Directory Services

Authentication Issues for ADSI with ASP

Depending on the configuration of your intranet, authentication issues may occur when ADSI code is run from an ASP page.

If all clients on the intranet run Windows 2000 or Windows XP, the domain controller that ADSI connects to runs Windows 2000 or Windows Server 2003, and the IIS server is version 5.0 or later, then access to the domain controller can be authenticated using delegation. Delegation permits a service to act as the user, so that it can access a network resource using that user's credentials. If your intranet matches this configuration, you must set up IIS to use delegation. Set the IIS authentication mechanism to Anonymous or NTLM. If you choose Anonymous, the security context is mapped to the IUSR_MACHINE account. If you select NTLM, the security context changes depending on which user logs on to your Web site. For more information and instructions on setting up the IIS server for delegation, see the Windows 2000 Resource Kit.

If you are using a Windows NT server, an IIS server that uses Windows NT challenge/response authentication, or a browser client that does not support Kerberos, then double-hop authentication is not supported. Double-hop authentication means that the user's credentials are passed from the browser client to the IIS server, and the IIS server then passes those credentials on to the back-end server. In this situation, you can use one of the following solutions to allow access to the directory from the ASP page:

These methods involve authenticating the Web client and then switching to different credentials when contacting the directory, because double-hop authentication with the same credentials is not possible.
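As an added example (not from the original page), the following ASP page shows one way to apply the approach just described: IIS authenticates the browser client on the first hop, and the page then binds to the directory on the second hop with a separate, low-privilege service account through the ADSI IADsOpenDSObject::OpenDSObject method rather than with the client's own token. The LDAP path, the account name EXAMPLE\svc-ldap-reader, and the Application("LdapReaderPassword") credential source are placeholders assumed for the example.

```vbscript
<%
' Added example (not part of the original page): bind to Active Directory from
' ASP with explicit credentials, because the client's NTLM token cannot be
' forwarded to the domain controller on the second hop without delegation.
Option Explicit

' ADSI authentication flags (documented ADS_AUTHENTICATION_ENUM values).
Const ADS_SECURE_AUTHENTICATION = &H1   ' use Windows (Kerberos/NTLM) auth, not simple bind
Const ADS_USE_ENCRYPTION        = &H2   ' additionally require SSL/TLS on the LDAP session

' Placeholder values assumed for this example: use your own domain, a read-only
' service account with only the directory rights the page needs, and a credential
' source that is loaded at application start rather than hard-coded in the page.
Dim ldapPath, svcUser, svcPassword
ldapPath    = "LDAP://dc.example.com/DC=example,DC=com"
svcUser     = "EXAMPLE\svc-ldap-reader"
svcPassword = Application("LdapReaderPassword")

' First hop: IIS has already authenticated the browser (Anonymous or NTLM), so
' the caller's identity is available here. Because the directory is opened with
' the service account, any per-user authorization must be enforced in the page
' itself using this value; the directory will not do it for you.
Dim clientUser
clientUser = Request.ServerVariables("LOGON_USER")
If clientUser = "" Then
    Response.Status = "401 Unauthorized"
    Response.End
End If

' Second hop: open the directory with the service account's credentials.
Dim dso, domainObj
Set dso = GetObject("LDAP:")
On Error Resume Next
Set domainObj = dso.OpenDSObject(ldapPath, svcUser, svcPassword, ADS_SECURE_AUTHENTICATION)
If Err.Number <> 0 Then
    ' Log the detail server-side; return only a generic message to the browser.
    Response.Write "Directory bind failed."
    Response.End
End If
On Error GoTo 0

Response.Write "Client: " & Server.HTMLEncode(clientUser) & "<br>"
Response.Write "Bound as service account to: " & Server.HTMLEncode(domainObj.Get("distinguishedName"))
%>
```

Because every request reaches the directory as the same service account, the domain controller's audit log will show that account rather than the end user; keep the account's rights minimal and record the LOGON_USER value in the application's own logs so that actions remain attributable.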