Thursday, September 29, 2011

Classic ASP and Windows integrated authentication

I’ve just spent a few days looking into making a small change to a live web site that uses an old classic ASP page to provide basic file access to network drives so files can be accessed from home via a web browser. It’s a pre-existing web site running in IIS6 on a Windows Server 2003 box and uses basic authentication which means the user will be prompted to enter their Active Directory username and password before they will be granted access.

The first change was to use Windows integrated authentication so the user isn’t challenged with a prompt when they access the site internally (because the browser will pass along their network logon credentials and the server will use those).

The second was to sort the list of folders and files alphabetically.

The first change turns out to be a real pain to achieve because with Windows integrated authentication the code appears to run in the context of the remote user until you need to do something with another network resource (such as a file server). At that point you run into the double hop problem – the impersonated credentials work on the web server, but won’t work anywhere else. There are some options here, such as trying to enable constrained delegation to allow the impersonated credentials deeper access (but the file server isn’t actually a Windows machine and constrained delegation might not work with classic ASP anyway). Or maybe I could write a COM interop object that calls RevertToSelf to terminate the impersonation and do the network file store access as the IIS process identity? All of this sounds like a bunch of hassle to support a minor use case – the internal users will use the file store directly anyway, and the external ones are still going to have to provide their logon details because they won’t be logged in to the domain while at home.

The second also turns out to be a pain because classic ASP with VBScript doesn’t have any way to sort things (other than implementing your own sorting or pushing it into a database – yikes!). I found a nice solution on the web that uses CreateObject to create a .NET SortedList (presumably through COM interop). However, accessing the folder and file objects provided by the FileSystemObject via the SortedList causes the basic authentication impersonation to get dropped, giving access denied errors because the IIS process account doesn’t have any permissions against the network file store. Hence a horrible workaround involving storing the file and folder objects in arrays and only the indexes in the SortedList.
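The workaround described above, written out as an added example (this is not code from the original post): the FileSystemObject folder and file objects never touch the .NET object, only their position in a plain VBScript array does, so the impersonated credentials are still the ones used when the objects are read. The share path, the page name and the sub-folder parameter are assumptions for the example. Names are HTML-encoded on output, and the requested path is checked to stay under the share root, since a listing page that takes a path from the query string would otherwise be open to traversal.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit

' Assumed root of the file store exposed by this page (placeholder, not from the post).
Const SHARE_ROOT = "\\fileserver\home"

' Copy the members of an FSO Folders or Files collection into arr() and record
' only each member's array index in the .NET SortedList. The key is the
' lower-cased name plus the index, so ordering is case-insensitive and keys stay
' unique even on a non-Windows file server that allows names differing only by case.
Sub IndexCollection(coll, arr, sorted)
    Dim item, i
    ReDim arr(coll.Count)          ' one spare slot keeps ReDim valid for an empty collection
    i = 0
    For Each item In coll
        Set arr(i) = item
        sorted.Add LCase(item.Name) & "|" & Right("00000000" & i, 8), i
        i = i + 1
    Next
End Sub

' Walk the SortedList in key order and emit one <li> per entry, reading the
' FSO object back out of the VBScript array by its stored index.
Sub WriteSortedList(arr, sorted, cssClass)
    Dim i, idx
    For i = 0 To sorted.Count - 1
        idx = sorted.GetByIndex(i)
        Response.Write "<li class=""" & cssClass & """>" & _
            Server.HTMLEncode(arr(idx).Name) & "</li>" & vbCrLf
    Next
End Sub

' Resolve the requested sub-folder and refuse anything that escapes SHARE_ROOT.
Function SafeFolderPath(fso, relative)
    Dim full
    full = fso.GetAbsolutePathName(fso.BuildPath(SHARE_ROOT, relative))
    If LCase(Left(full, Len(SHARE_ROOT))) <> LCase(SHARE_ROOT) Then
        SafeFolderPath = ""            ' traversal attempt or malformed path
    Else
        SafeFolderPath = full
    End If
End Function

Dim fso, folder, path
Dim folderArr(), fileArr(), folderIdx, fileIdx

Set fso = Server.CreateObject("Scripting.FileSystemObject")
path = SafeFolderPath(fso, Request.QueryString("dir"))

If path = "" Or Not fso.FolderExists(path) Then
    Response.Status = "404 Not Found"
    Response.Write "<p>Folder not found.</p>"
    Response.End
End If

Set folder = fso.GetFolder(path)

' .NET SortedList reached through COM interop, one per collection so folders
' are always listed before files, each group alphabetically.
Set folderIdx = Server.CreateObject("System.Collections.SortedList")
Set fileIdx = Server.CreateObject("System.Collections.SortedList")

IndexCollection folder.SubFolders, folderArr, folderIdx
IndexCollection folder.Files, fileArr, fileIdx

Response.Write "<h2>" & Server.HTMLEncode(folder.Name) & "</h2>" & vbCrLf
Response.Write "<ul>" & vbCrLf
WriteSortedList folderArr, folderIdx, "folder"
WriteSortedList fileArr, fileIdx, "file"
Response.Write "</ul>" & vbCrLf

Set fileIdx = Nothing
Set folderIdx = Nothing
Set folder = Nothing
Set fso = Nothing
%>
```

Requesting the page as `listing.asp?dir=projects` lists `\\fileserver\home\projects` with sub-folders first, then files, each sorted case-insensitively; the `SafeFolderPath` check is the one piece a practitioner should keep even if the sorting approach changes.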

This post is to remind me to STAY THE FUCK AWAY FROM CLASSIC ASP.