Discussion:
ASP (classic) LDAP query failing domain controller upgraded to 200
asapjim
2006-01-08 17:56:02 UTC
Hi, I’ve seen this problem posted many times but have yet to find a solution
or suggestion that has been of sufficient help to resolve my situation. We
have a routine on our ASP (classic) intranet site that we were using to check
if a user was a member of a group. The implementation was working until we
upgraded the domain controller to Windows Server 2003. Now the
implementation fails.

Our ASP (classic) intranet site is running on Windows 2000 server, IIS5.
The IIS directory security settings -> Authentication Methods has Integrated
Windows Authentication selected (all other options are deselected). We tried
upgrading the web server to Windows 2003 IIS6 but it still fails.

When I execute the code sample I get the following error:
Error opening recordset -2147217865 Table does not exist.

However, the code does execute properly on my local Windows 2000
Professional machine running IIS5. Can you suggest any changes to the code?
Any changes to our IIS configuration or domain controller?

Here’s a sample of the code that is failing:

<%
Dim rootDSE
Dim sObjectDN
Dim suser
Dim ors
Dim sProperties
Dim i
Dim arr

on error resume next 'for testing only to trap the error

'Get the logged on user name
sUser = LCase(Request.ServerVariables("LOGON_USER"))

if Instr(sUser, "\") > 0 then
    sUser = Trim(Mid(sUser, Instr(sUser, "\") + 1))
end if

sProperties = "memberof" 'comma delimited list of fields to return
'get the root data for the connection
Set rootDSE = GetObject("LDAP://RootDSE")
if err.number <> 0 then
    response.write "Error getting RootDSE " & err.number & "&nbsp;" & err.description & "<br>"
    response.end
end if

sObjectDN = "LDAP://" & rootDSE.Get("defaultNamingContext")

if err.number <> 0 then
    response.write "Error getting default naming context " & err.number & "&nbsp;" & err.description & "<br>"
    response.end
end if

'set up the connection
Set oCon = Server.CreateObject("ADODB.Connection")
oCon.Provider = "ADsDSOObject"
oCon.Open "ADProvider"

if err.number <> 0 then
    response.write "Error opening connection " & err.number & "&nbsp;" & err.description & "<br>"
    response.end
end if

'set up the command object
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oCon
oCmd.CommandText = "<" & sObjectDN & ">;(&(objectCategory=user)(sAMAccountName=" & sUser & "));" & sProperties & ";subtree"

set ors = oCmd.execute
if err.number <> 0 then
    '****This is where it fails
    response.write "Error opening recordset " & err.number & "&nbsp;" & err.description & "<br>"
    response.end
end if

if isarray(ors.fields(0).value) then
    if err.number <> 0 then
        response.write "Error testing for members array " & err.number & "&nbsp;" & err.description & "<br>"
        response.end
    end if

    arr = ors.fields(0).value
    for i = 0 to ubound(arr)
        response.write arr(i)
    next
end if
%>
Eric Vegter
2006-01-08 22:16:02 UTC
Hi,

We've seen the same thing happening. We ended up joining the servers to the
same domain and I created a read-only query account in the AD. I set the
security on the ASP page in IIS so that the anonymous account for that
website is the query user. The bottom line is I think that the DCOM security
in Windows 2003 (especially SP1) is way more secure than Windows 2000. The
ASP website would be running under an account that is a local server account,
not a domain account and will therefore not have enough access permissions to
query the AD.

To set the security: Right-click the ASP that has to access the AD, choose
Properties, click the File Security tab, press the Edit button in
Authentication and access control, enter the user credentials of an account
with the least amount of permissions necessary to do its job, press OK
twice, run iisreset /restart to make the security effective (don't know if
the iisreset is really necessary).

I hope this helps,

Rgds
Eric
--
Eric Vegter
Capgemini Outsourcing.
asapjim
2006-01-09 16:37:02 UTC
Hi Eric, we considered doing this, but since the routine is part of an include
file we would have had to configure a number of pages to use the account.
Our network admins were less than enthusiastic about this prospect.
Joe Kaplan (MVP - ADSI)
2006-01-09 02:22:59 UTC
Windows Server 2003 AD doesn't allow anonymous queries, while 2000. Your
security context in ASP is probably configured such that you are using an
account that cannot access AD or cannot be delegated properly because
Kerberos delegation is not enabled and configured correctly.

Web apps can be notoriously difficult to make work with LDAP due to the
complex security options available.

Joe K.
asapjim
2006-01-09 16:35:03 UTC
Thanks for getting back to me, Joe. Can you point me to a good guide on how
to configure ASP and/or Kerberos properly?
SergeB
2006-01-17 19:06:02 UTC
Hi,

I had the same problem when we passed from Win2000 to Win2003.
To resolve it, we created a specific user to query AD and passed it to the
connection properties. Here's an example.
<%
dim strUser, strServerName, strUserAttributs
dim strAdsiUser, strPwd
dim objConn, objRS, objCmd, strQuery, Fld

'PutArrInStr was called in the post but its definition was not included;
'this is a minimal stand-in that flattens multi-valued attributes for display.
Function PutArrInStr(v)
    Dim item, s
    If IsArray(v) Then
        For Each item In v
            s = s & Server.HTMLEncode(item & "") & "; "
        Next
        PutArrInStr = s
    ElseIf IsNull(v) Then
        PutArrInStr = ""
    Else
        PutArrInStr = Server.HTMLEncode(CStr(v))
    End If
End Function

strUser = Request.ServerVariables("AUTH_USER")
'With Integrated Windows Authentication AUTH_USER is DOMAIN\user;
'strip the domain so the value can match sAMAccountName.
If InStr(strUser, "\") > 0 Then
    strUser = Mid(strUser, InStr(strUser, "\") + 1)
End If

set objConn = CreateObject("ADODB.Connection")
set objCmd = CreateObject("ADODB.Command")
set objRS = CreateObject("ADODB.Recordset")

objConn.Provider = "ADSDSOObject"
objConn.Properties("ADSI Flag") = 1 '1 = ADS_SECURE_AUTHENTICATION

strAdsiUser = "User to query LDAP"
strPwd = "password for the User who query LDAP"

objConn.Properties("User ID") = strAdsiUser
objConn.Properties("Password") = strPwd
objConn.Properties("Encrypt Password") = true
objConn.Open "ADs Provider", strAdsiUser, strPwd

set objCmd.ActiveConnection = objConn

strServerName = "DC=???,DC=???,DC=???" 'Fill in the ??? with your server specification
'Some attributes that I look for.
strUserAttributs = "cn,mail,adspath,telephoneNumber,employeeID,sAMAccountName," & _
    "canonicalName,createTimeStamp,department,description,displayName,distinguishedName," & _
    "givenName,homeDirectory,homeDrive,info,ipPhone,l,legacyExchangeDN,logonCount,mail,mailNickname," & _
    "memberOf,msExchHomeServerName,name,physicalDeliveryOfficeName,proxyAddresses,publicDelegatesBL,scriptPath," & _
    "showInAddressBook,sn,st,streetAddress,telephoneNumber,userPrincipalName,whenCreated,wWWHomePage"

strQuery = "<LDAP://" & strServerName & ">;(&(objectCategory=person)(sAMAccountName=" & strUser & "));" & strUserAttributs & ";subtree"

objCmd.CommandText = strQuery
set objRS = objCmd.Execute

If objRS.BOF AND objRS.EOF Then
    Response.Write "Unable to retrieve information."
Else
    response.write("<br><b style=""color:black;""><u>RESULT</u></b>")
    response.write("<br><font color=""#ff0000"">Fields.Count: </font>" & objRS.Fields.Count)
    While Not objRS.EOF
        For Each Fld IN objRS.Fields
            response.write("<br><font color=""#ff0000"">" & Fld.name & ": </font>")
            response.write("<b>" & PutArrInStr(Fld.value) & "</b>")
        Next
        objRS.MoveNext
    Wend
End If
%>

Hope it will help you.

SergeB
Joe Kaplan (MVP - ADSI)
2006-01-17 22:05:06 UTC
This is another way to solve the problem (using a service account as we
say).

The solution really depends on which security context needs to execute the
query. If the authenticated user is supposed to execute it and integrated
authentication is used, then Kerberos delegation is also required.

If a service account may be used to accomplish the same goal, then either
passing hard-coded credentials as shown below or configuring the process or
impersonated thread identity as the service account should be done.
Generally, the latter are better than hard coding the credentials, but it
may not always be possible to change the security context the other way.

Joe K.
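
An added example (not code posted by anyone in the thread) of the group-membership check the original question was after, written to work with either option Joe describes: pass empty credentials to query as the process or impersonated identity, or pass a service account as in SergeB's post. It assumes a domain-joined web server; the group DN and the function names are constructed placeholders.

```vbscript
<%
' Added example, not from the thread. Function names and the group DN are placeholders.
Const ADS_SECURE_AUTHENTICATION = 1   ' same value SergeB's post sets as "ADSI Flag"

' Escape LDAP filter metacharacters (RFC 4515) before concatenating a value
' into a search filter.
Function EscapeLdapFilter(ByVal s)
    s = Replace(s, "\", "\5c")        ' backslash first, so later escapes survive
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    EscapeLdapFilter = Replace(s, Chr(0), "\00")
End Function

' Returns True only when the account is found and sGroupDN is listed in its
' memberOf attribute. Any bind or search error returns False (fail closed).
' sSvcUser = "" queries as the current process/thread identity; otherwise the
' given service-account credentials are used for the bind.
Function IsDirectMemberOf(ByVal sSam, ByVal sGroupDN, ByVal sSvcUser, ByVal sSvcPwd)
    Dim oRoot, oCon, oCmd, oRs, vGroups, i
    IsDirectMemberOf = False
    If Len(sSam) = 0 Then Exit Function      ' anonymous request: nothing to look up

    On Error Resume Next
    ' In the thread's failing setup RootDSE was still readable; only the search failed.
    Set oRoot = GetObject("LDAP://RootDSE")
    If Err.Number <> 0 Then Exit Function

    Set oCon = Server.CreateObject("ADODB.Connection")
    oCon.Provider = "ADsDSOObject"
    If Len(sSvcUser) > 0 Then
        oCon.Properties("User ID") = sSvcUser
        oCon.Properties("Password") = sSvcPwd
        oCon.Properties("Encrypt Password") = True
        oCon.Properties("ADSI Flag") = ADS_SECURE_AUTHENTICATION
    End If
    oCon.Open "ADs Provider"
    If Err.Number <> 0 Then Exit Function

    Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oCon
    oCmd.CommandText = "<LDAP://" & oRoot.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
        EscapeLdapFilter(sSam) & "));memberOf;subtree"
    Set oRs = oCmd.Execute
    If Err.Number <> 0 Then Exit Function

    ' Surface errors from here on, so a runtime error inside the comparison
    ' below cannot be mistaken for a match.
    On Error GoTo 0
    If oRs.EOF Then Exit Function             ' no such account

    vGroups = oRs.Fields("memberOf").Value    ' Null when the user has no groups
    If IsArray(vGroups) Then
        For i = LBound(vGroups) To UBound(vGroups)
            If StrComp(vGroups(i), sGroupDN, vbTextCompare) = 0 Then
                IsDirectMemberOf = True
                Exit For
            End If
        Next
    End If
    oRs.Close
    oCon.Close
End Function

' --- usage ---
Dim sUser
sUser = Request.ServerVariables("LOGON_USER")
If InStr(sUser, "\") > 0 Then sUser = Mid(sUser, InStr(sUser, "\") + 1)

' Constructed group DN. memberOf lists direct memberships only and omits the
' primary group, so nested or primary-group membership is not detected here.
If Not IsDirectMemberOf(sUser, "CN=Intranet Admins,OU=Groups,DC=example,DC=com", "", "") Then
    Response.Status = "403 Forbidden"
    Response.End
End If
%>
```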