Web Wiz Support and Community Forums : Playing with NT authentication and AD

Playing with NT authentication and AD : Just tried out that change, and...

Fri, 27 Oct 2006 18:08:00 +0000

Author: synistyr
Subject: 20557
Posted: 27 October 2006 at 6:08pm

Just tried out that change, and it seems to be working great!

Many thanks!

Playing with NT authentication and AD : Lonissa in the first post had...

Tue, 19 Sep 2006 17:10:11 +0000

Author: Jono
Subject: 20557
Posted: 19 September 2006 at 5:10pm

Lonissa in the first post had a requirement for not displaying the Student�s number (which was their logon ID [SAMaccountName]). The following code modified from version 8.04 should utilise the �FullName� attribute from the WinNT provider. It works on my test network, which isn�t particularly hardened. Watch out for line wrap!

I�ve also got some idea�s on utilising Active Directory to populate other information such as email address and then running a script to ensure that information in the two databases are synchronised (i.e. people deleted from AD can be disabled/removed from the Forum and will sync name changes/email addresses, etc.) � this would require an account on AD as IIS6 (Win2003) is more secure than 5.1 (win2000).

Issue: When Active Directory integration is enabled, the user�s SAMaccountName is displayed� this makes it difficult to identify the user.

Solution: This can be changed by modifying the code in �functions_windows_authentication.asp� starting at line 137 from:

'Use the last part of the windows authentication (bit without domain) as the forum username

If InStrRev(strAuthenticatedUser, "\") = 0 Then

strUserName = strAuthenticatedUser

Else

strUserName = Mid(strAuthenticatedUser, InStrRev(strAuthenticatedUser, "\")+1, Len(strAuthenticatedUser))

End If

To:

'* This change utilises the WINNT provider to obtain the user's "FullName" rather than SAMaccountName

'* NOTE: Variable declarations are within the modified to contain all changes

'Set error trapping

On Error Resume Next

'Declare the object to hold user information

Dim objUser

'Bind to the object - we need to swap \ with / for binding

Set objUser = GetObject("WinNT://" & replace(strAuthenticatedUser,"\","/"))

'If an error has occured while binding, use SAMaccountName

If Err.Number <> 0 Then

'Use the last part of the windows authentication (bit without domain) as the forum username

If InStrRev(strAuthenticatedUser, "\") = 0 Then

strUserName = strAuthenticatedUser

Else

strUserName = Mid(strAuthenticatedUser, InStrRev(strAuthenticatedUser, "\")+1, Len(strAuthenticatedUser))

dpyers
Subject: 20557
Posted: 11 July 2006 at 6:07pm

looks like the code got trimmed.
this should have been on the bottom og f it

Select Case VarType(CurrentUser.MemberOf)
    Case 8
strGroups = LCase(CurrentUser.MemberOf)
    Case 8204
        strGroups = LCase(Join(CurrentUser.MemberOf))
End Select

Response.Write strGroups

Playing with NT authentication and AD : I hate to tell you this, but the...

Tue, 11 Jul 2006 14:05:16 +0000

Author: Lonissa
Subject: 20557
Posted: 11 July 2006 at 2:05pm

I hate to tell you this, but the Windows Scripting Host network object has nothing to do with active directory. In fact, we used this in our logon scripts back in an NT 4 environment.

Your code is simply reading the username and computer name from the network object, you can't use that to find out what AD group someone belongs to.

Here is the code I'm using to connect to AD:

Set strConn = Server.CreateObject("ADODB.Connection")
strConn.provider ="ADsDSOObject"
strConn.Properties("User ID") = "username"
strConn.Properties("Password") = "password"
strConn.open "Active Directory Provider"

strSQL = "SELECT displayname, mail, telephonenumber, title, department FROM 'GC://OU=Staff,OU=People,DC=domain,DC=com' WHERE name ='" & strAuthenticatedUser & "'"

Playing with NT authentication and AD : I ran across this code today...

Tue, 11 Jul 2006 03:41:20 +0000

Author: dpyers
Subject: 20557
Posted: 11 July 2006 at 3:41am

I ran across this code today for determining what AD groups someone belongs to


Dim COURTHOUSE, WshNetwork, existingDrives, ADSysInfo, CurrentUser, 
UserName, ComputerName
Dim strGroups, oGroup,x

Set WshNetwork = CreateObject("WScript.Network")

Set existingDrives = WshNetwork.EnumNetworkDrives

Set ADSysInfo = CreateObject("ADSystemInfo")
Response.Write ADSysInfo.UserName & "

"
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)    

UserName = LCase(wshNetwork.UserName)

ComputerName = LCase(WshNetwork.ComputerName)

Response.Write UserName & " " & ComputerName

Edited by dpyers - 11 July 2006 at 3:42am

Playing with NT authentication and AD : Hmm, I don't want all my...

