Double Hop Issue? Tough problem...(For me)

Discussion in 'ASP General' started by Anthony, Aug 18, 2004.

  1. Anthony

    Anthony Guest

    I am trying to get a user's DN by translating the LOGON_USER NT4-format
    variable. I am ONLY using Windows authentication for security settings.
    This is a Windows 2000 IIS 5 server. Here is the .asp that I've stripped
    down; feel free to paste the code for your own testing. It works:

    ----------------- begin paste-- -----------
    <%
    Option Explicit
    Dim logonuser, sUserDN

    ' LOGON_USER arrives as DOMAIN\LANID (NT4 format) when Windows authentication is on
    logonuser = Request.ServerVariables("LOGON_USER")

    ' sUserDN will be in the form CN=JOEUSER,CN=Users,DC=DOMAIN,DC=MYCORP,DC=COM
    sUserDN = getDN(logonuser)
    ' HTML-encode before writing so a DN containing markup characters is rendered, not interpreted
    Response.Write Server.HTMLEncode(sUserDN)

    ' getDN translates a DOMAIN\LANID (NT4) name into an RFC 1779 distinguished name
    ' using the ADSI NameTranslate object against a named domain controller.
    Public Function getDN(NT4Name)
        Dim sDC, nto, sDN

        sDC = "DC01"

        Const ADS_NAME_INITTYPE_DOMAIN = 1
        Const ADS_NAME_INITTYPE_SERVER = 2
        Const ADS_NAME_INITTYPE_GC = 3

        Const ADS_NAME_TYPE_1779 = 1
        Const ADS_NAME_TYPE_NT4 = 3

        Set nto = CreateObject("NameTranslate")
        ' InitEx binds with explicit credentials instead of the caller's impersonated token:
        'nto.InitEx ADS_NAME_INITTYPE_SERVER, sDC, sAdmin, sDomain, sAdmPwd
        ' Init binds with the current security context (the impersonated web user)
        nto.Init ADS_NAME_INITTYPE_SERVER, sDC
        nto.Set ADS_NAME_TYPE_NT4, NT4Name
        sDN = nto.Get(ADS_NAME_TYPE_1779)

        getDN = sDN
    End Function
    %>

    -------------- end paste -----

    The error I am getting is the following.. :

    error '80090332'
    The security context could not be established due to a failure in the
    requested quality of service (e.g. mutual authentication or delegation).

    -----------

    If I am on a Windows 2000 domain member or higher this works fine (I
    understand it works when Kerberos authentication is OK). I have trusted the
    IIS server for Kerberos delegation, so it's working fine provided
    Kerberos authentication is good.

    The problem is, IF the authentication drops down to NTLM (when using NT4 or a
    non-domain-member client, VPN'ed in, etc.), this is when it dumps
    the above error. Is there any way around this?

    So, is there any way to get a user's DN another way? I know my problem is that the
    local IUSR_Machinename account doesn't have access to the LDAP directory,
    so I was hoping to pass credentials through to the DC.

    Are there other ways to accomplish this task? Once the DN is known I need
    to check their group memberships to determine if they have access to a
    particular function within an .asp, so I'd have to connect to the LDAP
    provider multiple times, not just this once.

    Lastly, if there is no way to make this work with the above code
    snip, can I at least trap that error to display "Kerberos not working"
    instead of that ugly mess for users? I can't seem to trap that error.

    Any help would be much appreciated.. Thank you
    Anthony, Aug 18, 2004
    #1
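Editor's note, with an added example that is not part of Anthony's post. The behaviour described above is the classic double hop: with Kerberos and the IIS server trusted for delegation, the caller's ticket is forwarded to the DC on the LDAP bind; with NTLM the impersonated token IIS holds is a network logon that cannot be forwarded, so the second hop fails with 0x80090332 (SEC_E_QOP_NOT_SUPPORTED). On Windows 2000 the practical fix is what the commented-out InitEx line hints at: stop depending on delegation and bind with a dedicated, read-only service account, then look the caller up by sAMAccountName from LOGON_USER and read distinguishedName and memberOf in one query. The error itself is only trappable in VBScript if On Error Resume Next is active in the same procedure as the failing COM call, which the example also shows. Constrained delegation with protocol transition, which removes the dependency on the client's authentication protocol, only arrived with Windows Server 2003 domains. The server name, base DN, service account, Application variable and group DN below are assumptions for illustration, not values from the thread.

```vbscript
<%
Option Explicit
' Added example: look up the caller's DN and groups with a read-only service
' account instead of delegating the caller's own (non-forwardable NTLM) token.
' Server, base DN, account, password source and group DN are assumptions.

Const SEC_E_QOP_NOT_SUPPORTED = &H80090332   ' the 80090332 error from the post

Dim sLdapServer, sBaseDN, sSvcUser, sSvcPwd
sLdapServer = "DC01"
sBaseDN     = "DC=DOMAIN,DC=MYCORP,DC=COM"
sSvcUser    = "DOMAIN\svc_ldapread"           ' assumed: least-privilege read-only account
sSvcPwd     = Application("LdapReadPwd")     ' assumed: set in global.asa, never hard-coded in the page

' Escape a value for use inside an LDAP search filter (RFC 4515 rules).
Function LdapFilterEscape(sValue)
    Dim i, c, sOut
    For i = 1 To Len(sValue)
        c = Mid(sValue, i, 1)
        Select Case c
            Case "\"    : sOut = sOut & "\5c"
            Case "*"    : sOut = sOut & "\2a"
            Case "("    : sOut = sOut & "\28"
            Case ")"    : sOut = sOut & "\29"
            Case Chr(0) : sOut = sOut & "\00"
            Case Else   : sOut = sOut & c
        End Select
    Next
    LdapFilterEscape = sOut
End Function

' Resolve DOMAIN\sam to its distinguishedName and fill aGroups with the DNs in
' memberOf. Returns "" on failure and puts a user-safe message in sErr.
Function LookupUser(sNT4Name, ByRef aGroups, ByRef sErr)
    Dim conn, rs, sSam, sFilter, sQuery
    LookupUser = "" : sErr = "" : aGroups = Array()

    ' LOGON_USER is DOMAIN\sam; keep the account part (single-domain assumption).
    sSam = sNT4Name
    If InStr(sSam, "\") > 0 Then sSam = Mid(sSam, InStr(sSam, "\") + 1)

    sFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
              LdapFilterEscape(sSam) & "))"
    sQuery = "<LDAP://" & sLdapServer & "/" & sBaseDN & ">;" & sFilter & _
             ";distinguishedName,memberOf;subtree"

    On Error Resume Next                      ' must be in this procedure to catch the COM error
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Properties("User ID") = sSvcUser     ' explicit bind: no delegation of the caller needed
    conn.Properties("Password") = sSvcPwd
    conn.Properties("Encrypt Password") = True
    conn.Open "Active Directory Provider"
    Set rs = conn.Execute(sQuery)
    If Err.Number <> 0 Then
        If Err.Number = SEC_E_QOP_NOT_SUPPORTED Then
            sErr = "Kerberos delegation not available for this session"
        Else
            sErr = "Directory lookup failed (0x" & Hex(Err.Number) & ")"
        End If
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    If rs.EOF Then
        sErr = "Account not found: " & sSam
    Else
        LookupUser = rs.Fields("distinguishedName").Value
        If Not IsNull(rs.Fields("memberOf").Value) Then
            aGroups = rs.Fields("memberOf").Value   ' variant array of group DNs
        End If
    End If
    rs.Close : conn.Close
End Function

' Direct membership test by group DN (memberOf does not expand nested groups).
Function IsMemberOf(aGroups, sGroupDN)
    Dim g
    IsMemberOf = False
    For Each g In aGroups
        If LCase(g) = LCase(sGroupDN) Then IsMemberOf = True
    Next
End Function

Dim sUserDN, aGroups, sErr
sUserDN = LookupUser(Request.ServerVariables("LOGON_USER"), aGroups, sErr)
If sUserDN = "" Then
    Response.Write Server.HTMLEncode(sErr)
ElseIf IsMemberOf(aGroups, "CN=App Admins,OU=Groups," & sBaseDN) Then
    Response.Write "Admin functions enabled for " & Server.HTMLEncode(sUserDN)
Else
    Response.Write "Read-only access for " & Server.HTMLEncode(sUserDN)
End If
%>
```

Two points a practitioner should keep in mind with this pattern. The service account's password now lives on the web server, so give that account nothing beyond read access to the user and group objects it needs, and keep the secret out of the page and out of the web root. Because the lookup is keyed on the authenticated LOGON_USER rather than on anything the browser supplies, the filter escaping is defence in depth rather than the control; the authorization decision still depends entirely on IIS having rejected anonymous access for the page.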

  2. Anthony

    Anthony Guest

    Is there another group I should post this in?

    thanks..

    Anthony, Aug 18, 2004
    #2

  3. Anthony

    Guest

    Hi Anthony,
    did you get your problem solved? I am having the same problem. Thanks.

    , Sep 13, 2004
    #3
