Check whether a user is a member of a given AD group (ASP Classic)

Posted 2024-12-19 08:07:41


I have a legacy application that is still going strong, based on ASP Classic. To secure the application, I'm checking the logged-in user is a member of a certain AD group, and I'm returning a little useful information (e.g. full name, email address etc).

This should be fairly routine and some years ago, I changed from my original approach (now forgotten) to my current one. It was a bit fiddly to implement because it crossed a number of technical areas that I knew relatively little about, but I got the system working OK.

Cue several server moves later (each one being a battle to re-implement the system), and I'm now faced with another move or three. So far I am struggling to get things working. My code, I assume, is still sound, but it is the server configuration that is the problem. Permissions, SETSPNs, Kerberos delegation etc...

So the question is, what do I do to make this work, or alternatively, is there another approach I can take? My target servers are standard Server 2008 and Server 2008 R2 boxes, within the same AD domain.

My ASP is as follows:

If Session("UID") = "" then

' Only resolve the user once per session
Dim oWshNetwork, oADSysInfo, oCurrentUser, sUserName, sComputerName
Dim sGroups

' Identity of the account the script runs as (user and computer names)
Set oWshNetwork = CreateObject("WScript.Network")

' ADSI helper that exposes the current account's distinguished name
Set oADSysInfo = CreateObject("ADSystemInfo")

' Bind to the user object in AD using that distinguished name
Set oCurrentUser = GetObject("LDAP://" & oADSysInfo.UserName)

Session("UID") = LCase(oWshNetwork.UserName)
Session("Name") = oCurrentUser.FullName
Session("Computer") = LCase(oWshNetwork.ComputerName)

' memberOf is a single string (vbString = 8) when the user is in one group,
' or a Variant array of strings (8204) when in several; flatten to one string
Select Case VarType(oCurrentUser.MemberOf)
    Case 8
        sGroups = LCase(oCurrentUser.MemberOf)
    Case 8204
        sGroups = LCase(Join(oCurrentUser.MemberOf))
End Select

' Case-insensitive substring search of the joined group DNs
If InStr(1, sGroups, "myApp_Users",1) Then
    Session("Auth") = 1
Else
    Session("Auth") = 0
End If

If InStr(1, sGroups, "myApp_Admins",1) Then
    Session("Admin") = 1
Else
    Session("Admin") = 0
End If

Set oWshNetwork = Nothing
Set oADSysInfo = Nothing
Set oCurrentUser = Nothing

End If

I'm running these applications in an Application pool with the Identity of a domain user.

This domain user has Read & Execute permissions to the application.

Kerberos delegation is enabled for each server:

Trust the computer for delegation to any service (Kerberos only)

I've configured SPNs for the domain user as follows:

http/myServer
http/myServer.mydomain.net

Yet when I run the app, my code falls over at the first GetObject call:

error '800704bc' 

Can anybody help either debug this issue once and for all, or provide an alternative if there is one? Sure, I'd love to redevelop in .NET but that isn't an option.

Comments (2)

浅笑依然 2024-12-26 08:07:41


Well, here's the meaning of your error:

C:\Users\BrianDesmond>err 0x800704bc
# as an HRESULT: Severity: FAILURE (1), FACILITY_WIN32 (0x7), Code 0x4bc
# for hex 0x4bc / decimal 1212
  ERROR_INVALID_DOMAINNAME                                       winerror.h
# The format of the specified domain name is invalid.
# 1 matches found for "0x800704bc"

With that in mind, what's getting passed to the first GetObject() call?

Also, unconstrained delegation, AKA "trust compute for delegation to any service" is a really bad security practice.

萧瑟寒风 2024-12-26 08:07:41


My situation resulting in this error was due to the ADSystemInfo.UserName method being invoked in the context of the service account. This was that of the NetworkService (NT_AUTHORITY\NETWORK SERVICE) account and therefore local, and therefore not in the domain. I'm guessing that's why in my case I got the ERROR_INVALID_DOMAINNAME.

In my case, a third party module was not providing the required user context, but more commonly I would expect that IIS authentication was misconfigured.
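Added example, not code from the question or either answer, that applies both answers' points to the question's setup: it takes the user from the identity IIS authenticated for the request (Request.ServerVariables("LOGON_USER")) instead of from ADSystemInfo, which reports the worker-process account, and it compares whole group DNs instead of substring-matching the joined memberOf list. It assumes IIS Windows Authentication is enabled with Anonymous disabled, the domain DC=mydomain,DC=net from the question's SPNs, and placeholder DNs for the two groups.

```vbscript
<%
' Added example, not the question's code. Assumes Windows auth on in IIS; DNs are placeholders.
Const APP_USERS_DN  = "CN=myApp_Users,OU=Groups,DC=mydomain,DC=net"
Const APP_ADMINS_DN = "CN=myApp_Admins,OU=Groups,DC=mydomain,DC=net"
' LOGON_USER is the identity IIS authenticated for this request; it is empty under
' Anonymous auth. WScript.Network and ADSystemInfo report the worker-process account.
Function AuthenticatedSamAccount()
    Dim s : s = Request.ServerVariables("LOGON_USER")   ' e.g. MYDOMAIN\jsmith
    If InStr(s, "\") > 0 Then s = Mid(s, InStr(s, "\") + 1)
    AuthenticatedSamAccount = s
End Function
' RFC 4515 escaping so the logon name cannot alter the shape of the LDAP filter.
Function LdapEscape(s)
    s = Replace(s, "\", "\5c") : s = Replace(s, "*", "\2a")
    LdapEscape = Replace(Replace(s, "(", "\28"), ")", "\29")
End Function
' ADO query via the ADSI provider; returns memberOf as an array of group DNs
' (direct membership only, like the question's MemberOf: nesting is not expanded).
Function DirectGroupDNs(sSam)
    Dim oConn, oRs, v : v = Array()
    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Provider = "ADsDSOObject" : oConn.Open "Active Directory Provider"
    Set oRs = oConn.Execute("<LDAP://DC=mydomain,DC=net>;(&(objectCategory=person)" & _
        "(sAMAccountName=" & LdapEscape(sSam) & "));displayName,mail,memberOf;subtree")
    If Not oRs.EOF Then
        Session("Name") = oRs.Fields("displayName").Value & ""
        Session("Email") = oRs.Fields("mail").Value & ""
        v = oRs.Fields("memberOf").Value
        If IsNull(v) Then v = Array()
        If VarType(v) = vbString Then v = Array(v)
    End If
    oRs.Close : oConn.Close
    DirectGroupDNs = v
End Function
' Whole-DN comparison: a substring test on the joined list would also accept "myApp_Users_Old".
Function IsDirectMember(vGroups, sDN)
    Dim g : IsDirectMember = False
    For Each g In vGroups
        If StrComp(g, sDN, vbTextCompare) = 0 Then IsDirectMember = True
    Next
End Function
If Session("UID") = "" Then
    Session("UID") = LCase(AuthenticatedSamAccount())
    If Session("UID") = "" Then Response.Status = "401 Unauthorized" : Response.End
    Dim vMemberOf : vMemberOf = DirectGroupDNs(Session("UID"))
    If IsDirectMember(vMemberOf, APP_USERS_DN) Then Session("Auth") = 1 Else Session("Auth") = 0
    If IsDirectMember(vMemberOf, APP_ADMINS_DN) Then Session("Admin") = 1 Else Session("Admin") = 0
End If
%>
```

Because the directory lookup runs as the application pool's domain account rather than by impersonating the visitor, the web server needs no Kerberos delegation at all, which removes the unconstrained-delegation setting the first answer objects to. An empty LOGON_USER is the quickest confirmation of the IIS authentication misconfiguration the second answer describes.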
