LDAP error using windows Authentication in IIS7.0

    Question

  • I'm facing a problem with LDAP. My web server is IIS 7.0 (Windows Server 2008 R2). It's configured to use Windows Authentication. I've pasted my ASP page below.

    The web browser is IE8. I have added the website to the intranet zone and enabled "send user details if intranet zone" in the Security tab -> Custom level. Integrated Windows Authentication is enabled in the Advanced tab.

    Web Application details

    Cluster control website and another website which hosts the code below.

    Application Name    Auth Type    Application pool    Application pool identity
    Cluster control     Anonymous    Clustercontrol      Application pool identity
    Mywebsite1          Windows      MyWebsite1          DNS account

    Now coming to problem

    If I try to access the website I get the runtime error "method or property memberOf is not supported".

    Suppose I change the authentication type to Basic authentication: it asks for credentials and signs in. Immediately after that, if I change the authentication type to Windows, it works fine from the VM browser. It works even after I restart the browser.

    But it works only for 20 min, since the application idle timeout is set to 20 min (I can see a WAS event log entry which says application pool Website1 was closed due to inactivity for 20 min, and a new worker process will be created as and when it is needed). It also doesn't work if I restart the app pool immediately after I change to the Windows auth type.

    If I try to access Website1 through cluster control using localhost, it prompts for credentials and doesn't log in. But if I try to access the page below directly using localhost it works perfectly.

    Can anyone suggest to me what exactly is going wrong over here?

    <%@ LANGUAGE="VBSCRIPT" %>
    <%
    Option Explicit

    Dim oADSysInfo      ' ADSystemInfo: yields the DN of the identity this page runs as
    Dim objUser         ' the user object bound through LDAP://
    Dim strGroupData    ' comma-separated list of group DNs written to the response
    Dim strUserDN
    Dim arrGroups       ' memberOf: Empty, a single String, or an array of strings
    Dim strGroup
    Dim netSys
    Dim strUsrDomain

    strGroupData = ""

    ' WScript.Network reports the domain of the account the worker process (or the
    ' impersonated request) runs as; it is not used in the output below.
    Set netSys = CreateObject("WScript.Network")
    strUsrDomain = netSys.UserDomain

    ' The Err check is only meaningful while On Error Resume Next is active.
    On Error Resume Next
    Set oADSysInfo = CreateObject("ADSystemInfo")
    If Err.Number <> 0 Then
        Response.Write "Error creating ADSystemInfo: " & Err.Description
        Err.Clear
        Response.End
    End If
    On Error GoTo 0

    ' Under Windows Authentication this is the DN of the impersonated caller.
    strUserDN = oADSysInfo.UserName

    ' The LDAP bind is the second hop: without delegation the impersonation token
    ' cannot authenticate to the domain controller, and reading memberOf is where
    ' the "method or property memberOf is not supported" error surfaces.
    Set objUser = GetObject("LDAP://" & strUserDN)
    arrGroups = objUser.memberOf

    If IsEmpty(arrGroups) Then
        ' member of no groups
    ElseIf TypeName(arrGroups) = "String" Then
        ' exactly one group: memberOf comes back as a plain string
        strGroupData = arrGroups
    Else
        ' several groups: memberOf is an array of DNs
        For Each strGroup In arrGroups
            strGroupData = strGroupData & "," & strGroup
        Next
    End If

    Response.Write(strGroupData)
    %>
    Tuesday, June 19, 2012 7:25 AM

Answers

  • Thanks for your response.

    I employed a rather simple solution.

    The solution I employed was as follows.

    1. My application is running under a specific user identity (physical path credential and application pool identity set to the DNS account).

    2. I created another page with the above code and ran it under the application pool identity, and thereby created a primary token key.

    3. Using that key I again connected to LDAP to query user-related info by calling the above code under a virtual directory having Windows Authentication, and thereby got the user details.

    Thanks for your help again.

    Friday, June 29, 2012 4:01 PM
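    The accepted solution above runs the directory query under the application pool's own primary token instead of the request's impersonation token. The script below is an added example written for this page, not code from the thread: it performs the same memberOf lookup as the asker's ASP page in PowerShell, binds with an explicit service identity, escapes the account name before placing it in the LDAP filter, and always returns the groups as an array so the three memberOf shapes (absent, single value, multiple values) need no special-casing by the caller. The domain DN, the service account prompt and the sample LOGON_USER value are assumptions or constructed samples.

```powershell
# Added example, not from the TechNet thread. Names, the search root and the
# sample LOGON_USER value are assumptions / constructed samples.
Set-StrictMode -Version Latest
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a user name copied from LOGON_USER must not be able to
    # change the shape of the LDAP filter it is placed in.
    param([Parameter(Mandatory)][string] $Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Split-LogonUser {
    # LOGON_USER arrives as DOMAIN\user under Windows Authentication; keep only
    # the account part for the sAMAccountName filter.
    param([Parameter(Mandatory)][string] $LogonUser)
    $i = $LogonUser.IndexOf('\')
    if ($i -ge 0) { return $LogonUser.Substring($i + 1) }
    return $LogonUser
}

function Get-UserGroupDns {
    # Returns the distinguishedName of every group in the user's memberOf.
    # Wrap the call in @() so a single group is still handled as an array.
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [string] $SearchRoot = 'LDAP://DC=corp,DC=example,DC=com',   # assumption
        [System.Management.Automation.PSCredential] $ServiceCredential
    )
    if ($ServiceCredential) {
        # Explicit service identity: the bind does not depend on the caller's
        # token, which is what the thread's primary-token solution achieves.
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            $SearchRoot,
            $ServiceCredential.UserName,
            $ServiceCredential.GetNetworkCredential().Password)
    } else {
        # No explicit identity: binds with the current token. Inside IIS under
        # Windows Authentication this is the path that fails with the double hop.
        $root = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectCategory=person)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $hit = $searcher.FindOne()
    if (-not $hit) { return @() }
    $groups = @()
    # SearchResult property names are lower-cased; memberOf with no value is simply absent.
    foreach ($dn in $hit.Properties['memberof']) { $groups += [string]$dn }
    return $groups
}

# --- usage with constructed values ---
$logonUser = 'CORP\karthik'     # what LOGON_USER would carry for the request
# In a real deployment read the service credential from a protected store; the
# interactive prompt is only for running this script by hand.
$svc = Get-Credential -Message 'Service account used for the directory bind'
$groups = @(Get-UserGroupDns -SamAccountName (Split-LogonUser $logonUser) -ServiceCredential $svc)
if ($groups.Count -eq 0) { 'Member of no groups' } else { $groups -join ',' }
```

    Why the explicit bind matters: with Windows Authentication and no delegation, the worker process receives a network-logon token that identifies the user but carries nothing it can present to the domain controller, so the `LDAP://` bind on the second hop fails and the page sees memberOf as unsupported. Basic authentication "works" only because the server then holds the cleartext password and can re-authenticate, which is not an acceptable trade. The two supportable fixes are the one the asker chose (query under a primary token such as the pool identity) or Kerberos constrained delegation for the pool account with an SPN registered for the site, which is what the linked double-hop articles describe.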
  • Hi Karthik,

    Thanks for posting in Microsoft TechNet forums.

    Here are some links which might be helpful while troubleshooting Double Hop issue:

    The Double-Hop Problem

    http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx


    Double Hop and ASP.NET - a workaround.

    http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx

    IIS, Windows Authentication and the Double Hop issue

    http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx

    Regards

    Kevin

    TechNet Community Support

    Thursday, June 21, 2012 7:59 AM

All replies

  • Now I can confirm that it's a "Double-hop issue". Whatever problem I explained above is seen in the Double-Hop issue. Can anyone explain to me how to fix it? Though it could have been fixed if I had used ASPX, how can I fix it in classic ASP?
    Tuesday, June 19, 2012 8:02 AM
  • Hi Karthik,

    Thanks for sharing your solution with us.

    Please feel free to create a new thread if you encounter other problems in the future.

    Best Regards

    Kevin
    Monday, July 02, 2012 1:48 AM