
Troubleshooting a connection to LDAP ... 1


MojoZig

Technical User
Sep 27, 2005
61
US
I was following zcolton's troubleshooting suggestion in another post, which I respect since you start at square one:

=================This Code Works===========
Code:
<%@ Language=VBScript %>
<%
Option Explicit
Dim objADsPath,objDomain, telephonenumber, mail
%>
<html>
<head>
</head>
<body>
<%
Set objDomain = GetObject ("GC://RootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Response.Write objADsPath & "<BR>"

response.write telephonenumber&"<br>"
response.write mail&"<br>"

%>
</body>
</html>
==============End Working Code=============

The working code returns:
DC=Ocalafl,DC=org
Which is our domain information.

But when I try your next step to see if I can query:

==============Code that errors out============
Code:
<%@ Language=VBScript %>
<%
Option Explicit
Dim con,rs,Com,objADsPath,objDomain
%>
<html>
<head>
</head>
<body bgcolor="#CCCCCC">
<%
Set objDomain = GetObject ("GC://RootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText ="select department from 'GC://"+objADsPath+"' WHERE department ='*'"
Set rs = Com.Execute

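' Iterate to the end of the recordset (also safe when it is empty)
Do Until rs.EOF

' HTML-encode directory data before writing it into the page
Response.Write Server.HTMLEncode(rs("department") & "") & "<BR>"

rs.MoveNext
Loop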
rs.Close

con.Close
Set rs = Nothing
Set con = Nothing
%>
</body>
</html>
============end erroring code===========

I get the error:

=================================
Provider error '80040e37'

Table does not exist.

/phonebook/test3.asp, line 20
=================================


This is on our intranet so it's inside our network. Is it a permissions problem or is there something I'm not doing correctly?

Thank-you,
Tommy Thomas, MCP, Network+, Security+, C|EH
Senior PC/Network Specialist -::- Webmaster
City of Ocala IT Division
 
MojoZig,

It is a permission problem. Under what credentials are the pages running? I'm guessing the IUSR machine account. You need to run the pages under the credentials of a domain account that has the rights to search Active Directory. The easiest way to do this (a method I've used myself) is to create a low-security domain account - one that has read access only. In IIS, set the anonymous access to use that account.

zcolton
 
I think I put the incorrect code above, just wanted to make sure I had the code correct:
=======working code returns proper info======

Code:
<%@ Language=VBScript %>
<%
Option Explicit
Dim objADsPath,objDomain
%>
<html>
<head>
</head>
<body>
<%
Set objDomain = GetObject ("GC://RootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Response.Write objADsPath & "<BR>"
%>
</body>
</html>


==========Non working code that returns error=======

Code:
<%@ Language=VBScript %>
<%
Option Explicit
Dim con,rs,Com,objADsPath,objDomain
%>
<html>
<head>
</head>
<body bgcolor="#CCCCCC">
<%
Set objDomain = GetObject ("GC://RootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText ="select department from 'GC://"+objADsPath+"' WHERE department ='*'"
Set rs = Com.Execute

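' Iterate to the end of the recordset (also safe when it is empty)
Do Until rs.EOF

' HTML-encode directory data before writing it into the page
Response.Write Server.HTMLEncode(rs("department") & "") & "<BR>"

rs.MoveNext
Loop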
rs.Close

con.Close
Set rs = Nothing
Set con = Nothing
%>
</body>
</html>

This code returns the error:

Provider error '80040e37'
Table does not exist.
/phonebook/test3.asp, line 20

Your thoughts and comments are greatly appreciated CZ!


 
Thanks Zac! It works now! Now I can go back and check out some of the other scripts you guys have on here! I appreciate your time!

Tommy
 
zcolton: Do you mean to set a domain account in the "Anonymous Access" section?

I got the exact same problem, and "Enabled anonymous access" is currently disabled on IIS6.

Thanks for help!

Charles
 
Charles,

I created a domain user account in AD, and used the credentials of that user for the Anonymous access section in IIS, instead of the IUSR account since that account has no access to AD. Normal users should have read access to these certain fields by default I believe. (I could be wrong)

Tommy
 
Okay! So you enabled Anonymous Access in IIS6.0 and you entered DOMAIN\USER with the password.

In the Authenticated access section, do you have some options checked?
On my side, Integrated Windows Authentication is checked.

Thanks for help
 
That's correct. My site has the integrated windows authentication checked as well and no others checked there. :eek:) Fun stuff huh?

Talk to you later...

TT
 
I'm still having the same trouble, even if I am trying with my personal network administrator account, which is a member of the domain.

I've also created a standard user account to give it a test, not working.. same annoying error message.

Do you need to set the password for the FTP service too, and every other place that uses the IUSR account as its default user account?

Thanks
 
Don't forget to grant the domain user you are using for the anonymous access the necessary permissions needed to browse the folder structure of your intranet (mine is set to read and list). That one got me when I was doing it. Don't know if that's the problem or not but it was one for me. Other than that my knowledge becomes limited ... :eek:)

TT
 
Where do you grant it? We are using MMC Active Directory Users & Computers to manage users accounts. Do you need to grant permissions through MMC Active Directory Users & Computers, or through IIS6.0?

Is there a batch command to grant some additional access to a specific user?

Thank you very much
 
To all having problems:
Let's take it from the top.
What you're trying to accomplish:
Access the web pages that run the AD query with a domain account that can read the AD structure. On a standard setup, every user (in the Domain Users group) has that ability.
How to do it: 3 methods.
1) Enable anonymous access ONLY on the folder that contains these pages and configure IIS to use a domain account instead of the IUSR account. The IUSR account is a machine account, not a domain account. - I use this method.
2) Disable anonymous access and turn on Basic authentication only. This will require a domain user to enter their credentials when they access the pages. You need to make sure that the domain users have read access to that folder (NTFS security).
3) Turn on Integrated Windows authentication and disable all others. This requires the client browser to support Integrated Windows authentication, and it needs to be enabled on the client. AND the Windows user needs to be logged into the DOMAIN, not the workstation. You need to make sure that the domain users have read access to that folder (NTFS security).

Option 1 is easy to configure and is transparent to the end user.
Option 2 is easy to configure, but it is annoying to log in every time.
Option 3 could be a pain to configure, would not be useful for an Internet site (Intranet only), but it is transparent to the user.

I hope this clears up any questions that still might be out there.

zcolton
 
Thanks ZC, you rock! For your previous question Charles, I meant to simply set the folder permissions using NT Explorer, actually drill down to the folder where your site's files are and right click it and set NTFS permissions for that domain user account to have access. I don't know if that was the problem or not but it was something I forgot to do when I did it.

TT
 
Addition:
Modifying NTFS permissions on directories that are used by IIS could cause problems if not done correctly. After all else is configured, see if it works. If an Access Denied page is displayed, then you would need to make the needed changes.

Also, it isn't absolutely necessary to disable all of the authentication methods when you are choosing the one you want to use. IIS will try to use the method that is easiest for it to use. I believe MS had a kb article that listed the order that it will try but I do not remember all the details.

zcolton
 
zcolton: Option 1 is working! Thanks!

The only issue is: By activating anonymous access to a folder, Request.ServerVariables("REMOTE_USER") is now unavailable because of the anonymous access option.

Is there another way to get the username through ASP?

Thank you very much guys
 
The only way to get Request.ServerVariables("REMOTE_USER") is to have the user authenticate with their own credentials (basic or integrated).

zcolton
 
I am trying to write a page to allow a user to change the LDAP password.

I have managed to get the user information but when I try to create an LDAP user object using

set user = getobject("LDAP://" & adspath)

The statement works if I run the ASP on the IIS server, but when I run the ASP on a client PC the statement fails.

I have enabled Windows Authentication and disabled Anonymous Access. I am logged on to the server and the client using the same account.

 
john2288,
What is the exact error you are getting?

zcolton
 
zcolton,

The error I get is

2147016672 (no description)

It looks like a permissioning/security problem.

 
john2288,

It is a security problem. Verify the account used to access the page by displaying the Request.ServerVariables("REMOTE_USER") variable.

zcolton
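
A diagnostic page for the check described in the replies above, as an added example that is not part of the thread: it shows what IIS authenticated, which account the script actually runs as, and whether the thread's directory query succeeds under that account. The page itself, the helper names `Enc` and `Row`, and the use of `WScript.Network` to read the running account are assumptions, not something posted above.

```asp
<%@ Language=VBScript %>
<%
Option Explicit
' Added diagnostic example (hypothetical page); Enc and Row are illustrative helpers.
Dim net, con, cmd, rs, root, baseDN

Function Enc(v)
    ' HTML-encode everything written to the page; Null/Empty become ""
    Enc = Server.HTMLEncode(v & "")
End Function

Sub Row(label, value)
    Response.Write "<tr><td>" & Enc(label) & "</td><td>" & Enc(value) & "</td></tr>"
End Sub
%>
<html><body><table border="1">
<%
' What IIS authenticated: empty values here mean the request is anonymous
Row "AUTH_TYPE", Request.ServerVariables("AUTH_TYPE")
Row "LOGON_USER", Request.ServerVariables("LOGON_USER")
Row "REMOTE_USER", Request.ServerVariables("REMOTE_USER")

' Account the script runs as, as reported by WScript.Network
' (the configured anonymous user, or the authenticated caller)
Set net = Server.CreateObject("WScript.Network")
Row "Running as", net.UserDomain & "\" & net.UserName
Set net = Nothing

' Repeat the thread's bind and query, reporting the last error instead of aborting
On Error Resume Next
Set root = GetObject("GC://RootDSE")
baseDN = root.Get("defaultNamingContext")
Set con = Server.CreateObject("ADODB.Connection")
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = con
cmd.CommandText = "SELECT department FROM 'GC://" & baseDN & "' WHERE department='*'"
Set rs = cmd.Execute
If Err.Number <> 0 Then
    Row "Query", "FAILED 0x" & Hex(Err.Number) & " " & Err.Description
Else
    Row "Query", "OK"
    rs.Close
End If
con.Close
On Error GoTo 0
%>
</table></body></html>
```

Remove the page once the identity is confirmed, since it discloses the account name the site runs under.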
 