Thu, 06 Jul 2006 15:45:36 +0000

Author: Lonissa
Subject: 20557
Posted: 06 July 2006 at 3:45pm

Hmm, I don't want all my users to be moderators. I've made some users administrators and moderators by changing the group_id field in tblAuthor.

The problem is, only the default Admin account can get to the admin control panel (but not change member profile settings) and only the users I've set to admins/moderators are able to change member profiles (but not access the admin control panel).

I think what I'll have to do is bypass the admin login for the control panel, and have it simply check if the group_id is 1 to allow them in...

Playing with NT authentication and AD : Lonissa, I'm having the same...

Thu, 06 Jul 2006 14:56:24 +0000

Author: kastigeer
Subject: 20557
Posted: 06 July 2006 at 2:56pm

Lonissa, I'm having the same issue as you and am also keen to get this working - I've managed to get AD users in the moderators group (by making this the default selected group) and this should do most of what we want...

There appear to be two issues at the moment - the reverting to the AD autologon user when trying to use admin functions (as you have already mentioned) as well as the system appears to not recognise the group that an AD user is in when the logon (at least I suspect...) - even though I can logon with an AD user who is in the moderators group (it shows this in the Members admin area) they don't have moderators permissions (checking the blnModerator field and it shows as false)

I hope we can get something working here as this is the best looking forum I have found (and I've done a lot of looking!) and would like to support the development.

Barry

Playing with NT authentication and AD : I have been using admin.asp...

Thu, 06 Jul 2006 12:42:48 +0000

Author: Lonissa
Subject: 20557
Posted: 06 July 2006 at 12:42pm

I have been using admin.asp to log in. Sometimes I'm able to enter the Administrator username, sometimes it autopopulates the username field with the authenticated username.

When I am able to log in as administrator, I can't change any member profile information, the Administrator and Moderator functions is missing (I think opening a new window causes it to revert back to the logged in user, not administrator).

I'll play around with AUTH_PASSWORD today and let you know the results. I may have to pull the password from AD instead, but I don't really like that idea.

Thanks for your quick replies :)

Edit: When I make a windows authenticated user an admin and try to log in to the admin control panel, it changes the user_code field for some reason (from domain/user format to userxxxxx). Then I get an error because it tries to re-add the domain/user that doesn't exist in the DB and it won't create a duplicate.

From what I've read, AUTH_PASSWORD only has a value if you've enabled Basic Authentication (password is sent in clear text). I'd rather not go that route, but now that I think of it, having no password is probably best when we get users changing passwords in NT, otherwise I'd have to find some way to update the password in the DB every time they change their password.

Edited by Lonissa - 06 July 2006 at 2:37pm

Playing with NT authentication and AD : 1. To login as the forum admin...

Thu, 06 Jul 2006 09:43:06 +0000

Author: WebWiz-Bruce
Subject: 20557
Posted: 06 July 2006 at 9:43am

1. To login as the forum admin navigate directly to the file admin.asp, the login as the forum administrator

2. AUTH_PASSWORD should get the password, if not it maybe that your AD system is setup slightly different and you may need to find an alternative way to get the password.

Playing with NT authentication and AD : First off, I'd like to say...

Wed, 05 Jul 2006 20:48:42 +0000

Author: Lonissa
Subject: 20557
Posted: 05 July 2006 at 8:48pm

First off, I'd like to say that I love this forum software. To be able to modify it however we need to is a big bonus for us.

I work in a community college, and we have a rule that student numbers cannot be viewed by the public.

This created a bit of a problem for me using NT authentication, since users log in with their student number, but we'd like the author display to use their real name.

What I've done is added some code to functions_windows_authentication.asp that gets the user's real name and email address from Active Directory and inserts that into the Real_name and Author_Email fields.

I plan on going through and replacing all instances of displayed usernames with real_name instead.

The problems I've had so far are:

1) how do you log in as administrator with NT authentication enabled? I've changed a test user in the database to admin manually to get around it.

2) the AUTH_PASSWORD server variable doesn't seem to hold the password. I can remove passwords from the DB altogether and not have problems, but can't log in to the admin control panel, I get an incorrect password error.

Any ideas how I can get around this?

Thanks!