Solved

ADsDSOObject - Provider error '80040e37'

Posted on 2006-04-17
Last Modified: 2010-08-05
When I try to do an AD lookup I get the error:

Provider error '80040e37'
Table does not exist.

If I access the page from the server it works just fine, but if I access it from a client computer it does not work.  I have tried accessing it as both administrator and a regular user from both the server and the client computer.  I move the script to another server and it works like it is supposed to.  Is there some policy somewhere that would block remote sessions from this?  I have provided some of the code snippets that are relevant; the page is over 500 lines of code, so I am condensing.

' First, bind to RootDSE to discover the domain's default naming context
Set objADsRootDSE = GetObject("LDAP://RootDSE")

' Form an ADsPath string to the DN of the root of the Active Directory domain
strADsPath = "LDAP://" & objADsRootDSE.Get("DefaultNamingContext")

' Wrap the ADsPath with angle brackets to form the base string
strBase = "<" & strADsPath & ">"

' Release the ADSI object, no longer needed
Set objADsRootDSE = Nothing

' Specify the LDAP filter. First, indicate the category of objects to
' be searched (all people, not just users)
strObjects = "(objectCategory=person)"

' Strip the domain part (everything up to and including the backslash)
strName = Right(Request.ServerVariables("AUTH_USER"), Len(Request.ServerVariables("AUTH_USER")) - InStr(Request.ServerVariables("AUTH_USER"), "\"))

' Add the two filters together; each clause needs its own parentheses
strFilter = "(&" & strObjects & "(sAMAccountName=" & strName & "))"

' Set the attributes we want the recordset to contain.  We're interested in
' the common name and the ADsPath
strAttributes = "cn, adspath"

' Specify the scope (base, onelevel, subtree)
strScope = "subtree"

' Create ADO connection using the ADSI OLE DB provider
Set cnnADOConnection = Server.CreateObject("ADODB.Connection")
cnnADOConnection.Open "Provider=ADsDSOObject"

' Create ADO command object and associate it with the connection
Set cmdADOCommand = Server.CreateObject("ADODB.Command")
cmdADOCommand.ActiveConnection = cnnADOConnection

' Create the command string using the four parts
cmdADOCommand.CommandText = strBase & ";" & strFilter & ";" & strAttributes & ";" & strScope

' Execute the query for the user in the directory
Set rstADORecordset = cmdADOCommand.Execute
0
Question by:icfire
4 Comments
 
LVL 15

Expert Comment

by:deighc
ID: 16479005
If your web application uses Windows Integrated authentication AND your webserver is NOT a domain controller then I suspect that you've encountered the known 'delegation' limitation of Windows Integrated authentication.

For various technical reasons (that I won't bother describing here) IIS is unable to pass on end-user credentials to other machines when using Windows Integrated authentication. In the situation that I describe above (ie. you're using Windows Integrated auth AND the IIS box is not a domain controller) IIS would be unable to access the AD because it must access this on another machine (ie. a domain controller).

But this limitation doesn't exist (again, for technical reasons that I won't go into here) if you access your web app directly on the IIS machine.

You mentioned that your ASP page works when accessing it directly on the server, and this is what made me think that you have a 'delegation' issue.

So my questions are: Are you using Windows Integrated authentication? Is the IIS machine a domain controller?
0
 
LVL 2

Author Comment

by:icfire
ID: 16489238
Yes, I am using Windows Integrated Authentication, and no, the computer is not a DC.  If I switch to basic authentication and put in my logon credentials every time I access the site then it works fine.  How do I set the computer for delegation so I can use Integrated Authentication and not have to log on every time I hit the site?

0
 
LVL 15

Accepted Solution

by:
deighc earned 2000 total points
ID: 16490061
> How do I set the computer for delegation so I can use Integrated Authentication
> and not have to logon every time I hit the site?

Well I think you've isolated the source of your problem, so now for the solution...

I was in your exact situation a few months ago and, despite reading billions of websites and following MS's suggestions, I simply could not get delegation to work. In the end I had to upgrade the IIS machine to become a Domain Controller.

So that's a guaranteed solution, even if it ought not to be necessary.

If that's not possible then you'll have to see if you can configure the servers to use delegation. There are LOTS of websites that cover the basics of delegation but there are a couple of things that I found that aren't covered in as much depth.

Authentication issues when your host header name differs from the server's NetBIOS name:
http://support.microsoft.com/kb/294382/

How to configure a SPN and ensure that your web app is using NTLM:
http://support.microsoft.com/kb/215383/

Various Q and A's when using NTLM:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/

But, like I said, despite days of mucking around I couldn't get this to work. If you do manage to configure the servers for delegation then I for one would love to hear how you did it, so please post back here.

If you can't get delegation to work then I think that the only option is to make sure the IIS machine is a DC.
0
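
Added example, not part of deighc's answer or the original thread: a read-only PowerShell check of the directory-side prerequisites for delegation mentioned above (a service principal name for the site, delegation rights on the web server's account, and a user account that may be delegated). It assumes the ActiveDirectory module is installed and that the site's application pool runs under a built-in identity, so the computer account is the service account; `WEB01`, `intranet.example.com` and `jdoe` are placeholder values and the function name is hypothetical.

```powershell
# Added example: read-only checks, nothing in the directory is modified.
# Assumes the ActiveDirectory module (RSAT); the function name is hypothetical.
Import-Module ActiveDirectory

function Test-DelegationPrereq {
    param(
        [Parameter(Mandatory)] [string] $WebServer,  # IIS server's computer account
        [Parameter(Mandatory)] [string] $SiteName,   # host name users browse to
        [Parameter(Mandatory)] [string] $TestUser    # sAMAccountName of an affected user
    )

    # 1. Kerberos needs the site's name registered as an SPN on exactly one
    #    account. HOST/<name> also answers for HTTP, so both forms are searched.
    $filter = "(|(servicePrincipalName=HTTP/$SiteName)(servicePrincipalName=HOST/$SiteName))"
    $owners = @(Get-ADObject -LDAPFilter $filter -Properties sAMAccountName)
    $detail = 'not registered on any account'
    if ($owners.Count -gt 0) { $detail = ($owners | ForEach-Object { $_.sAMAccountName }) -join ', ' }
    [pscustomobject]@{ Check = "SPN for $SiteName"; Pass = ($owners.Count -eq 1); Detail = $detail }

    # 2. The web server's account must be allowed to delegate. Constrained
    #    delegation (an explicit target list) is the narrower setting;
    #    unconstrained lets the server act as the user towards any service.
    $c = Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $targets = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $detail = 'not trusted for delegation'
    if ($c.TrustedForDelegation) { $detail = 'unconstrained (any service)' }
    if ($targets.Count -gt 0)    { $detail = 'constrained to: ' + ($targets -join ', ') }
    [pscustomobject]@{
        Check  = "Delegation on $WebServer"
        Pass   = ($c.TrustedForDelegation -or $targets.Count -gt 0)
        Detail = $detail
    }

    # 3. Accounts flagged "sensitive and cannot be delegated" are never forwarded.
    $u = Get-ADUser -Identity $TestUser -Properties AccountNotDelegated
    [pscustomobject]@{
        Check  = "User $TestUser may be delegated"
        Pass   = (-not $u.AccountNotDelegated)
        Detail = "AccountNotDelegated = $($u.AccountNotDelegated)"
    }
}

# Placeholder values; replace with your own server, site name and user.
Test-DelegationPrereq -WebServer 'WEB01' -SiteName 'intranet.example.com' -TestUser 'jdoe' |
    Format-Table -AutoSize
```

The results reflect only the domain controller that answered the query, so a change made on another controller shows up here only after replication.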
 
LVL 2

Author Comment

by:icfire
ID: 16708350
Sorry about that.  The steps did work, I was just impatient for the changes to get migrated across the domain.  I would make the changes and then try it and expect it to work, when in reality I should have made the changes, waited for the domain replication to happen and then tried it.  It was a patience thing for me.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have helped a lot of people on EE with their coding sources and have enjoyed near about every minute of it. Sometimes it can get a little tedious but it is always a challenge and the one thing that I always say is:   The Exchange of informatio…
This demonstration started out as a follow up to some recently posted questions on the subject of logging in: http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28634665.html and http://www.experts-exchange.com/Programming/…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Screencast - Getting to Know the Pipeline
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question