error 80070035 GetObject

Hi

Since a domain crash and subsequent rebuild, access to our intranet only works by setting authentication to basic and prompting for domain\username and password. It was set to Windows authentication. The IIS box is Win2k and IIS5; it is a member server in a w2k3 domain.

The error is error '80070035' no such path. It is from this line:

Set objUser = GetObject("WinNT://" & sdomain & "/" & sUser)

The full Global.asa is below. Any help would be appreciated. I have built a second Win 2k web server and I still get the same problem. Is this something to do with rights to the ADSI? Is this something I need to turn on in AD or on the domain controllers? Even the domain admin gets the same error.


Any help would be appreciated

Regards

Gazman


<!-- METADATA
TYPE="typelib"
FILE="C:\Program Files\Common Files\System\ADO\msado20.tlb"
-->

<Script Language="VBScript" Runat="server">

Sub Application_OnStart
    ' Set our user count to 0 when we start the server
    Application("ActiveUsers") = 0
End Sub

Sub Session_OnStart
    ' Change Session Timeout to 20 minutes (if you need to)
    Session.Timeout = 10

    ' Set a Session Start Time
    ' This is only important to assure we start a session
    Session("Start") = Now

    ' Increase the active visitors count when we start the session
    Application.Lock
    Application("ActiveUsers") = Application("ActiveUsers") + 1
    Application.UnLock

    '--------- Get user ID & set date/format to UK
    DIM LogUser, slp
    LogUser = Request.ServerVariables ("Logon_User")
    slp = InStr (LogUser,"\")
    Session("WhoAmI") = Mid(LogUser, slp+1) 'user name
    Session.LCID = 2057 'UK date

    '--------- Get Full Name & First Name
    DIM sFullUser, iPos, sDomain, sUser, objUser, PreFirstName, varFullName
    sFullUser = trim(Request.ServerVariables ("LOGON_USER"))
    if len(sFullUser) = 0 then
        Response.Write "."
        Response.End
    End if

    iPos = InStr(sFullUser, "\")
    sDomain = Left(sFullUser, iPos - 1)
    sUser = Mid(sFullUser, iPos + 1)

    Set objUser = GetObject("WinNT://" & sDomain & "/" & sUser)
    Session("FullName") = objUser.Fullname
    varFullName = objUser.Fullname
    PreFirstName = Instr(varFullName, " ")
    Session("FirstName") = Trim(Left(varFullName, PreFirstName))
End Sub

Sub Session_OnEnd
    ' Decrease the active visitors count when the session ends.
    Application.Lock
    Application("ActiveUsers") = Application("ActiveUsers") - 1
    Application.UnLock
End Sub

</script>
0
Liontv
Asked:
 
NovoNordiskCommented:
Do a response.write for sdomain and sUser so that you can see if the values are correct:

response.write "sDomain: " &sDomain
response.write "<br>sUser: " &sUser
response.end

If the values are incorrect or empty then that explains your error message.
0
 
LiontvAuthor Commented:
Thanks, I tried this and the values are correct. I have also tried entering these entries manually into the Set objUser = GetObject("WinNT://" & sDomain & "/" & sUser) but I still get the same error.

I believe it may be that I don't have the rights to make the ADSI query. Could this be the case?
0
 
SimonBlakeCommented:
Hi - If you are going to query a domain, then you will need to change the IIS user account the page is running under to an active domain account. It could be when you lost the domain, this link was broken. The IUSR_ account on your server will not have permissions to query it so ask your admin to either create you an account or re-enter the user/password if you already had that link in place and it should then be sorted.

Simon
0
 
LiontvAuthor Commented:
Sounds great Simon, I think I am finally on the right track!

Where do I change this though? Is this the anonymous user account setting in the directory security properties, or is it somewhere else? I did try this and it did not seem to work. I am the admin so I will test with the domain admin and then create an account for this purpose once I get it working.

Gazman
0
 
NovoNordiskCommented:
Liontv,

I agree with Simon - that would have been my next suggestion in fact!  To change the account which the page is running with go into the IIS admin tool on the server - expand your website - find your asp page - right click it and go to properties - if memory serves right choose the security tab - change the account that is being used for anonymous access to be domain\adminaccount - confirm the password twice - make sure basic & integrated authentication are unticked and anonymous is ticked - this makes sure that the page will run under the anonymous account which you have specified as your admin account.  Start and restart IIS and try again - let me know the outcome!!
0
 
SimonBlakeCommented:
Thanks Novo, I didn't have IIS in front of me at the time to point the right path, but I had a similar problem about 18 months ago when I wrote some admin pages for enabling users to use MS Live Comms Server, and the NT Support team didn't want to give the front line helpdesk access at that level to AD admin programs, so we created a special user in the AD with just the right permissions and it worked a treat...

