HOW TO: Use ADSI to Access Exchange User Data from an ASP Page (253568)



The information in this article applies to:

  • Microsoft Active Directory Service Interfaces 2.5
  • Microsoft Active Server Pages

This article was previously published under Q253568

SUMMARY

This step-by-step article contains a Visual Basic code sample that demonstrates how to use ADSI to access Microsoft Exchange Server user data from an Active Server Pages (ASP) page. The sample code and configuration information presented in this article allow you to access a domain user's Exchange data from an intranet or Internet Web site.


Use ADSI to Access User Data from an ASP Page

The code sample consists of two ASP pages:
  • AuthRedirect.asp looks up the security identifier (SID) of a domain user, and passes the SID to the ADSITest.asp page. (The SID is a unique identifier that the domain controller assigns to each user.)
  • ADSITest.asp retrieves the user information from the Exchange server, and outputs that information.

AuthRedirect.asp

The AuthRedirect.asp page retrieves the user's logon information by using Windows NT Challenge/Response.

NOTE: Under Windows 2000 and Internet Information Server (IIS) version 5.0, the logon information is retrieved by using Integrated Authentication.
  1. Create a new file named AuthRedirect.asp and paste in the following code:
    <%@ Language=VBScript %>
    <%
        Dim oSid
        Dim strSid
        Dim strUser
        Const ADS_SID_HEXSTRING = 1
        Const ADS_SID_WINNT_PATH = 5

        ' Logon name of the authenticated user, in DOMAIN\user form.
        strUser = Request.ServerVariables("AUTH_USER")

        ' Switch the "\" to a "/" in the user name for later parsing.
        strUser = Replace(strUser, "\", "/")

        Set oSid = Server.CreateObject("ADSSID")               ' From Platform SDK, adssecurity.dll.
        oSid.SetAs ADS_SID_WINNT_PATH, "WinNT://" & strUser   ' Get the user account SID.
        strSid = oSid.GetAs(ADS_SID_HEXSTRING)                 ' Convert to hexadecimal string.
        Set oSid = Nothing

        ' Hand the hex SID to ADSITest.asp in the query string.
        Response.Redirect "ADSITest.asp?SID=" & strSid
    %>
    					
  2. Save the AuthRedirect.asp file in a Web site folder.
  3. In IIS 4.0, from the IIS Management Console, right-click the AuthRedirect.asp page, click Properties, and then click the Directory Security tab. In the Anonymous Access and Authentication Control section, click the Edit button. Make sure that the only item checked is Windows NT Challenge/Response.
This method of authentication retrieves the logon name of the domain user who accesses the page, and stores the name in the AUTH_USER server variable. IIS is unable, however, to access a remote Exchange data store with this method. In order to obtain any information from Exchange, the security context of the user must be passed, and IIS does not have the user password. When IIS uses Challenge/Response, the password is never actually sent to the server. Rather, a hash of the password is sent to the domain controller to verify that the user is valid. While this makes Challenge/Response secure, it prevents IIS from having the password to pass on in a request to another server. The ADSITest.asp page provides a way to work around this problem.


ADSITest.asp

The ADSITest.asp page must use anonymous authentication. For this page only, you will configure the anonymous user in IIS to be a valid domain account with the appropriate permissions on the Exchange server.
  1. Create a new file named ADSITest.asp and paste in the following code:
    <%@ Language=VBScript %>
    <%
        Dim strSid, strQuery, strServerName
        Dim oConn, oRS
        strSid = Request.QueryString("SID")   ' Hex SID passed by AuthRedirect.asp
        strServerName = "MyServer"            ' Name of the Exchange server

        ' ADSI query text: <base>;(filter);attributes;scope
        strQuery = "<LDAP://" & strServerName & ">;(&(objectClass=person)(Assoc-NT-Account=" & strSid & "));adspath,cn,mail;subtree"

        Set oConn = CreateObject("ADODB.Connection")   ' Create an ADO Connection
        oConn.Provider = "ADsDSOOBJECT"                ' ADSI OLE DB provider
        oConn.Open "ADs Provider"
        Set oRS = oConn.Execute(strQuery)

        If oRS.BOF And oRS.EOF Then
            Response.Write "Unable to retrieve information."
        Else
            While Not oRS.EOF
                ' Use & throughout so that a Null field does not blank the whole expression.
                Response.Write "Mailbox :  " & oRS.Fields("cn") & vbLf & "Email : " & oRS.Fields("mail") & "<BR>"
                oRS.MoveNext
            Wend
        End If

        ' Clean up.
        oRS.Close
        oConn.Close
        Set oRS = Nothing
        Set oConn = Nothing

    %>
    					
  2. Save the ADSITest.asp file in the same folder as the AuthRedirect.asp file.
  3. In IIS 4.0, from the IIS Management Console, right-click the ADSITest.asp page, click Properties, and then click the Directory Security tab. In the Anonymous Access and Authentication Control section, click the Edit button.
  4. Make sure that only Allow Anonymous Access is checked, and then click the Edit button beside this setting.
  5. Select the domain user to use as the anonymous user for the page, and make sure that Automatic Password Synchronization is disabled. Manually enter the password for the user, and then re-enter it after clicking OK to close the dialog box. This ensures that IIS has the password to pass on to the remote Exchange server.
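
One way to check the SID value before ADSITest.asp concatenates it into the LDAP filter, as an added example that is not part of the original article. It assumes the hex SID string is the binary SID written as two hex digits per byte and that the VBScript RegExp object (VBScript 5.0 or later) is available; HexByte and HexSidToString are hypothetical helper names. It goes in the ADSITest.asp script block in place of the line that reads the query string.

```vbscript
' Added example (not from the original article). Assumed layout of the hex SID:
' two hex digits per byte of the binary SID, that is revision (1 byte, value 1),
' sub-authority count n (1 byte, at most 15), identifier authority (6 bytes,
' big-endian), then n sub-authorities (4 bytes each, little-endian).

' Value of the byte at zero-based offset intPos in a hex string.
Function HexByte(strHex, intPos)
    HexByte = CLng("&H" & Mid(strHex, 2 * intPos + 1, 2))
End Function

' Returns the SID in S-1-... notation, or "" if strHex is not a well-formed hex SID.
Function HexSidToString(strHex)
    Dim oRe, n, i, j, dblVal, strOut
    HexSidToString = ""
    Set oRe = New RegExp
    oRe.Pattern = "^[0-9A-Fa-f]{16,136}$"                 ' 8 to 68 bytes, hex digits only
    If Not oRe.Test(strHex) Then Exit Function
    If HexByte(strHex, 0) <> 1 Then Exit Function          ' revision must be 1
    n = HexByte(strHex, 1)                                 ' length cap above keeps n <= 15
    If Len(strHex) <> 2 * (8 + 4 * n) Then Exit Function   ' length must match the count

    dblVal = CDbl(0)                                       ' 48-bit authority, big-endian
    For i = 2 To 7
        dblVal = dblVal * 256 + HexByte(strHex, i)
    Next
    strOut = "S-1-" & CStr(dblVal)
    For i = 0 To n - 1                                     ' 32-bit values, little-endian
        dblVal = CDbl(0)
        For j = 3 To 0 Step -1
            dblVal = dblVal * 256 + HexByte(strHex, 8 + 4 * i + j)
        Next
        strOut = strOut & "-" & CStr(dblVal)
    Next
    HexSidToString = strOut
End Function

' Guard: run before strSid is concatenated into strQuery.
strSid = "" & Request.QueryString("SID")
If HexSidToString(strSid) = "" Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid SID."
    Response.End
End If
' strSid now holds hex digits only, so it cannot add "(", ")", "*" or ";"
' to the ADSI query text.
```

The check constrains only the syntax of the value. Because ADSITest.asp accepts anonymous requests, it still returns data for whichever well-formed SID the request supplies.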

REFERENCES

For additional information, see the following article in the Microsoft Knowledge Base:

251390 HOWTO: Find Exchange Recipients Associated With an NT Account


Modification Type: Minor
Last Reviewed: 3/25/2005
Keywords: kbHOWTOmaster kbMsg KB253568 kbAudDeveloper