Greg Bowman
Starting Member
USA
30 Posts
Posted - 23 July 2003 : 17:09:50
Hi,
I wanted to share what I know so far about this topic.
We have been using NT authentication for 2 years at our company. Everything worked fine. We particularly use the NT groups to restrict certain forums.
We just began consolidating all our various domains onto a single domain using the new 2003 Server Active Directory domain controller. And that's when we found that all members of this new domain could no longer access the forums.
The error we get (only for this domain):
quote:
Technical Information (for support personnel)
Error Type: (0x80004005) Unspecified error /inc_functions.asp, line 1399
Browser Type: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Page: GET /Default.asp
Time: Wednesday, July 23, 2003, 1:48:11 PM
More information: Microsoft Support
We got a lot of information from this KB article on Microsoft.com: http://support.microsoft.com/default.aspx?scid=kb;en-us;278836
Clearly the new Active Directory does not support NT Challenge in conjunction with GetObject. The only way to fix this is to Switch off NT Challenge in the IIS Directory Security tab and use Basic Authentication (password sent in cleartext). And also set the anonymous read registry setting - which you need to do anyway.
When we configured for clear text we got no more errors for the new domain based on the new 2003 Active Directory server. The downside is now all users must enter their Domain\username and password. Even if the browser is set to trust the Forum website. The password challenge is due to the new clear text authentication that we are forced to use in IIS.
We are looking at 2 options: 1. Put an additional domain controller on the forum IIS server. This will mean we can use NT challenge because we don't need to make 2 hops (see the microsoft article to explain this).
2. We figure out some other way to get the Domain controller to send us the information we need.
(3. We live with having to type in our passwords all the time - not nice).
That is where we are so far. If anyone else has any experiences to share then please post them...
thx, Greg
Edited by - Greg Bowman on 23 July 2003 17:15:13
Nikkol
Forum Moderator
USA
6907 Posts
Posted - 23 July 2003 : 17:21:51
#2. You could try using LDAP rather than WinNT. Not sure if it would make a difference.
I'll try to test this later with Snitz. For any app I use that requires authentication, I usually force the username/password entry anyhow, for security reasons.
Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~
Nikkol
Forum Moderator
USA
6907 Posts
Posted - 23 July 2003 : 19:37:08
Also, what if you pass valid credentials to the domain controller when grabbing that info using the OpenDSObject method? That certainly should solve the problem. The KB article doesn't mention using that, but I would think it would work.
Greg Bowman
Starting Member
USA
30 Posts
Posted - 23 July 2003 : 21:32:48
Sounds interesting. You mean passing credentials in the script that makes the GetObject WINNT call?
If you have some clues how to do this I'd be grateful - otherwise I'll figure it out - if it can be done.
many thanks, Greg
Nikkol
Forum Moderator
USA
6907 Posts
Posted - 23 July 2003 : 21:46:09
Off the top of my head though, it is something like
Set ds = GetObject("WinNT")
Set myGroup = ds.OpenDSObject("WinNT://DOMAIN/GROUPNAME,group", "USERNAME", "PASSWORD", 0)
fill in the stuff in all caps. The username could be any domain username that has the rights to look up group members, which should be any valid domain member. You could make a special domain user account to use for this so that you don't have to use an administrator username or any other user name where you would be risking the security of that account.
Greg Bowman
Starting Member
USA
30 Posts
Posted - 23 July 2003 : 22:45:01
Thanks.
Getting syntax errors. I'll try to fiddle around and get the exact syntax.
Greg Bowman
Starting Member
USA
30 Posts
Posted - 25 July 2003 : 15:36:49
quote: Originally posted by Nikkol
you might try a colon on the end of WinNT in the first line
Nikkol, thanks for the info. I figured out the syntax but it did not help. The new Active Directory service on Server 2003 will not pass any information when IIS is set to NT Challenge. The only way to make this work is to set IIS to Clear Text. When you do this, leave the domain blank. Users must type in their <domain>/<username> and <password>. Although typing in the domain is not necessary for access, the calls to Active Directory will fail without it.
In the spirit of sharing what I learned about getting information from domain controllers, I enclose some of my tests. With Clear Text set on IIS they all work fine. (You can use NT Challenge with the old WINNT domain controllers.) Also, these scripts can be run as VB Scripts from the desktop if you like.
1. This is what is currently in inc_functions. It gets the username from the server (AUTH_USER) and sends it to the domain controller to return the full username. No changes here.
<%
' IIS supplies the authenticated user as DOMAIN\username; ADSI wants forward slashes
strNTUser = Request.ServerVariables("AUTH_USER")
strNTUser = Replace(strNTUser, "\", "/")
' Bind to the user object under the browsing user's own (impersonated) credentials
Set objcomputer = GetObject("WinNT://" & strNTUser)
Response.Write objcomputer.FullName
%>
2. Nikkol's suggestion. Log on to the domain server using a defined user logon, instead of the credentials of whoever is browsing the web. Useful if you want to restrict reads on the domain controller to just one user ID.
<%
' ADSI flag ADS_SECURE_AUTHENTICATION has the value 1; VBScript does not import the
' ADSI type library, so define it here rather than relying on an undeclared name
Const ADS_SECURE_AUTHENTICATION = 1
Set dso = GetObject("WinNT:")
' Bind with a fixed lookup account instead of the browsing user's token
Set domain = dso.OpenDSObject("WinNT://my_domain/my_username", "my_username", "my_password", ADS_SECURE_AUTHENTICATION)
Response.Write domain.FullName
%>
3. Reading the fullname from the LDAP container instead of WINNT. You can get a lot more information using LDAP but you need to know the schema. To learn the schema is easy, load "ADSI edit" ("adsiedit.msc")from SUPPORT TOOLS on the Server 2003 disk . This useful tool will show you the schema and what objects are available for each user (i.e. phone/fax etc, and will show you what IT has decided to populate).
<%
' Bind straight to the user object by its distinguished name; the OU path must
' match your own directory layout (adsiedit.msc shows it)
Set objcomputer = GetObject("LDAP://CN=my_username,OU=New Jersey,OU=All Users,DC=my_domain,DC=COM")
Response.Write objcomputer.displayName
%>
The syntax for all 3 examples has been tested. Just fill in your own information. I hope this helps someone.
Greg
Edited by - Greg Bowman on 25 July 2003 15:51:32
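Added example (not code from this thread or from Snitz): the lookup Nikkol suggested and Greg tested as option 2, written as a Windows PowerShell script against System.DirectoryServices rather than ADSI GetObject. It binds with a dedicated read-only service account, asks explicitly for a Secure (Kerberos/NTLM) bind so the service password is not sent in cleartext, escapes the account name before placing it in the LDAP filter, and returns the display name plus the direct group names so forum restrictions can be compared as whole names. Because the bind carries its own credentials, it does not depend on the browsing user's NTLM token reaching the domain controller; Greg reports above that ADSI OpenDSObject still failed for him under NT Challenge, so check the behaviour in your own environment. The domain, service account, user and group names below are placeholders.

```powershell
# Added example, not code from the thread or from Snitz: look up a forum user's
# display name and direct group membership in Active Directory from a web server
# that only holds the user's NTLM token, by binding with a dedicated,
# low-privilege service account instead of delegating the browser's credentials.
# Hypothetical names: domain my_domain.com, account MY_DOMAIN\svc_forum_lookup,
# IIS AUTH_USER value MY_DOMAIN\jdoe, group "Forum Admins".
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP search filter (RFC 4515) so that
    # characters such as * ( ) \ in an account name cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value -replace '\\', '\5c'          # backslash first, then the rest
    $v = $v -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $v -replace "`0", '\00'
}

function Get-ForumUserInfo {
    param(
        [Parameter(Mandatory)][string]$AuthUser,               # Request.ServerVariables("AUTH_USER"), e.g. MY_DOMAIN\jdoe
        [Parameter(Mandatory)][string]$SearchBase,             # e.g. LDAP://DC=my_domain,DC=com
        [Parameter(Mandatory)][pscredential]$ServiceCredential # the read-only lookup account
    )
    # AUTH_USER arrives as DOMAIN\username; keep only the account name.
    $sam = $AuthUser.Split('\')[-1]

    # Secure = authenticate the service account with Kerberos/NTLM rather than a
    # simple bind that sends its password in cleartext; Sealing encrypts the traffic.
    $authTypes = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                 [System.DirectoryServices.AuthenticationTypes]::Sealing
    $plainPwd = $ServiceCredential.GetNetworkCredential().Password
    $root = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
        -ArgumentList $SearchBase, $ServiceCredential.UserName, $plainPwd, $authTypes

    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $sam)
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'memberOf'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No account named '$sam' under $SearchBase" }

    # memberOf lists the DNs of the user's direct groups (nested groups are not
    # expanded); reduce each DN to its CN so callers compare whole group names.
    $groups = @($result.Properties['memberOf'] | ForEach-Object {
        if ($_ -match '^CN=([^,]+)') { $Matches[1] }
    })
    # Fall back to the account name when displayName is not populated, as the forum does.
    $display = $result.Properties['displayName']
    $displayName = if ($display.Count -gt 0) { [string]$display[0] } else { $sam }

    [pscustomobject]@{
        Username    = $sam
        DisplayName = $displayName
        Groups      = $groups
    }
}

# Usage: prompt for the service account password rather than storing it in the script.
$cred = Get-Credential -UserName 'MY_DOMAIN\svc_forum_lookup' -Message 'Forum lookup account'
$info = Get-ForumUserInfo -AuthUser 'MY_DOMAIN\jdoe' -SearchBase 'LDAP://DC=my_domain,DC=com' -ServiceCredential $cred
if ($info.Groups -contains 'Forum Admins') {
    "$($info.DisplayName) ($($info.Username)) may see the restricted forum"
}
```

The service account only needs the default read access every authenticated domain user has, so it should not be a member of any administrative group; if the forum also needs nested group membership, read the tokenGroups attribute of the user entry instead of memberOf.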
Nikkol
Forum Moderator
USA
6907 Posts
Posted - 25 July 2003 : 17:11:15
But the point is you can't use Windows Integrated Authentication? Kinda sucks. You might look at getting an SSL certificate if you are going to keep it with Basic Authentication.
Greg Bowman
Starting Member
USA
30 Posts
Posted - 29 July 2003 : 12:44:25
This is true. You can no longer authenticate with Active directory with Server 2003 unless you switch from NT challenge to Basic Clear text. And as you say, you should probably use SSL when sending clear text. And don't forget to set the registry setting in Server 2003 that permits Anonymous reads on the Active Directory schema. (article on Microsoft.com: http://support.microsoft.com/default.aspx?scid=kb;en-us;278836)
Fortunately, we only use this exclusively within the firewall and there is nothing too critical in the forum, so I won't bother with SSL. But you are right, it's a potential security risk now.
After all this, I got annoyed with having to type in the domain/username and password every time to log on. So I disabled all the WINNT calls in the forum. I still use Autologon but just use the "username" which is given to me by IIS as the full name. I don't get any NT group information (so no secret forums based on NT groups). So I have almost everything I want.
Advantage: Autologon (nobody has to log on), no prompts, no calls to any domain servers (faster access - no slow WINNT or LDAP calls).
Disadvantage: Can't see the nice full name on posts (just see username), can't use NT groups.
Here is the whole function from inc_functions.asp
sub NTAuthenticate()
    dim strUser, strNTUser, checkNT
    ' IIS supplies the authenticated user as DOMAIN\username
    strNTUser = Request.ServerVariables("AUTH_USER")
    strNTUser = replace(strNTUser, "\", "/")
    ' Strip the domain prefix on every call, so the autologon branch below always has it
    strUser = Mid(strNTUser, instr(1, strNTUser, "/") + 1, len(strNTUser))
    if Session(strCookieURL & "userid") = "" then
        Session(strCookieURL & "userid") = strUser
    end if
    if strNTGroups = "1" then
        strNTGroupsSTR = Session(strCookieURL & "strNTGroupsSTR")
        if Session(strCookieURL & "strNTGroupsSTR") = "" then
            ' ADSI group lookup under the browsing user's credentials (the call that
            ' fails with NT Challenge against the Server 2003 domain)
            Set strNTUserInfo = GetObject("WinNT://" & strNTUser)
            For Each strNTUserInfoGroup in strNTUserInfo.Groups
                strNTGroupsSTR = strNTGroupsSTR & ", " & strNTUserInfoGroup.name
            Next
            Session(strCookieURL & "strNTGroupsSTR") = strNTGroupsSTR
        end if
    end if
    if strAutoLogon = "1" then
        strNTUserFullName = Session(strCookieURL & "strNTUserFullName")
        if Session(strCookieURL & "strNTUserFullName") = "" then
            ''' Don't do domain server calls to get the full name anymore - just use the username
            ''' Set strNTUserInfo = GetObject("WinNT://" & strNTUser)
            ''' strNTUserFullName = strNTUserInfo.FullName
            ''' Make the Full name = username (got from IIS variable at start of function)
            strNTUserFullName = strUser
            Session(strCookieURL & "strNTUserFullName") = strNTUserFullName
        end if
    end if
end sub
FYI - here are my NT settings:
Use NT Groups: Off
Use NT AutoLogon: On
Greg.
Edited by - Greg Bowman on 29 July 2003 13:14:36
Kal Corp
Average Member
USA
878 Posts
Posted - 23 August 2003 : 09:57:06
Been a long time since I created the NT groups code.
I believe I am in the same boat when it comes to some of these issues. I am starting to see users not be able to connect to my forums. I will be looking at this also.
I will post anything that I find.
I think I got LDAP working getting the information from Exchange; maybe I will try that first.
Thanks Greg!
{VAS}-Kal Corp VAS Development NetWork - Forums for old Snitz Mods! Creator of all things {VAS}
Edited by - Kal Corp on 23 August 2003 10:04:33