CDOLive LLC The Premier Resource for Microsoft Collaboration Data Objects             

CDO and ASP Basics

Because the CDO library 1.x (CDO.DLL) and the CDO Rendering library 1.x (CDOHTML.DLL) are COM components, they can be used within a Microsoft Active Server Pages application (e.g. Microsoft Outlook Web Access). This gives them the benefits of Microsoft Active Server Pages: automatic compilation of scripts, server-based execution, and the ability to script in any scripting language, including Microsoft Visual Basic Scripting Edition and Microsoft JScript.

Security Considerations

Before starting the development of a Microsoft Active Server Pages application that needs access to Microsoft Exchange Server data, security is the first point to consider. Three separate security layers play a role in a Microsoft Active Server Pages application:

  • Microsoft Windows NT 3.x/4.x Security
  • Microsoft Internet Information Server 3.x/4.x Security
  • Microsoft Exchange Server 4.x/5.x Security

All three must be set up properly for the application to run without major problems. Depending on the configuration of Microsoft Windows NT Server 3.x/4.x, Microsoft Internet Information Server 3.x/4.x and Microsoft Exchange Server 4.x/5.x, different scenarios apply.

Windows NT 3.x/4.x Security

The most common mistake is to ignore that Microsoft Windows NT Security plays a major role in the whole application. Doing so produces the dreaded ASP0115 error (Unexpected error: a trappable error occurred in an external object), which does not tell you the real reason for the failure; it only reports that a call to the external object failed, which is not very helpful. Almost always the cause is that the security context the page runs in has no rights on the mailbox or folder it tries to open.

Microsoft Windows NT 3.x/4.x uses an authentication method called NTLM. NTLM stands for Windows NT LAN Manager, because the protocol was developed for and originally used in Microsoft LAN Manager. NTLM assumes that the user has logged on to a Microsoft Windows NT network from a client and has been authenticated by a Microsoft Windows NT Primary or Backup Domain Controller.

Since each Microsoft Exchange Server 4.x/5.x mailbox is tied to a Microsoft Windows NT 3.x/4.x account, the Microsoft Active Server Pages application must run either in the security context of the Microsoft Windows NT 3.x/4.x account of the particular mailbox, or in the context of a Microsoft Windows NT 3.x/4.x account that holds higher privileges on the Microsoft Exchange Server 4.x/5.x, such as the Microsoft Exchange Server 4.x/5.x Site Service account. Using the Site Service account for this purpose is not recommended: it can read every mailbox and folder on the Microsoft Exchange Server 4.x/5.x, so a single flaw in the Web application exposes all of them. That is a security risk the customer using the application is unlikely to accept. Prefer a dedicated account that is granted rights only on the mailboxes or Public Folders the application actually needs.

Internet Information Server 3.x/4.x Security

When Microsoft Internet Information Server 3.x/4.x is installed on the Microsoft Windows NT Server 3.x/4.x, a new Microsoft Windows NT 3.x/4.x account named IUSR_<YourComputerName> is created and assigned a random password. For security reasons it is recommended to change the password and to store it in a safe place, as with all system and administration passwords. Note that Microsoft Internet Information Server 3.x/4.x keeps its own copy of this password for the anonymous logon; if you change it in User Manager you must change it in the Web site's authentication settings as well, otherwise every anonymous request fails. The Allow Anonymous Access option is also turned on by default. If the default settings are not altered, anonymous users can reach everything on the Web site that the IUSR account is allowed to read, with no further restriction.

Microsoft Internet Information Server 3.x/4.x provides three different authentication methods:

  • Allow Anonymous Access
    No User Name/Password required to access this resource
  • Basic Authentication (Password is sent in Clear Text)
    User Name and Password required when:
    * Allow Anonymous is disabled
    * Access is restricted using NTFS Access Control Lists
  • Windows NT Challenge/Response
    User Name and Password required when:
    * Allow Anonymous is disabled
    * Access is restricted using NTFS Access Control Lists

Allow Anonymous Access

To provide access to a particular Web page without creating a Microsoft Windows NT 3.x/4.x account for each user, Microsoft Internet Information Server 3.x/4.x uses a Microsoft Windows NT 3.x/4.x account named IUSR_<YourComputerName>. This Microsoft Windows NT 3.x/4.x account is used each time a Web page is requested by a browser, and no logon dialog is displayed. Everything the Microsoft Active Server Pages application does on such a request, including any access to Microsoft Exchange Server 4.x/5.x, happens with the rights of this account.

If it is not required to send e-mail via Microsoft Exchange Server 4.x/5.x or open a particular mailbox it is possible to use Anonymous Access to gain access to Microsoft Exchange Server 4.x/5.x public folders and the Global Address List. Note that the Anonymous Access to Microsoft Exchange Server 4.x/5.x can be controlled separately by the Microsoft Exchange Server System Administrator.

Basic Authentication (Password is sent in Clear Text)

In Basic authentication, Microsoft Internet Information Server 3.x/4.x challenges the browser to provide a valid Microsoft Windows NT 3.x/4.x account and password in the form DOMAIN\UserID. The browser sends both in an Authorization header, encoded in Base 64. Base 64 is an encoding, not encryption: anyone who can read the traffic can decode the password, so Basic authentication should only be used on a connection protected with SSL. Use Basic authentication when the Microsoft Internet Information Server 3.x/4.x computer needs to know the user's password. This is necessary whenever Microsoft Internet Information Server 3.x/4.x must access resources on another Microsoft Windows NT 3.x/4.x server computer on the user's behalf, because only with the password can it log on to that server as the user.

Windows NT Challenge/Response

In Microsoft Internet Information Server 3.x/4.x, NT Challenge/Response refers to NTLM authentication. In NTLM authentication, the Microsoft Internet Information Server 3.x/4.x machine sends the client a random challenge value. The client hashes the challenge with a key derived from the user's password and returns the result; the password itself never crosses the wire. Microsoft Internet Information Server 3.x/4.x passes the challenge and the client's response to a Microsoft Windows NT 3.x/4.x Domain Controller, which computes the expected response from the stored password hash and compares the two. If they match, the client is authenticated. Because the browser must answer the challenge itself, this method works only with browsers that support NTLM.

Note that due to a limitation of Microsoft Windows NT 3.x/4.x it is not possible to use NTLM if the Microsoft Exchange Server 4.x/5.x and the Microsoft Internet Information Server 3.x/4.x are on different machines. NTLM gives Microsoft Internet Information Server 3.x/4.x an access token for the user but not the user's credentials, and that token cannot be forwarded to a second server (the so-called double hop). In this case it is necessary to disable NT Challenge/Response and use Basic Authentication, which hands the password to Microsoft Internet Information Server 3.x/4.x so it can log on to the Microsoft Exchange Server 4.x/5.x as the user; protect the Web site with SSL when doing so.

Microsoft Exchange Server 4.x/5.x Security

Microsoft Exchange Server 4.x/5.x is designed to maintain security so that Microsoft Windows NT 3.x/4.x users cannot access Microsoft Exchange Server 4.x/5.x mailboxes to which they do not have access rights. Each Microsoft Exchange Server 4.x/5.x mailbox therefore has at least one Microsoft Windows NT 3.x/4.x account associated with it, the so-called Primary Windows NT Account. This NT account can be either an NT user or an NT group. It is also possible to grant additional NT accounts access to the mailbox on the Permissions tab. Note that this tab is only visible on the mailbox if you enable it in the Microsoft Exchange Administrator program under Tools, Options, Permissions.

It is also possible to define different access levels for each mailbox. Microsoft Exchange Server 4.x/5.x provides either predefined roles or individual rights. Using the individual rights you can build a custom role that holds exactly the permissions of your choice, which is the way to give a Web application account no more than it needs.

Microsoft Active Server Pages Application Considerations

Before starting to build a Microsoft Active Server Pages application it is important to understand how it works and what to keep an eye on when developing it. By definition an ASP application is a set of *.ASP files in a virtual directory, which may, but need not, include a file called Global.asa. The ASP application is started the moment the first client requests one of its pages with a browser.

One problem is that if a user's page creates an instance of the CDO 1.x Library on the server and the user then leaves by closing the browser, the MAPI session object can remain in memory, causing problems for subsequent users. In the worst case this can bring down the server, and only a reboot fixes it. Because of this, creating the Web application with a Global.asa file is recommended, so that the session object can be logged off and released when the ASP session ends.

The Global.asa can contain scripts that affect the Application object and Session object. For example, Global.asa scripts make application- and session-scope variables available at startup. The Global.asa file should be present at the application root level for every ASP application.

Procedures declared in the Global.asa file can only be called from one or more of the scripts associated with the Application_OnStart, Application_OnEnd, Session_OnStart, and Session_OnEnd events. They are not available to the *.ASP pages in the application.

The following list describes the events provided in the Global.asa file and their purpose:

  • Application_OnStart
    Runs when a user accesses a Web application that is not currently running. It is distinguished from Session_OnStart because it runs only the first time the application is accessed. Use it to create application-level variables and objects.
  • Application_OnEnd
    Runs when the application is shut down, after the last session has ended. Use this event to clean up any application-level objects created in Application_OnStart.
  • Session_OnStart
    Runs when a client that does not yet have a session requests a page of the application, i.e. once per new client, as opposed to Application_OnStart, which runs only when the application is not running. Use this event to create session-level variables and objects.
  • Session_OnEnd
    Runs when a session ends, that is, when Session.Abandon is called or the session times out (Session.Timeout, 20 minutes by default). Closing the browser does not trigger it; the server only notices the user is gone when the timeout expires. Use this event to log off and destroy any session-level objects created in Session_OnStart.
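The following Global.asa is an added example, not code from the original page: it shows the cleanup the previous paragraphs call for. It assumes the ASP pages keep their logged-on CDO session in a Session variable named objMapiSession (this example's own name); the server name in Application_OnStart is a placeholder.

```vbscript
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
' Global.asa for the application. The ASP pages are assumed to keep their
' logged-on CDO 1.x session in Session("objMapiSession"); the server name
' below is a placeholder for the real Exchange server.

Sub Application_OnStart
    ' Configuration shared by all sessions; read-only after this point.
    Application("ExchangeServer") = "EXCHSRV01"
End Sub

Sub Session_OnStart
    ' Every authenticated session holds a MAPI logon, and therefore Exchange
    ' resources, until Session_OnEnd fires. Keep the idle timeout short so an
    ' abandoned browser window does not hold the logon for the default 20 minutes.
    Session.Timeout = 10
    Set Session("objMapiSession") = Nothing
End Sub

Sub Session_OnEnd
    ' Runs on Session.Abandon or when the timeout expires, not when the browser
    ' is closed. Request and Response are not available in this event.
    On Error Resume Next
    Dim objSession
    If IsObject(Session("objMapiSession")) Then
        Set objSession = Session("objMapiSession")
        If Not objSession Is Nothing Then
            ' Logoff releases the MAPI session on the server. Errors are
            ' ignored on purpose: the session may already be invalid if the
            ' Exchange server went away in the meantime.
            objSession.Logoff
        End If
        Set objSession = Nothing
    End If
    Set Session("objMapiSession") = Nothing
    Err.Clear
End Sub

Sub Application_OnEnd
    ' Nothing to release here: the Exchange session objects are session scoped.
End Sub
</SCRIPT>
```

A logout page should call Session.Abandon so that Session_OnEnd, and with it the Logoff, runs immediately instead of after the timeout.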
Common Steps

Force the Browser to display a Logon Dialog

If the Microsoft Active Server Pages application needs to send and receive e-mail with a Microsoft Exchange Server 4.x/5.x mailbox, a valid logon to Microsoft Windows NT 3.x/4.x is required. To achieve this the browser must be forced to display a Microsoft Windows NT 3.x/4.x logon dialog. This is done by answering the unauthenticated request with HTTP status 401 and a WWW-Authenticate header, as in the following code snippet:

blnAuthenticated = False
bstrAuthentication = UCase(Request.ServerVariables("AUTH_TYPE"))

' AUTH_TYPE is empty for an anonymous request and "Basic" or "NTLM" once
' IIS has authenticated the user. Anything else is treated as not logged on.
If bstrAuthentication <> "BASIC" And bstrAuthentication <> "NTLM" Then
  ' Buffering must be on before any output, otherwise the status line has
  ' already been sent and cannot be changed any more.
  Response.Buffer = True
  Response.Status = "401 Unauthorized"
  ' The browser answers a 401 carrying a WWW-Authenticate header by showing
  ' its logon dialog and repeating the request with credentials. Basic
  ' authentication must be enabled for this directory in IIS for that retry
  ' to succeed, and the password travels Base 64 encoded, so use SSL.
  ' The realm is only a label shown in the dialog.
  Response.AddHeader "WWW-Authenticate", "Basic realm=""Exchange"""
  Response.End
Else
  blnAuthenticated = True
End If

Create a new MAPI Session with the CDO 1.x Library

Since the CDO 1.x library and the CDO HTML Rendering library 1.x are COM components, they are used like any other COM component within a Microsoft Active Server Pages application. Note that because CDO 1.x relies on MAPI, the ProgID MAPI.Session is used. Because the instance must be created on the Microsoft Internet Information Server 3.x/4.x and tracked by ASP, it is also necessary to use Server.CreateObject instead of CreateObject.

The following code snippet creates a new session with the CDO 1.x library:

Set objSession = Server.CreateObject("MAPI.Session")

Logon using Anonymous or Authenticated Access

After the new CDO session is created it is necessary to logon. This is either possible using anonymous or authenticated logon. Both can be configured by the System Administrator using the Microsoft Exchange Server 4.x/5.x admin program and permissions can be assigned to each Public Folder separately.

The following list shows the differences between anonymous and authenticated access:

  • Anonymous
    Can access the Microsoft Exchange Server 4.x/5.x Global Address List and Public Folders if the appropriate permissions are assigned. No valid Microsoft Exchange Server 4.x/5.x mailbox is required. Note that while posting to a Public Folder is possible, sending and receiving e-mail with anonymous access is not.
  • Authenticated
    Can send and receive e-mail and access Public Folders and any address list of Microsoft Exchange Server 4.x/5.x if the appropriate permissions are assigned. Note that a valid Microsoft Exchange Server 4.x/5.x mailbox with the appropriate permissions is required.

The following code builds a dynamic profile and performs an anonymous logon:

' The profile information is the directory name of the server followed by
' the literal user name and password "anon", each separated by a line feed.
strProfileInfo = "/o=" & strEnterprise & "/ou=" & strSite & _
                 "/cn=Configuration/cn=Servers/cn=" & strServer & _
                 vbLf & "anon" & vbLf & "anon"
' Logon ProfileName, ProfilePassword, ShowDialog, NewSession, ParentWindow, NoMail, ProfileInfo
objSession.Logon "", "", False, True, 0, True, strProfileInfo

To log on anonymously to Microsoft Exchange Server 4.x/5.x, the organization, site and server names are required to build the dynamic profile. For more information on how to obtain this information programmatically, please take a look at 'All you ever wanted to know about ASP & CDO but were afraid to ask', Tips and Tricks.

The following code builds a dynamic profile and performs an authenticated logon:

' Server name and mailbox alias, separated by a line feed. The logon runs in
' the security context of the request, so the NT account authenticated by IIS
' (or IUSR_<YourComputerName> for anonymous requests) must have rights on
' this mailbox, otherwise Logon fails with an ASP0115 error.
strProfileInfo = strServer & vbLf & strMailbox
objSession.Logon "", "", False, True, 0, True, strProfileInfo

To log on authenticated to Microsoft Exchange Server 4.x/5.x, the server name and a valid mailbox alias are required to build the dynamic profile. For more information on how to obtain this information programmatically, please take a look at 'All you ever wanted to know about ASP & CDO but were afraid to ask', Tips and Tricks.
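The following page is an added example, not code from the original page or from CDOLive: it carries the Common Steps above through in one routine, forcing the logon dialog, refusing Basic authentication on a connection without SSL, creating the MAPI.Session, building the dynamic profile for either access method and trapping a failed Logon instead of letting ASP report ASP0115. The function name GetMapiSession, the Session variable objMapiSession and the Application variables for organization, site and server are this example's own assumptions, as is the mapping of the NT user name to the mailbox alias.

```vbscript
<%
Response.Buffer = True   ' must precede any output so the status can still change

' Assumed application variables (for example set in Global.asa):
'   Application("Enterprise")     = "Contoso"       ' organization  (/o=)
'   Application("Site")           = "Headquarters"  ' site          (/ou=)
'   Application("ExchangeServer") = "EXCHSRV01"     ' Exchange server name

' Returns a logged-on CDO 1.x session. On failure it sends an error response
' and ends the page, so the caller never receives an unusable object.
Function GetMapiSession(blnAllowAnonymous)
    Dim strAuthType, strLogonUser, strMailbox, strProfileInfo, objSession
    Set GetMapiSession = Nothing

    strAuthType = UCase(Request.ServerVariables("AUTH_TYPE"))

    ' Step 1: a mailbox is needed but the request is anonymous: make the
    ' browser show the NT logon dialog and retry with credentials.
    If Len(strAuthType) = 0 And Not blnAllowAnonymous Then
        Response.Status = "401 Unauthorized"
        Response.AddHeader "WWW-Authenticate", "Basic realm=""Exchange"""
        Response.End
    End If

    ' Step 2: Basic carries the password Base 64 encoded, i.e. readable by
    ' anyone on the wire. Accept it only when the request came in over SSL.
    If strAuthType = "BASIC" And UCase(Request.ServerVariables("HTTPS")) <> "ON" Then
        Response.Status = "403 Forbidden"
        Response.Write "Basic authentication is only accepted over SSL."
        Response.End
    End If

    ' Step 3: create the CDO 1.x session on the server, tracked by ASP.
    Set objSession = Server.CreateObject("MAPI.Session")

    ' Step 4: build the dynamic profile for anonymous or authenticated logon.
    If Len(strAuthType) = 0 Then
        strProfileInfo = "/o=" & Application("Enterprise") & "/ou=" & Application("Site") & _
                         "/cn=Configuration/cn=Servers/cn=" & Application("ExchangeServer") & _
                         vbLf & "anon" & vbLf & "anon"
    Else
        ' LOGON_USER is DOMAIN\UserID. The mailbox alias is assumed to equal the
        ' NT user name, a common but not universal mapping (see Tips and Tricks
        ' for obtaining the alias from the directory instead).
        strLogonUser = Request.ServerVariables("LOGON_USER")
        strMailbox = Mid(strLogonUser, InStr(strLogonUser, "\") + 1)
        strProfileInfo = Application("ExchangeServer") & vbLf & strMailbox
    End If

    ' Step 5: log on and trap MAPI failures. Typical causes are an account
    ' without rights on the mailbox, or NTLM used with Exchange on another
    ' machine (the double hop), which surfaces as a plain ASP0115 otherwise.
    On Error Resume Next
    objSession.Logon "", "", False, True, 0, True, strProfileInfo
    If Err.Number <> 0 Then
        Response.Status = "403 Forbidden"
        Response.Write "Logon to Exchange failed: " & Server.HTMLEncode(Err.Description)
        Err.Clear
        On Error GoTo 0
        Set objSession = Nothing
        Response.End
    End If
    On Error GoTo 0

    ' Keep the session so that Session_OnEnd in Global.asa can log it off.
    Set Session("objMapiSession") = objSession
    Set GetMapiSession = objSession
End Function

Dim objMapiSession
Set objMapiSession = GetMapiSession(False)   ' False: a mailbox is required
Response.Write "Logged on as " & Server.HTMLEncode(objMapiSession.CurrentUser.Name)
%>
```

Pass True to GetMapiSession for pages that only read Public Folders or the Global Address List, so that an anonymous request is logged on with the "anon" profile instead of being challenged.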