We have security set up for an intranet site as follows through active directory.
First we have security groups by department (sales, accounting, etc.)
Second we have an AD security group for the intranet site where people logon via NT challenge/response. For this purpose let’s call that group “Intranet Users”
Under Intranet Users, I’ve added the departments that are allowed to use the intranet.
So in AD you have Intranet Users and the members of the group are Sales and Accounting.
What I need to do in classic ASP is authenticate a user against the groups under Intranet Users.
I dug up some old code I used elsewhere but I can’t get it to work and unless my Google-fu of this topic is just terrible (a distinct possibility) I can’t find proper documentation of doing this in classic ASP.
This code will get the group but will only enumerate the objects within it if it’s a user, not a group.
bAuthUser = False
Set objGroup = GetObject("WinNT://DOMAIN/Intranet Users")
For Each objMember In objGroup.Members
If objMember.Class = "User" Then
If objMember.Name = Request.ServerVariables("AUTH_USER") Then bAuthUser = True
End If
Next
The above code works if there is an actual user in the security group but there are no users in the group, just other security groups.
What I need to do is loop through the groups in “Intranet Users” then through the users in each group to authenticate.
Am I on the right track here or totally off?
Thanks in advance.
This depends on the functionality you are looking for.
If the goal is “everyone can access this site, but if they are in Intranet Users, they get this extra functionality” then the path you are on is correct.
If you just want to be able to say “Only Intranet Users can access my site” there’s an undocumented feature of IIS you can leverage. If you go into the folder security options, and remove the generic accounts from the ACL and add the Intranet Users group to the ACL, IIS will throw a 403 exception if the user authenticated is not in Intranet Users.