Simon
0
 
LiontvAuthor Commented:
Thanks guys , The plot thickens

The original error occurs when I try to use Windows Authentication. If I switch to anonymous with the IUSR or the Admin account, the error goes away and a full stop appears in the top right corner. I'm not sure which page I am at as it does not show up in the address bar, but if I view the source I get the below.

The only way I can get the site to work is if I use basic authentication and users log in manually.

If you use Windows authentication, is the IUSR account still used to run the script? Is this set somewhere else, and can this be changed?

regards

Gazman

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Lion Online - Lion Television's Intranet</title>
<link rel="stylesheet" type="text/css" href="/lion_main.css">
<!-- Important information redirect page -->



</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" summary="" width="100%" height="100%">
<!-- Top Border -->
  <tr valign="top" height="1">
        <td colspan="4">.
0
 
NovoNordiskCommented:
Hmmm thinking about this - if the page is running under anonymous access then you are not going to get the other variables that you need such as the username as it will come up as domain\anonymous_user.

So your site is running with windows authentication right?? Im confused now as to what is running and with what credentials!?
0
 
LiontvAuthor Commented:
The site will run with basic authentication but then you are prompted for domain\user & password.  This is how the live site is running but users are complaining and I would like to fix it. I want to move it to a new server which I have built and have a copy running the problem is  duplicated so I am keen to fix it prior to me moving the users over.

If I set it to windows authentication I get the error '80070035' accessing the site logged on with the domain admin rights.

For the moment everyone has full NTFS rights to the web folders on the server.

If I set it to anonymous users I get the blank page as described in my last post.

Ideally I would like it to run with windows authentication


Thanks

Gazman




0
 
NovoNordiskCommented:
Sorry its been a while since I replied.

OK so let's start again - set IIS to use integrated authentication - untick the anonymous access and the basic authentication - put on error resume next in your code just before the line that gives you an error - this should at least get your site running even though you may not be detecting the user's full name.  I think it's a better idea to play around with a separate asp page to troubleshoot rather than global.asa which could affect the whole of your site.

Create a separate asp page in the root of your web and put the following code:

<%
   
strDomain = "yourdomain"
struser = "yourusername"
Dim User
Set User = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
Response.write User.Fullname

%>

Let me know what happens.
0
 
LiontvAuthor Commented:
Thanks

I tried the error resume next and this just caused the user to be prompted for their credentials.

I have run your script as suggested and got the following error

Microsoft VBScript runtime error '800a0046'

Permission denied: 'GetObject'

/gazman.asp, line 6


regards


Gary

0
 
NovoNordiskCommented:
I cant understand why you are still being prompted for a username and password - is integrated authentication the only box that is ticked?  Are you changing the authentication on the whole site or are you changing it per page??  I think the first thing we need to do is find out why integrated authentication is not working - please check in IIS that the whole site is using integrated authentication - also in IIS right click global.asa and check that as well.
0
 
LiontvAuthor Commented:
Yes integrated authentication is set on the whole site and I checked the global.asa and it is inheriting this also .

0
 
NovoNordiskCommented:
OK next step - rename global.asa to global.old - let's see if it's something in there that is causing the prompt for the username and password
0
 
LiontvAuthor Commented:
Sorry no difference
0
 
NovoNordiskCommented:
So its something to do with your site set up - Can you tell me what settings are applied on the "home directory" tab in IIS?
0
 
LiontvAuthor Commented:
It's set as follows

A directory located on this computer

Rights are read, log visits and index this resource ( though selecting all rights makes no difference)

Application Name : Default Application

Execute Permissions : Scripts Only

Application Protection : Medium Pooled


0
 
NovoNordiskCommented:
OK - can you also look at the NTFS permissions on the folder that contains your website?  Make sure that everyone has at least read & execute rights and make sure the folders below have inherited the correct rights
0
 
LiontvAuthor Commented:
Yes permissions are correct everyone has full rights I will tighten them up once we solve this issue

I still think this is an issue with the user not being able to make requests of ADSI. Is this something that needs to be turned on at the domain controller? I have been searching for this but to no avail.

