5

I have a Classic ASP website (sorry!). Some parts of it need to be NT authentication enabled.

I would ideally like to present the user with a nice login form (rather than a browser prompt) which I then authenticate against AD and then do the usual "log in if success, show error if failure"

Is this even possible? I've tried the following on a local computer but not sure how to properly test for success or if it even expands to searching against AD

<html>
<head>
</head>
<body>
    <form action="test.asp" method="post">
        Username:
        <input type="text" name="strUserName"><br>
        Password:
        <input type="password" name="strPassword"><br>
        <input type="submit" name="btnSubmit">
    </form>
    <%
    If Request.Form("strUsername") <> "" Then
        Dim strADsPath
        strADsPath = "WinNT://ARIA"
        strUserName = Request.Form("strUserName")
        strPassword = Request.Form("strPassword")

        'Set adObject = GetObject("WinNT:")
        'Set userObject = adObject.OpenDSObject("WinNT://" & domainName, userName, password, ADS_SECURE_AUTHENTICATION)


        if (not strADsPath= "") then
            Dim oADsObject
            Set oADsObject = GetObject(strADsPath)

            response.write "Authenticating...<br><br>"

            Dim strADsNamespace
            Dim oADsNamespace

            strADsNamespace = left(strADsPath, instr(strADsPath, ":"))
            set oADsNamespace = GetObject(strADsNamespace)

            Set oADsObject = oADsNamespace.OpenDSObject(strADsPath, strUserName,strPassword, 0)

            if not (Err.number = 0) then
                Response.Write "<font color='red'><font size = 5><u><b>Authentication has failed...<b></u></font></font>"
                Session("Auth") = "NO"
            else
                Response.Write "<font color='blue'>USER AUTHENTICATED!</font><br>"
                Session("Auth") = "YES"
            end if
        end if
    End If
    %>
</body>
</html>

So once authenticated, is it possible to grab other stuff such as email and groups?

I've tried following Classic ASP (VBScript), 2008 R2, error using AD to authenticate and tried authenticating against my local machine but it ALWAYS authenticates no matter what I put in. Is it the fact I'm using a local machine mean it just won't work?

Community
  • 1
  • 1
pee2pee
  • 3,619
  • 7
  • 52
  • 133
  • You will need to have `Anonymous Authentication` for this to work, as you are passing the credentials in IIS doesn't need to do any authentication. Be aware that this method is susceptible to a man-in-the-middle attack, I tend to only use this method in a closed environment like a corporate intranet and even then it isn't 100% safe. – user692942 Mar 10 '14 at 13:52
  • Can you shed some more light on the "man in the middle" situation please – pee2pee Mar 11 '14 at 10:11
  • You want to provide your own UI for authenticating to Active Directory this means the client will have to provide their Windows Username and Password in a HTML form which will be posted in clear text, securing this by running your site on SSL connection is a must. – user692942 Mar 11 '14 at 10:19

1 Answers1

7

I know this is an old question, but in case someone is still interested:

This is how I authenticate users against an AD: It's an indirect approach using an authenticated LDAP query. If the query fails, the user is not allowed to authenticate against the domain controller.

It's a bit inelegant in as much as it requires an explicit naming of a domain controller. domain name (if you want to use sam account names) and an OU for the search start DN.

  dim domainController : domainController = "yourdc.company.com"
  dim ldapPort : ldapPort = 389
  dim startOu : startOu = "DC=company,DC=com"

  Function CheckLogin( szUserName, szPassword)
    CheckLogin = False

    szUserName = trim( "" &  szUserName)

    dim oCon : Set oCon = Server.CreateObject("ADODB.Connection")
    oCon.Provider = "ADsDSOObject"
    oCon.Properties("User ID") = szUserName
    oCon.Properties("Password") = szPassword
    oCon.Open "ADProvider"
    dim oCmd : Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oCon

    ' let's look for the mail address of a non exitsting user
    dim szDummyQuery : szDummyQuery = "(&(objectCategory=person)(samaccountname=DeGaullesC))"
    dim szDummyProperties : szDummyProperties = "mail"
    dim cmd : cmd = "<" & "LDAP://" & domainController & ":" & ldapPort & _
                        "/" & startOu & ">;" & szDummyQuery & ";" & szDummyProperties & ";subtree"
    oCmd.CommandText = cmd
    oCmd.Properties("Page Size") = 100
    on error resume next
    dim rs : Set rs = oCmd.Execute
    if err.Number = 0 then
      CheckLogin = true
      call rs.Close()
      set rs = nothing
    end if
    on error goto 0
    set oCmd = nothing
  End Function

  ' perform test
  dim res : res = CheckLogin( "youradname\youruser", "yourpassword")
  if res then
    Response.Write( "Login ok")
  else
    Response.Write( "Login failed")
  end if
schudel
  • 1,235
  • 2
  • 11
  • 18