Reputation: 4577
Authenticating user via active directory groups in classic ASP
We have security set up for an intranet site as follows through active directory.
First we have security groups by department (sales, accounting, etc.)
Second we have an AD security group for the intranet site where people logon via NT challenge/response. For this purpose let's call that group "Intranet Users"
Under Intranet Users, I've added the departments that are allowed to use the intranet.
So in AD you have Intranet Users and the members of the group are Sales and Accounting.
What I need to do in classic ASP is authenticate a user against the groups under Intranet Users.
I dug up some old code I used elsewhere but I can't get it to work and unless my Google-fu of this topic is just terrible (a distinct possibility) I can't find proper documentation of doing this in classic ASP.
This code will get the group but will only enumerate the objects within it if it's a user, not a group.
bAuthUser = False
Set objGroup = GetObject("WinNT://DOMAIN/Intranet Users")
For Each objMember In objGroup.Members
If objMember.Class = "User" Then
If objMember.Name = Request.ServerVariables("AUTH_USER") Then bAuthUser = True
End If
Next
The above code works if there is an actual user in the security group but there are no users in the group, just other security groups.
What I need to do is loop through the groups in "Intranet Users" then through the users in each group to authenticate.
Am I on the right track here or totally off?
Thanks in advance.
Upvotes: 1
Views: 5506
Answers (2)
Reputation: 731
You can look up objects based on their LDAP path, although I haven't done this in ASP before this article looks like a good starting point as is this question.
Upvotes: 1
Reputation: 1626
This depends on the functionality you are looking for.
If the goal is "everyone can access this site, but if they are in Intranet Users, they get this extra functionality" then the path you are on is correct.
If you just want to be able to say "Only Intranet Users can access my site" there's an undocumented feature of IIS you can leverage. If you go into the folder security options, and remove the generic accounts from the ACL and add the Intranet Users group to the ACL, IIS will throw a 403 exception if the user authenticated is not in Intranet Users.
Upvotes: 1
Related Questions
- How to do authentication using active directory group in asp.net?
- Adding User to AD Group in VB.Net (2008)
- Classic ASP Authenticate Against Active Directory
- Querying Active Directory using VBScript
- How to add a Domain Account user into a Local Group?
- Authenticating against Active Directory Group
- How can I find a user's group using AD authentication in aspx?
- Active Directory authentication
- How to find out if a currently logged in user belongs to a specific security group in classic asp
- Active Directory User Group Membership