Playing with NT authentication and AD

First off, I'd like to say that I love this forum software.  To be able to modify it however we need to is a big bonus for us.

I work in a community college, and we have a rule that student numbers cannot be viewed by the public.

This created a bit of a problem for me using NT authentication, since users log in with their student number, but we'd like the author display to use their real name.

What I've done is added some code to functions_windows_authentication.asp that gets the user's real name and email address from Active Directory and inserts that into the Real_name and Author_Email fields.

I plan on going through and replacing all instances of displayed usernames with real_name instead.

The problems I've had so far are:

1)  how do you log in as administrator with NT authentication enabled?  I've changed a test user in the database to admin manually to get around it.

2)  the AUTH_PASSWORD server variable doesn't seem to hold the password.  I can remove passwords from the DB altogether and not have problems, but can't log in to the admin control panel, I get an incorrect password error.

Any ideas how I can get around this?

Thanks!

I have been using admin.asp to log in.  Sometimes I'm able to enter the Administrator username, sometimes it autopopulates the username field with the authenticated username.

When I am able to log in as administrator, I can't change any member profile information, the Administrator and Moderator functions is missing (I think opening a new window causes it to revert back to the logged in user, not administrator).

I'll play around with AUTH_PASSWORD today and let you know the results.  I  may have to pull the password from AD instead, but I don't really like that idea.

Thanks for your quick replies :)

Edit: When I make a windows authenticated user an admin and try to log in to the admin control panel, it changes the user_code field for some reason (from domain/user format to userxxxxx).  Then I get an error because it tries to re-add the domain/user that doesn't exist in the DB and it won't create a duplicate.

From what I've read, AUTH_PASSWORD only has a value if you've enabled Basic Authentication (password is sent in clear text).  I'd rather not go that route, but now that I think of it, having no password is probably best when we get users changing passwords in NT, otherwise I'd have to find some way to update the password in the DB every time they change their password.


Edited by Lonissa - 06 July 2006 at 2:37pm

Hmm, I don't want all my users to be moderators.  I've made some users administrators and moderators by changing the group_id field in tblAuthor.

The problem is, only the default Admin account can get to the admin control panel (but not change member profile settings) and only the users I've set to admins/moderators are able to change member profiles (but not access the admin control panel).

I think what I'll have to do is bypass the admin login for the control panel, and have it simply check if the group_id is 1 to allow them in...

I hate to tell you this, but the Windows Scripting Host network object has nothing to do with active directory.  In fact, we used this in our logon scripts back in an NT 4 environment.

Your code is simply reading the username and computer name from the network object, you can't use that to find out what AD group someone belongs to.

Here is the code I'm using to connect to AD:

Set strConn = Server.CreateObject("ADODB.Connection") strConn.provider ="ADsDSOObject" strConn.Properties("User ID") = "username" strConn.Properties("Password") = "password" strConn.open "Active Directory Provider" strSQL = "SELECT displayname, mail, telephonenumber, title, department FROM 'GC://OU=Staff,OU=People,DC=domain,DC=com' WHERE name ='" & strAuthenticatedUser & "'"