Microsoft KB Archive/253568

HOWTO: Use ADSI to Access Exchange User Data from an ASP Page

Q253568


The information in this article applies to:


 * Microsoft Active Directory Service Interfaces, version 2.5
 * Microsoft Active Server Pages


SUMMARY
This article contains a Visual Basic code sample that demonstrates how to use ADSI to access Microsoft Exchange Server user data from an Active Server Pages (ASP) page. The sample code and configuration information presented in this article allow you to access a domain user's Exchange data from an intranet or Internet Web site.

MORE INFORMATION
The code sample consists of two ASP pages:


 * AuthRedirect.asp looks up the security identifier (SID) of a domain user, and passes the SID to the ADSITest.asp page. (The SID is a unique identifier that the domain controller assigns to each user.)
 * ADSITest.asp retrieves the user information from the Exchange server, and outputs that information.

AuthRedirect.asp
The AuthRedirect.asp page retrieves the user's logon information by using Windows NT Challenge/Response.

NOTE: Under Windows 2000 and Internet Information Server (IIS) version 5.0, the logon information is retrieved by using Integrated Authentication.


 * 1) Create a new file named AuthRedirect.asp and paste in the following code:
 * 2) Save the AuthRedirect.asp file in a Web site folder.
 * 3) In IIS 4.0, from the IIS Management Console, right-click the AuthRedirect.asp page, click Properties, and then click the Directory Security tab. In the Anonymous Access and Authentication Control section, click the Edit button. Make sure that the only item checked is Windows NT Challenge/Response.

This method of authentication retrieves the logon name of the domain user who accesses the page, and stores the name in the AUTH_USER server variable. IIS is unable, however, to access a remote Exchange data store with this method. In order to obtain any information from Exchange, the security context of the user must be passed, and IIS does not have the user password. When IIS uses Challenge/Response, the password is never actually sent to the server. Rather, a hash of the password is sent to the domain controller to verify that the user is valid. While this makes Challenge/Response secure, it prevents IIS from having the password to pass on in a request to another server. The ADSITest.asp page provides a way to work around this problem.

ADSITest.asp
The ADSITest.asp page must use anonymous authentication. For this page only, you will configure the anonymous user in IIS to be a valid domain account with the appropriate permissions on the Exchange server.


 * 1) Create a new file named ADSITest.asp and paste in the following code:
 * 2) Save the ADSITest.asp file in the same folder as the AuthRedirect.asp file.
 * 3) In IIS 4.0, from the IIS Management Console, right-click the ADSITest.asp page, click Properties, and then click the Directory Security tab. In the Anonymous Access and Authentication Control section, click the Edit button.
 * 4) Make sure that only Allow Anonymous Access is checked, and then click the Edit button beside this setting.
 * 5) Select the domain user to use as the anonymous user for the page, and make sure that Automatic Password Synchronization is disabled. Manually enter the password for the user, and then re-enter it after clicking OK to close the dialog box. This ensures that IIS has the password to pass on to the remote Exchange server.
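
The following Python sketch is an added illustration, not code from the original article. It models why the challenge/response logon on AuthRedirect.asp cannot be carried on to Exchange, and why the stored anonymous-account password on ADSITest.asp can. It is a simplified model that uses HMAC-SHA256 in place of the real NTLM functions, and all class, function and account names in it are hypothetical.

```python
import hashlib
import hmac
import os

# Simplified model: HMAC-SHA256 stands in for NTLM's real hash and response
# functions. Every name, account and password below is constructed.
def password_key(password: str) -> bytes:
    """Password-derived key; known to the client and the domain controller."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def respond(password: str, challenge: bytes) -> bytes:
    """Answer one specific challenge without revealing the password."""
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self, accounts: dict):
        self._keys = {user: password_key(pw) for user, pw in accounts.items()}

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Server:
    """IIS or Exchange: issues a fresh challenge, lets the DC check the answer."""
    def __init__(self, dc: DomainController):
        self.dc, self.challenge = dc, b""

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(8)
        return self.challenge

    def authenticate(self, user: str, response: bytes) -> bool:
        return self.dc.verify(user, self.challenge, response)

def double_hop_demo() -> tuple:
    dc = DomainController({"alice": "pw-alice", "svc_anon": "pw-svc"})
    iis, exchange = Server(dc), Server(dc)
    # Hop 1: the browser answers the IIS challenge; IIS sees only the response.
    seen_by_iis = respond("pw-alice", iis.new_challenge())
    first_hop = iis.authenticate("alice", seen_by_iis)
    # Hop 2: Exchange issues its own challenge; replaying Alice's answer fails.
    exchange.new_challenge()
    replayed = exchange.authenticate("alice", seen_by_iis)
    # Anonymous account: IIS holds this password, so it can answer Exchange.
    stored = exchange.authenticate("svc_anon", respond("pw-svc", exchange.new_challenge()))
    return first_hop, replayed, stored
```

Calling double_hop_demo() returns (True, False, True): the user's logon to IIS succeeds, the same response is useless against the second server's challenge, and the account whose password IIS stores authenticates to that server.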