ADsDSOObject - Provider error '80040e37'

When I try to do an AD lookup I get the error:

Provider error '80040e37'
Table does not exist.

If I access the page from the server it works just fine, but if I access it from a client computer it does not work. I have tried accessing it as both administrator and a regular user from both the server and the client computer. I moved the script to another server and it works like it is supposed to. Is there some policy somewhere that would block remote sessions from this? I have provided some of the code snippets that are relevant; the page is over 500 lines of code, so I am condensing.

' First, bind to RootDSE to discover the default naming context
Set objADsRootDSE = GetObject("LDAP://RootDSE")

' Form an ADsPath string to the DN of the default naming context (the domain root)
strADsPath = "LDAP://" & objADsRootDSE.Get("DefaultNamingContext")

' Wrap the ADsPath with angle brackets to form the base string
strBase = "<" & strADsPath & ">"
' Release the ADSI object, no longer needed
Set objADsRootDSE = Nothing
' Specify the LDAP filter. First, indicate the category of objects to
' be searched (all people, not just users)
strObjects = "(objectCategory=person)"

' Strip the domain part
strName = Right(Request.ServerVariables("AUTH_USER"), Len(Request.ServerVariables("AUTH_USER")) - InStr(Request.ServerVariables("AUTH_USER"), "\"))

' Add the two filters together (each clause needs its own parentheses)
strFilter = "(&" & strObjects & "(sAMAccountName=" & strName & "))"

' Set the attributes we want the recordset to contain. We're interested in
' the common name and the ADsPath
strAttributes = "cn, adspath"

' Specify the scope (base, onelevel, subtree)
strScope = "subtree"

' Create ADO connection using the ADSI OLE DB provider
Set cnnADOConnection = Server.CreateObject("ADODB.Connection")
cnnADOConnection.Open "Provider=ADsDSOObject"

' Create ADO command object and associate it with the connection
Set cmdADOCommand = Server.CreateObject("ADODB.Command")
cmdADOCommand.ActiveConnection = cnnADOConnection

' Create the command string using the four parts
cmdADOCommand.CommandText = strBase & ";" & strFilter & ";" & strAttributes & ";" & strScope

' Execute the query for the user in the directory
Set rstADORecordset = cmdADOCommand.Execute
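
The filter-building step above, written so that the account name taken from AUTH_USER is escaped per RFC 4515 before it is placed in the LDAP filter. This is an added example, not part of the original post; the function names and the sample account names are assumptions, and it runs stand-alone under cscript.exe (in an ASP page, call BuildUserFilter with Request.ServerVariables("AUTH_USER") and drop the WScript.Echo lines).

```vbscript
Option Explicit

' Escape a value for use inside an LDAP search filter (RFC 4515).
' The backslash must be replaced first so later escapes are not doubled.
' ";" is hex-escaped as well because the ADO command text on this page
' uses ";" to separate base, filter, attributes and scope.
Function EscapeLdapFilterValue(ByVal strValue)
    Dim s
    s = Replace(strValue, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    s = Replace(s, ";", "\3b")
    EscapeLdapFilterValue = s
End Function

' Strip the "DOMAIN\" prefix; a value without a backslash is returned as is.
Function AccountNameFromAuthUser(ByVal strAuthUser)
    AccountNameFromAuthUser = Mid(strAuthUser, InStrRev(strAuthUser, "\") + 1)
End Function

' Build the person lookup filter, or return "" when there is no
' authenticated user (for example, anonymous access is enabled).
Function BuildUserFilter(ByVal strAuthUser)
    Dim strName
    strName = AccountNameFromAuthUser(Trim(strAuthUser))
    If Len(strName) = 0 Then
        BuildUserFilter = ""
    Else
        BuildUserFilter = "(&(objectCategory=person)(sAMAccountName=" & _
                          EscapeLdapFilterValue(strName) & "))"
    End If
End Function

' Constructed sample inputs (not real accounts)
WScript.Echo BuildUserFilter("CORP\jsmith")
WScript.Echo BuildUserFilter("CORP\j(smith)*")
WScript.Echo "[" & BuildUserFilter("") & "]"
```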
> How do I set the computer for delegation so I can use Integrated Authentication
> and not have to logon every time I hit the site?

Well I think you've isolated the source of your problem, so now for the solution...

I was in your exact situation a few months ago and, despite reading billions of websites and following MS's suggestions, I simply could not get delegation to work. In the end I had to upgrade the IIS machine to become a Domain Controller.

So that's a guaranteed solution, even if it ought not to be necessary.

If that's not possible then you'll have to see if you can configure the servers to use delegation. There are LOTS of websites that cover the basics of delegation but there are a couple of things that I found that aren't covered in as much depth.

Authentication issues when your host header name differs from the server's NetBIOS name:

How to configure a SPN and ensure that your web app is using NTLM:

Various Q and A's when using NTLM:

But, like I said, despite days of mucking around I couldn't get this to work. If you do manage to configure the servers for delegation then I for one would love to hear how you did it, so please post back here.

If you can't get delegation to work then I think that the only option is to make sure the IIS machine is a DC.
If your web application uses Windows Integrated authentication AND your webserver is NOT a domain controller then I suspect that you've encountered the known 'delegation' limitation of Windows Integrated authentication.

For various technical reasons (that I won't bother describing here) IIS is unable to pass on end-user credentials to other machines when using Windows Integrated authentication. In the situation that I describe above (i.e. you're using Windows Integrated auth AND the IIS box is not a domain controller) IIS would be unable to access the AD because it must access this on another machine (i.e. a domain controller).

But this limitation doesn't exist (again, for technical reasons that I won't go into here) if you access your web app directly on the IIS machine.

You mentioned that your ASP page works when accessing it directly on the server, and this is what made me think that you have a 'delegation' issue.

So my questions are: Are you using Windows Integrated authentication? Is the IIS machine a domain controller?
icfire (Author) commented:
Yes, I am using Windows Integrated Authentication, and no, the computer is not a DC. If I switch to basic authentication and put in my logon credentials every time I access the site then it works fine. How do I set the computer for delegation so I can use Integrated Authentication and not have to log on every time I hit the site?

icfire (Author) commented:
Sorry about that. The steps did work; I was just impatient for the changes to get migrated across the domain. I would make the changes and then try it and expect it to work, when in reality I should have made the changes, waited for the domain replication to happen, and then tried it. It was a patience thing for me.
Question has a verified solution.
