tell you ... Dave McKenna in Jr. College did his best to teach me accounting, and all I really learned was how to format a document ... Really well.
Earl Claus, Web Master http://www.InternetRemoteBase.com
|
 |
|
Aquamarijn
Starting Member
Netherlands
39 Posts |
Posted - 14 January 2002 : 14:46:35
|
Earl could you help me with this:
I changed as you advised the getobject string so I could use domain authentication. But I've got some strange behaviour. What I did so far:
I use W2K Server with IIS 5.0 & AD installed. Snitz Forums 3.303 with SQL Server 7. I can manage the server myself by using VPN Terminal Services. I've set "Basic Authentication (password sent in clear text)" in IIS by using the default domain which is configured with AD. I made some users and groups with AD Users and Computers. When a user logs on with Administrator rights he/she can log on to the forum from the internet, but when it's a member without administrator rights it can't log on. They get a HTTP 401.1 - Unauthorized: Logon Failed Internet Information Services Error.
When I log on as a normal user with Administrator rights once, after the first time I don't need any Administrator rights. So it's only the first time they log on that they need administrator rights. How come... What am I doing wrong here???
It worked with NTLM instead of Basic but then people from behind a proxy server couldn't log on. So I changed the inc_functions and config.asp as you said. Works great so far for Administrators. Authentication must work from behind a proxy server.
Regards Randy
Edited by - Aquamarijn on 14 January 2002 15:05:20
Edited by - Aquamarijn on 14 January 2002 15:19:33 |
 |
|
earlclaus
Starting Member
30 Posts |
Posted - 14 January 2002 : 23:44:59
|
First, I want to apologize to all here. I am not the moderator of this forum. I've been in and out of these forums for about a year. It just felt right to give back a little to the Snitz Community for the good vibes Snitz brought me in this time. Good product ... Excellent community support ... An all-around good deal.
My comments are in green ...
quote:
> Earl could you help me with this:
> I changed as you advised the getobject string so I could use domain authentication. But I've got some strange behaviour. What I did so far:
> I use W2K Server with IIS 5.0 & AD installed. Snitz Forums 3.303 with SQL Server 7. I can manage the server myself by using VPN Terminal Services.
Keep up with the patches, my friend. I heard there were some nasties out there that target Terminal Services' weaknesses.
> I've set "Basic Authentication (password sent in clear text)" in IIS by using the default domain which is configured with AD. I made some users and groups with AD Users and Computers. When a user logs on with Administrator rights he/she can log on to the forum from the internet, but when it's a member without administrator rights it can't log on. They get a HTTP 401.1 - Unauthorized: Logon Failed Internet Information Services Error.
This is an obvious permissions issue. Check that these users belong to a single group, such as EXTRANETUSERS or something like that. AND, that the user belongs to the USERS or DOMAIN USERS group (or something like that). Then make sure that this group has read permissions to the entire forums directory and files, with Windows Explorer. Go back to each of the admin files and change their permissions to allow only administrator permissions. IIS5 should be good about recognizing your new permissions changes in Win2K.
I had this same error happen today in NT4/IIS4 to a single user. And, I couldn't find the solution. So, I blew away the user's account and created a new one. Magically, it worked. Go figure.
> When I log on as a normal user with Administrator rights once, after the first time I don't need any Administrator rights.
This is a very good symptom that your users lack read permissions to some files in the forum's file directory.
> So it's only the first time they log on that they need administrator rights. How come... What am I doing wrong here???
If your user logs in as an administrator for the first time because you made that user a member of the administrator's group, then obviously that user had full permissions to all the files used by Snitz forums. Then, if you change the user's rights from administrator to regular user or domain user (or something like that) and the user is able to move around, then it sounds like the user didn't have permissions to read one of the files used in the "first-time an authorized user visits the forums" process. Check your permissions on forums files, as mentioned above.
> It worked with NTLM instead of Basic but then people from behind a proxy server couldn't log on. So I changed the inc_functions and config.asp as you said. Works great so far for Administrators. Authentication must work from behind a proxy server.
Hmmm. Don't know nuttin' about Proxy Server. Your input on this would be a welcome addition to the NT Howto. Check the value that's stored in strNTUser. I wonder if the domain name is being passed under varying user-access conditions into strNTUser in inc_functions.asp. I wonder if the Proxy Server is acting as a client to the webserver and passing user login credentials differently than an external user.
> Regards Randy <snip>
Earl Claus, Web Master http://www.InternetRemoteBase.com
|
 |
|
Aquamarijn
Starting Member
Netherlands
39 Posts |
Posted - 15 January 2002 : 14:34:05
|
Earl
Thnx for helping so far.. I did some more research. This is what I found and tried so far:
I made a new user called testuser and a new Global group(tested it also with Local Group) called testgroup. I set for the website docs directory the Global group all NTFS Rights except from Full Control. Still it won't work. But I looked to the event viewer and saw this error message in the system log:
The server was unable to logon the Windows NT account 'testuser' due to the following error: Logon failure: the user has not been granted the requested logon type at this computer. The data is the error code.
There must be a special right so that people can log on to the domain. I can't find which one. (It sounds like they must have rights for MS-CHAP or PAP.... strange really.... I'm not that good with W2K. I'm trying to learn it myself...)
About Terminal Services. I set up a VPN. I can only use Terminal Services when I'm authenticated by the VPN connection (L2TP). The rest is filtered by the firewall... I thought it would be secure enough for the time being.
|
 |
|
earlclaus
Starting Member
30 Posts |
Posted - 15 January 2002 : 19:11:23
|
Wow. You got me on this one. Hmmm. Let me think about this ...
Do you think it might require the user to have local logon priv's? That's scary.
Earl Claus, Web Master http://www.InternetRemoteBase.com
Edited by - earlclaus on 15 January 2002 19:12:57 |
 |
|
Aquamarijn
Starting Member
Netherlands
39 Posts |
Posted - 23 January 2002 : 15:36:09
|
Earl,
I found it. I had to make a group e.g. forumusers and add Log On Locally Domain rights:
Start > Programs > Administrative Tools > Domain Controller Security Policy > Local Policies > User Rights Assignment > Log On Locally
Keep in mind that Domain policies will overrule Local policies.
Regards Randy
|
 |
|
earlclaus
Starting Member
30 Posts |
Posted - 23 January 2002 : 23:46:43
|
Great! Be careful with logon locally. Make sure that you have replaced the EVERYONE has FULL CONTROL default Microsoft permissions crap with permissions that are more restrictive. I've found that giving specific groups permissions to what they need to use helps. Such as giving Administrators and SYSTEM groups Full Control to everything and giving custom user groups Read/execute permissions to specific web site file directories.
If you have added ODBC drivers, make sure your appropriate groups have permission to read those directories or files.
I am very glad that you found a solution!
Earl Claus, Web Master http://www.InternetRemoteBase.com
|
 |
|
cimedaca
Starting Member
0 Posts |
Posted - 07 March 2002 : 12:54:34
|
Thanks for the info on appending the Domain. I thought I would share our solution for a multiple domain system with BASIC authentication. The problem with the solution above on multiple domain systems is there is no way to log in to the board if you are on another domain.
The following added code in red seems to be working well for us. Since Jetsons is our default domain we only append it when a "/" is detected. If a slash is detected the user already entered the domain so don't append one. In this way users on the default domain can login using only username and password. Users on other domains still have to use DOMAIN/username to be authenticated.
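sub NTAuthenticate()
	dim strUser, strNTUser, checkNT
	strNTUser = Request.ServerVariables("AUTH_USER")
	' Normalise DOMAIN\user to DOMAIN/user
	strNTUser = replace(strNTUser, "\", "/")
	' No slash in the login name: prepend the default domain
	if instr(strNTUser,"/") = 0 then
		strNTUser = "Jetsons/" & strNTUser
	end if
	if Session(strCookieURL & "userid") = "" then
		' Keep only the part after the slash as the forum user id
		strUser = Mid(strNTUser,(instr(1,strNTUser,"/")+1),len(strNTUser))
		Session(strCookieURL & "userid") = strUser
	end if
	' (the rest of the sub is not shown in the post)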
Thanks!
|
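An added example (not code from the posts above or from Snitz) that combines the configurable-domain idea and the multi-domain AUTH_USER handling in this thread: it validates the value before building the WinNT:// path handed to GetObject. The constant strNTAllowedDomains, the second domain "Spacely", the allowed-character policy and the ",user" class suffix are assumptions of this example; it runs under cscript.exe and the function can be moved into an ASP include.

```vbscript
Option Explicit

' Assumed settings (hypothetical values, not Snitz configuration keys).
Const strNTAuthDomainName = "Jetsons"          ' default domain
Const strNTAllowedDomains = "Jetsons,Spacely"  ' "Spacely" is a constructed second domain

' Returns a WinNT ADsPath for an AUTH_USER value, or "" if it is rejected.
Function BuildNTUserPath(strAuthUser)
    Dim arrParts, strDomain, strUser, strAllowed, reName
    BuildNTUserPath = ""
    arrParts = Split(Replace(Trim(strAuthUser), "\", "/"), "/")
    Select Case UBound(arrParts)
        Case 0                       ' bare user name: use the default domain
            strDomain = strNTAuthDomainName
            strUser = arrParts(0)
        Case 1                       ' DOMAIN/user or DOMAIN\user
            strDomain = arrParts(0)
            strUser = arrParts(1)
        Case Else                    ' empty value or extra path segments
            Exit Function
    End Select

    ' Assumed policy: letters, digits, dot, underscore, hyphen; 1 to 20 characters.
    Set reName = New RegExp
    reName.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    If Not reName.Test(strUser) Then Exit Function

    ' The domain must be one of the configured domains (case-insensitive).
    For Each strAllowed In Split(strNTAllowedDomains, ",")
        If StrComp(strAllowed, strDomain, vbTextCompare) = 0 Then
            ' ",user" is the WinNT class hint, so only a user object is bound.
            BuildNTUserPath = "WinNT://" & strAllowed & "/" & strUser & ",user"
            Exit Function
        End If
    Next
End Function

' Constructed sample AUTH_USER values; run with: cscript //nologo thisfile.vbs
Dim strSample, strPath
For Each strSample In Array("george", "Spacely\cosmo", "jetsons/judy", _
                            "OTHER\rudi", "Jetsons/a/b", "Jetsons\x,computer")
    strPath = BuildNTUserPath(strSample)
    If strPath = "" Then strPath = "(rejected)"
    WScript.Echo strSample & " -> " & strPath
Next
```

In inc_functions.asp the caller would treat an empty return value as a failed logon instead of passing it to GetObject.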
 |