Liontv
asked on
error 80070035 GetObject
Hi
Since a domain crash and subsequent rebuild, access to our intranet only works by setting authentication to basic and prompting for domain\username and password. It was set to Windows authentication. The IIS box is Win2k and IIS5; it is a member server in a w2k3 domain.
The error is error '80070035' no such path; it is from this line:
Set objUser = GetObject("WinNT://" & sdomain & "/" & sUser)
The full Global.asa is below, any help would be appreciated. I have built a second Win 2k web server and I still get the same problem. Is this something to do with rights to the ADSI? Is this something I need to turn on in AD or on the domain controllers? Even the domain admin gets the same error.
Any help would be appreciated
Regards
Gazman
<!-- METADATA
TYPE="typelib"
FILE="C:\Program Files\Common Files\System\ADO\msado20.tlb"
-->
<Script Language="VBScript" Runat="server">
Sub Application_OnStart
' Set our user count to 0 when we start the server
Application("ActiveUsers") = 0
End Sub
Sub Session_OnStart
' Change Session Timeout to 20 minutes (if you need to)
Session.Timeout = 10
' Set a Session Start Time
' This is only important to assure we start a session
Session("Start") = Now
' Increase the active visitors count when we start the session
Application.Lock
Application("ActiveUsers") = Application("ActiveUsers") + 1
Application.UnLock
'--------- Get user ID & set date/format to UK
DIM LogUser, slp
LogUser = Request.ServerVariables ("Logon_User")
slp = InStr (LogUser,"\")
Session("WhoAmI") = Mid(LogUser, slp+1) 'user name
Session.LCID = 2057 'UK date
'--------- Get Full Name & First Name
DIM sFullUser, iPos, sDomain, sUser, objUser, PreFirstName, varFullName
sFullUser = trim(Request.ServerVariables ("LOGON_USER"))
if len(sFullUser) = 0 then
Response.Write "."
Response.End
End if
iPos = InStr(sFullUser, "\")
sDomain = Left(sFullUser, iPos - 1)
sUser = Mid(sFullUser, iPos + 1)
Set objUser = GetObject("WinNT://" & sDomain & "/" & sUser)
Session("FullName") = objUser.Fullname
varFullName = objUser.Fullname
PreFirstName = Instr(varFullName, " ")
Session("FirstName") = Trim(Left(varFullName, PreFirstName))
End Sub
Sub Session_OnEnd
' Decrease the active visitors count when the session ends.
Application.Lock
Application("ActiveUsers") = Application("ActiveUsers") - 1
Application.UnLock
End Sub
</script>
ASKER
Thanks, I tried this and the values are correct. I have also tried entering these entries manually into the Set objUser = GetObject("WinNT://" & sDomain & "/" & sUser) but I still get the same error.
I believe it may be that I don't have the rights to make the ADSI query. Could this be the case?
Hi - If you are going to query a domain, then you will need to change the IIS user account the page is running under to an active domain account. It could be when you lost the domain, this link was broken. The IUSR_ account on your server will not have permissions to query it so ask your admin to either create you an account or re-enter the user/password if you already had that link in place and it should then be sorted.
Simon
ASKER
Sounds great Simon, I think I am finally on the right track!
Where do I change this though? Is this the anonymous user account setting in the directory security properties or is it somewhere else? I did try this and it did not seem to work. I am the admin so I will test with the domain admin and then create an account for this purpose once I get it working.
Gazman
Liontv,
I agree with Simon - that would have been my next suggestion in fact! To change the account which the page is running with go into the IIS admin tool on the server - expand your website - find your asp page - right click it and go to properties - if memory serves right choose the security tab - change the account that is being used for anonymous access to be domain\adminaccount - confirm the password twice - make sure basic & integrated authentication are unticked and anonymous is ticked - this makes sure that the page will run under the anonymous account which you have specified as your admin account. Start and restart IIS and try again - let me know the outcome!!
Thanks Novo, I didn't have IIS in front of me at the time to point the right path but I had a similar problem about 18 months ago when I wrote some admin pages for enabling users to use MS Live Comms Server, and the NT Support team didn't want to give the front line helpdesk access at that level to AD admin programs so we created a special user in the AD with just the right permissions and it worked treat...
Simon
ASKER
Thanks guys , The plot thickens
The original error occurs when I try to use Windows Authentication. If I switch to anonymous with the IUSR or the Admin account the error goes away and a full stop appears in the top right corner. I'm not sure which page I am at as it does not show up in the address bar, but if I view the source I get the below.
The only way I can get the site to work is if I use basic authentication and users log in manually.
If you use windows authentication is the iUSR account still used to run the script and is this set somewhere else can this be changed ?
regards
Gazman
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Lion Online - Lion Television's Intranet</title>
<link rel="stylesheet" type="text/css" href="/lion_main.css">
<!-- Important information redirect page -->
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" summary="" width="100%" height="100%">
<!-- Top Border -->
<tr valign="top" height="1">
<td colspan="4">.
Hmmm thinking about this - if the page is running under anonymous access then you are not going to get the other variables that you need such as the username as it will come up as domain\anonymous_user.
So your site is running with Windows authentication, right? I'm confused now as to what is running and with what credentials!?
ASKER
The site will run with basic authentication but then you are prompted for domain\user & password. This is how the live site is running but users are complaining and I would like to fix it. I want to move it to a new server which I have built and have a copy running the problem is duplicated so I am keen to fix it prior to me moving the users over.
If I set it to windows authentication I get the error '80070035' accessing the site logged on with the domain admin rights.
For the moment everyone has full NTFS rights to the web folders on the server.
If I set it to anonymous users I get the blank page as described in my last post.
Ideally I would like it to run with windows authentication
Thanks
Gazman
Sorry it's been a while since I replied.
OK so let's start again - set IIS to use integrated authentication - untick the anonymous access and the basic authentication - put on error resume next in your code just before the line that gives you an error - this should at least get your site running even though you may not be detecting the user's full name. I think it's a better idea to play around with a separate asp page to troubleshoot rather than global.asa which could affect the whole of your site.
Create a separate asp page in the root of your web and put the following code:
<%
strDomain = "yourdomain"
struser = "yourusername"
Dim User
Set User = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
Response.write User.Fullname
%>
Let me know what happens.
ASKER
Thanks
I tried the error resume next and this just caused the user to be prompted for their credentials.
I have run your script as suggested and got the following error
Microsoft VBScript runtime error '800a0046'
Permission denied: 'GetObject'
/gazman.asp, line 6
regards
Gary
I can't understand why you are still being prompted for a username and password - is integrated authentication the only box that is ticked? Are you changing the authentication on the whole site or are you changing it per page? I think the first thing we need to do is find out why integrated authentication is not working - please check in IIS that the whole site is using integrated authentication - also in IIS right click global.asa and check that as well.
ASKER
Yes integrated authentication is set on the whole site and I checked the global.asa and it is inheriting this also .
OK next step - rename global.asa to global.old - let's see if it's something in there that is causing the prompt for the username and password
ASKER
Sorry no difference
So it's something to do with your site set up - Can you tell me what settings are applied on the "home directory" tab in IIS?
ASKER
It's set as follows
A directory located on this computer
Rights are read, log visits and index this resource ( though selecting all rights makes no difference)
Application Name : Default Application
Execute Permissions : Scripts Only
Application Protection : Medium Pooled
OK - can you also look at the NTFS permissions on the folder that contains your website? Make sure that everyone has at least read & execute rights and make sure the folders below have inherited the correct rights
ASKER
Yes permissions are correct everyone has full rights I will tighten them up once we solve this issue
I still think this is an issue with the user not being able to make requests of ADSI. Is this something that needs to be turned on at the domain controller? I have been searching for this but to no avail.
But we essentially stopped running the ADSI code - you renamed the global.asa file so that code was not running yet you were still prompted for credentials!?
I'm still keeping an eye on this one... Liontv, when the domain went down was this server specifically dropped from and then re-added to the domain. I've seen cases where domain changes can break the "auto" authentication that happens with IIS only when it's using integrated auth and this is the best method to get it re-established.
Simon.
ASKER
yes that's right correct , something I have changed today has started now requesting login credentials under Authenticated login as it was just failing on the getobject request . I will review everything I have done and let you know
ASKER
The domain was recreated and the server was removed and then added to the new domain, that's when the authentication issues started. But I have built a 2nd 2k server from scratch as I thought the original one may have been corrupted by the domain crash. I copied the web site to the new server and the same issues apply. So I believed it was a script problem.
I have been doing all the testing on this second server, which I will make live once we have resolved this; then I will decommission the original server.
I think this is all to do with a trust issue between your server and the DC. I'm not a server expert by any means but you are having 2 problems both of which are security related - 1. Your logged on credentials are not being passed through and 2. You are getting a permission denied error when running your ADSI code. Are you testing this page actually from the webserver itself? If so I would suggest testing it from a client as a standard user.
Check on a client machine - is your intranet a trusted zone?
Novo - I agree, there is definitely a trust issue here somewhere, it could be that the client machines need to be removed and added back to the domain as well as the server.
Liontv - You will also have to make sure the address is in local intranet and trusted sites at least, I believe, as well.
Simon
ASKER
Hi Guys
I have been using about 3 different client machines all users with domain admin access and also a citrix session , also the server produces the same result.
The address is in the local intranet and trusted site section of IE
regards
Gary
Are you accessing the site from within the citrix session?
ASKER
The only way I can get the site to work is if I use basic authentication and users log in manually.
This is the case from a Citrix session, a PC on the domain and the server itself. Therefore I do not believe this to be a client problem but a server issue and its rights to access ADSI.
Is this a known issue with a windows 200 member server querying a windows 2003 domain ?
When this worked it was in an upgraded 2000 to 2003 domain , now we are on a 2003 domain created from scratch.
regards
Gary
OK, I think we might have to go deep here to see what is going on with the http headers. In particular we need to look at what is happening to the NTLM requests. To do this you will need to get hold of Fiddler, and set it up to proxy your requests to the site.
www.fiddlertool.com
Simon
ASKER
Thanks Steve
For what it's worth I have now hosted this on a 2003 server with IIS6 and I still get the same issue.
I will download the fiddlertool and let you know
regards
Gary
ASKER
Hi Guys
I have now worked out some of this problem thanks to your help. Turns out that with anonymous and windows authentication on and the anonymous user a domain admin the get object does work ok but the script is falling over somewhere else. Fiddler helped point me in the right direction.
This part of the global.asa script is returning "." because the result of trim(Request.ServerVariables ("LOGON_USER")) is blank. Any reason? I have tried removing this part of the script but it is used further on.
I tried manually setting the value but I am not sure what it will be
'--------- Get Full Name & First Name
DIM sFullUser, iPos, sDomain, sUser, objUser, PreFirstName, varFullName
sFullUser = trim(Request.ServerVariables ("LOGON_USER"))
if len(sFullUser) = 0 then
Response.Write "."
Response.End
End if
Basically that means the server doesn't know who the person is as they have not been authenticated... Kinda the same issue as the getobject failing really.
Simon.
ASKER
My findings are now
(Request.ServerVariables ("LOGON_USER")) - this will return a null value if used with anonymous access (http://support.microsoft.com/kb/q188717/), so set authentication to Integrated Windows only, and GetObject("WinNT://" & strDomain & "/" & strUser & ",user") fails if you do not have anonymous access, with Permission denied: 'GetObject'
Try using Comment from NovoNordisk
Request.ServerVariables ("REMOTE_USER")
oops - not sure how Comment from NovoNordisk got there!!!
Hi sorry I've been away hence the late reply!! Can I just ask - is the client and/or server in the same domain as your domain controller?
ASKER
yes the client and server are only in one domain there is only 1 domain
Request.ServerVariables ("REMOTE_USER") returns null
is there another way to find the user name or can you switch authentication modes ?
Not really, If I read this right, you are now in the position where you can switch on NT auth (only) and get the domain/user name in one dir and read this with REMOTE_USER/AUTH_USER?
In another dir, with anonymous on, but with a domain account assigned as the "executor", you can use GetObject?
If this is the case, then this is as far as you can get, and what you then need to do is transfer the data between the two using a session var. This is how we built our company wide sign on as you can't use both methods in the same "page" ... maybe even folder. Well, saying you can't - I never got them to work in the same page/folder and I tried for months and even a microsoft premier support call couldn't get a resolution.
Simon.
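The two-folder split described in the post above, as an added example that is not code from any poster in this thread. The paths /secure/whoami.asp and /lookup/fullname.asp are hypothetical, both folders are assumed to belong to the same ASP application (so they share Session), and the anonymous account on the second folder is assumed to be a dedicated low-privilege domain account rather than a domain admin.

```vbscript
<%
' ---- File 1: /secure/whoami.asp (hypothetical path) ----
' IIS: Integrated Windows authentication ONLY on this folder, so that
' LOGON_USER is populated (it is empty under anonymous access).
Dim sFullUser, iPos
sFullUser = Trim(Request.ServerVariables("LOGON_USER"))
iPos = InStr(sFullUser, "\")

' Fail closed when there is no authenticated user or the value is not
' in DOMAIN\user form (no backslash, leading or trailing backslash).
If Len(sFullUser) = 0 Or iPos < 2 Or iPos = Len(sFullUser) Then
    Response.Status = "403 Forbidden"
    Response.Write "No authenticated Windows user."
    Response.End
End If

' Hand the identity to the lookup page through the session.
Session("Domain") = Left(sFullUser, iPos - 1)
Session("WhoAmI") = Mid(sFullUser, iPos + 1)
Response.Redirect "/lookup/fullname.asp"
%>

<%
' ---- File 2: /lookup/fullname.asp (hypothetical path) ----
' IIS: anonymous access only; the anonymous account is a domain
' account allowed to read user objects (assumption: low-privilege).
Dim sDomain, sUser, objUser, sFullName, iSpace

sDomain = Session("Domain")
sUser = Session("WhoAmI")

' Never build the ADSI path from an empty session; do not redirect
' back to file 1 here, or a client without cookies would loop.
If Len(sDomain) = 0 Or Len(sUser) = 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "No authenticated session."
    Response.End
End If

sFullName = ""
On Error Resume Next
Set objUser = GetObject("WinNT://" & sDomain & "/" & sUser & ",user")
If Err.Number = 0 Then sFullName = objUser.FullName
If Err.Number <> 0 Then
    ' Errors seen in this thread: 80070035 (no such path) and
    ' 800a0046 (permission denied). Keep the site up without the name.
    Err.Clear
End If
On Error GoTo 0
Set objUser = Nothing

' Fall back to the logon name when the lookup fails or is blank.
If Len(sFullName) = 0 Then sFullName = sUser
Session("FullName") = sFullName

' First name is the text before the first space, or the whole name
' when there is no space (the original Left(name, 0) gave "").
iSpace = InStr(sFullName, " ")
If iSpace > 0 Then
    Session("FirstName") = Trim(Left(sFullName, iSpace))
Else
    Session("FirstName") = sFullName
End If

Response.Write Server.HTMLEncode(Session("FullName"))
%>
```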
ASKER
Yes
(Request.ServerVariables ("LOGON_USER")) - only works with Integrated Windows authentication
GetObject("WinNT://" & strDomain & "/" & strUser & ",user") only works with anonymous access
So I need to run these commands on different pages in different folders and different sites ? and pass the logon name with a session variable is that correct ?
I am new to ASP as I am a Net Admin so any help pointing me to references on the session variable will help.
Sorry last time I did some heavy coding was dbase IV !!
regards
Gary
I thought this was solved - Novo and I spent quite some time on this... 50/50 pt split?
SimonBlake, maybe I am just flat out missing it, but I don't see any resolution above. Can you point it out to me?
Comment from Liontv
Date: 06/13/2006 09:54AM BST
shows that getobject works, further advice supplied on how to use it with server.variable from there on. I'm not that worried about the pts tho but can't speak for NovoNordisk!!!!
ASKER
I'm happy that this was solved with the last comment
I'm happy with whatever is decided
>>I'm happy that this was solved with the last comment
please take action and accept the answer(s) that helped you.
response.write "sDomain: " &sDomain
response.write "<br>sUser: " &sUser
response.end
If the values are incorrect or empty then that explains your error message.