
Microsoft Exchange Outlook Web App – Restricting Users By Location (IP Subnet) & Group

The powers that be decided that we need to be more secure and most of our users should not be working remotely without permission, and that includes just checking email. So I had to devise a way to make this happen. I found a script somewhere online that seemed to provide such a restriction. The file to be changed is

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\forms\startpage.aspx
 
Of course, this is for Exchange 2010. I assume this would be similar in later versions of Exchange, but I cannot confirm. One caveat: Exchange update rollups replace the files under ClientAccess\Owa, so an edit like this has to be re-applied after each rollup.
 
This is my first iteration:
 
<%
	// First iteration, with two fixes to the snippet as posted: StartsWith()
	// instead of Substring(0, 8), which throws on addresses shorter than eight
	// characters (e.g. "::1" or "1.2.3.4"), and Response.End() so the denial
	// actually stops the rest of the page from rendering.
	string strIP = Request.ServerVariables["REMOTE_ADDR"];

	if(strIP == null || !strIP.StartsWith("192.168."))
	{
		// This is the identity IIS ran the request as, not the mailbox user
		// who logged on to OWA (which is why the group test below fails).
		System.Security.Principal.WindowsIdentity oUser = Request.LogonUserIdentity;
		System.Security.Principal.WindowsPrincipal oPrincipal = new System.Security.Principal.WindowsPrincipal(oUser);

		if(!oPrincipal.IsInRole("Domain Users"))
		{
			Response.Write("Sorry, you are not allowed to access OWA from this location: " + strIP);
			Response.End();
		}
	}
%>

However, this did not work when I tried to restrict the user to group “pridedallas.com\Outlook Web Access - Remote” – no user had access.

After much effort, I discovered that LogonUserIdentity is the Exchange service name, not the actual user name. So I modified it to this, which works great!

<%
	string strIP = Request.ServerVariables["REMOTE_ADDR"];

	// StartsWith() rather than Substring(0, 8), which throws on short addresses.
	if(strIP == null || !strIP.StartsWith("192.168."))
	{
		// REMOTE_USER carries the authenticated OWA user as DOMAIN\user. It is
		// null when the request was not authenticated, so fail closed on that.
		string strUser = Request.ServerVariables["REMOTE_USER"];
		if(strUser == null)
		{
			Response.Write("Sorry, you are not allowed to access PRIDE email remotely (" + strIP + ").");
			Response.End();
		}
		strUser = strUser.ToUpper();

		// Strip the DOMAIN\ prefix, leaving the bare account name.
		int p = strUser.IndexOf("\\");
		if(p != -1)
			strUser = strUser.Substring(p + 1);

		// (A debugging Response.Write(strUser) sat here in the posted version;
		// it echoed the account name into every remote page, so it is gone.)

		// The UPN constructor builds an identification token for the named
		// user through Kerberos S4U (the CAS must be domain-joined); group
		// membership is then evaluated against that token.
		System.Security.Principal.WindowsIdentity oUser = new System.Security.Principal.WindowsIdentity(strUser + "@pridedallas.com");
		System.Security.Principal.WindowsPrincipal oPrincipal = new System.Security.Principal.WindowsPrincipal(oUser);

		// As posted, members of this group are the ones denied. If the group
		// is meant as an allow list of remote users, negate the test (!IsInRole).
		if(oPrincipal.IsInRole("pridedallas.com\\Outlook Web Access - Remote"))
		{
			Response.Write("Sorry, you are not allowed to access PRIDE email remotely (" + strIP + ").");
			Response.End();
		}
	}
%>

Two things to keep in mind with this approach. REMOTE_ADDR is the address of the TCP peer IIS talked to: if a load balancer or reverse proxy sits in front of the Client Access server and does not preserve the client's source address, every user appears to come from the proxy and the location test is meaningless. And only startpage.aspx is gated; Exchange ActiveSync, Exchange Web Services and Outlook Anywhere live in their own virtual directories and are untouched by this edit, so remote mailbox access through a phone or Outlook needs its own controls.
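Both iterations decide "internal" with a string prefix test against "192.168.", which matches exactly the 192.168.0.0/16 range, cannot express a real subnet mask, and misses the ::ffff:192.168.x.y form IIS can report on a dual-stack host. The helper below is an added example, not code from the post: it does a proper CIDR membership check and a null-safe REMOTE_USER cleanup, sticking to older C# syntax so it can be dropped into an Exchange 2010 OWA page. The class and method names, the subnet list, and the sample addresses are this example's own assumptions; in the page the arguments would come from Request.ServerVariables["REMOTE_ADDR"] and ["REMOTE_USER"].

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example (not from the original post): CIDR-based "is this client
// internal?" check plus a null-safe REMOTE_USER cleanup. Class, method names
// and the subnet list in Main are this example's own assumptions.
public static class OwaLocationPolicy
{
    // Parses "a.b.c.d/n" (or "2001:db8::/32") into a network address and prefix length.
    private static bool TryParseCidr(string cidr, out IPAddress network, out int prefixLen)
    {
        network = null;
        prefixLen = 0;
        string[] parts = cidr.Split('/');
        if (parts.Length != 2
            || !IPAddress.TryParse(parts[0], out network)
            || !int.TryParse(parts[1], out prefixLen))
            return false;
        int maxBits = network.GetAddressBytes().Length * 8;
        return prefixLen >= 0 && prefixLen <= maxBits;
    }

    // IIS on a dual-stack host can report an IPv4 client as ::ffff:a.b.c.d;
    // unwrap that to the plain IPv4 address so it compares against IPv4 ranges.
    private static IPAddress UnmapIPv4(IPAddress addr)
    {
        byte[] b = addr.GetAddressBytes();
        if (b.Length != 16) return addr;
        for (int i = 0; i < 10; i++)
            if (b[i] != 0) return addr;
        if (b[10] != 0xFF || b[11] != 0xFF) return addr;
        return new IPAddress(new byte[] { b[12], b[13], b[14], b[15] });
    }

    // True when the first prefixLen bits of addr equal those of network.
    private static bool InSubnet(IPAddress addr, IPAddress network, int prefixLen)
    {
        byte[] a = addr.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        if (a.Length != n.Length) return false;   // IPv4 vs IPv6 never match
        int fullBytes = prefixLen / 8;
        int remBits = prefixLen % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF;
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }

    // Replacement for the StartsWith("192.168.") test. Fails closed: anything
    // missing or unparsable counts as external.
    public static bool IsInternal(string remoteAddr, IEnumerable<string> internalCidrs)
    {
        IPAddress addr;
        if (string.IsNullOrEmpty(remoteAddr) || !IPAddress.TryParse(remoteAddr, out addr))
            return false;
        addr = UnmapIPv4(addr);
        foreach (string cidr in internalCidrs)
        {
            IPAddress network;
            int prefixLen;
            if (TryParseCidr(cidr, out network, out prefixLen) && InSubnet(addr, network, prefixLen))
                return true;
        }
        return false;
    }

    // Strips a DOMAIN\ prefix from REMOTE_USER; null when IIS passed no user.
    public static string BareUserName(string remoteUser)
    {
        if (string.IsNullOrEmpty(remoteUser)) return null;
        int p = remoteUser.IndexOf('\\');
        string bare = p == -1 ? remoteUser : remoteUser.Substring(p + 1);
        return bare.ToUpperInvariant();
    }

    // Stand-alone run over constructed sample inputs (assumed LAN ranges and
    // addresses); in the OWA page the values come from Request.ServerVariables.
    public static void Main()
    {
        string[] internalNets = { "192.168.0.0/16", "10.10.0.0/22" };
        string[] samples = { "192.168.1.10", "::ffff:192.168.1.10", "10.10.3.200",
                             "10.10.4.1", "203.0.113.7", "::1", "" };
        foreach (string ip in samples)
            Console.WriteLine("{0,-22} internal={1}", ip, IsInternal(ip, internalNets));
        Console.WriteLine(BareUserName("PRIDEDALLAS\\jsmith"));
        Console.WriteLine(BareUserName(null) == null);
    }
}
```

To use it in startpage.aspx, drop Main, put the class in App_Code (or inline in a script block), and replace the StartsWith test with `!OwaLocationPolicy.IsInternal(Request.ServerVariables["REMOTE_ADDR"], internalNets)`; a null return from BareUserName is the signal to deny before touching WindowsIdentity.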