0
 
NovoNordiskCommented:
But we essentially stopped running the ADSI code - you renamed the global.asa file so that code was not running yet you were still prompted for credentials!?
0
 
SimonBlakeCommented:
I'm still keeping an eye on this one... Liontv, when the domain went down was this server specifically dropped from and then re-added to the domain. I've seen cases where domain changes can break the "auto" authentication that happens with IIS only when it's using integrated auth and this is the best method to get it re-established.

Simon.
0
 
LiontvAuthor Commented:
Yes, that's correct. Something I have changed today has now started requesting login credentials under Authenticated login, as it was just failing on the GetObject request. I will review everything I have done and let you know.

0
 
LiontvAuthor Commented:
The domain was recreated and the server was removed and then added to the new domain; that's when the authentication issues started. But I have built a 2nd 2k server from scratch as I thought the original one may have been corrupted by the domain crash. I copied the web site to the new server and the same issues apply. So I believed it was a script problem.

I have been doing all the testing on this second server, which I will make live once we have resolved this; then I will decommission the original server.
0
 
NovoNordiskCommented:
I think this is all to do with a trust issue between your server and the DC.  I'm not a server expert by any means but you are having 2 problems, both of which are security related - 1.  Your logged on credentials are not being passed through and 2.  You are getting a permission denied error when running your ADSI code.  Are you testing this page actually from the webserver itself??  If so I would suggest testing it from a client as a standard user.
0
 
NovoNordiskCommented:
Check on a client machine - is your intranet a trusted zone?
0
 
SimonBlakeCommented:
Novo - I agree, there is definitely a trust issue here somewhere; it could be that the client machines need to be removed and added back to the domain as well as the server.

Liontv - You will also have to make sure the address is in local intranet and trusted sites at least, I believe, as well.

Simon
0
 
LiontvAuthor Commented:
Hi Guys


I have been using about 3 different client machines, all users with domain admin access, and also a Citrix session; the server also produces the same result.

The address is in the local intranet and trusted site section of IE.

regards


Gary
0
 
NovoNordiskCommented:
Are you accessing the site from within the citrix session?
0
 
LiontvAuthor Commented:
The only way I can get the site to work is if I use basic authentication and users log in manually.

This is the case from a Citrix session, a PC on the domain and the server itself. Therefore I do not believe this to be a client problem but a server issue and its rights to access ADSI.

Is this a known issue with a Windows 2000 member server querying a Windows 2003 domain?

When this worked it was in an upgraded 2000 to 2003 domain , now we are on a 2003 domain created from scratch.

regards

Gary


0
 
SimonBlakeCommented:
OK, I think we might have to go deep here to see what is going on with the HTTP headers. In particular we need to look at what is happening to the NTLM requests. To do this you will need to get hold of Fiddler, and set it up to proxy your requests to the site.

www.fiddlertool.com

Simon
0
 
LiontvAuthor Commented:
Thanks Steve

For what it's worth I have now hosted this on a 2003 server with IIS6 and I still get the same issue.

I will download the Fiddler tool and let you know

regards

Gary
0
 
LiontvAuthor Commented:
Hi Guys

I have now worked out some of this problem thanks to your help. Turns out that with anonymous and Windows authentication on and the anonymous user a domain admin, the GetObject does work OK but the script is falling over somewhere else. Fiddler helped point me in the right direction.

This part of the global.asa script is returning "." because the result of trim(Request.ServerVariables ("LOGON_USER")) is blank. Any reason? I have tried removing this part of the script but it is used further on.

I tried manually setting the value but I am not sure what it will be.

'--------- Get Full Name & First Name

DIM sFullUser, iPos, sDomain, sUser, objUser, PreFirstName, varFullName

sFullUser = trim(Request.ServerVariables ("LOGON_USER"))

if len(sFullUser) = 0 then

Response.Write "."

Response.End

End if

0
 
SimonBlakeCommented:
Basically that means the server doesn't know who the person is as they have not been authenticated... Kinda the same issue as the getobject failing really.

Simon.
0
 
LiontvAuthor Commented:
My findings are now

(Request.ServerVariables ("LOGON_USER")) - this will return a null value if used with anonymous access (http://support.microsoft.com/kb/q188717/), so set authentication to Integrated Windows only, and GetObject("WinNT://" & strDomain & "/" & strUser & ",user") fails if you do not have anonymous access with Permission denied: 'GetObject'




 

0
 
NovoNordiskCommented:
Try using  Comment from NovoNordisk

Request.ServerVariables ("REMOTE_USER")
 
0
 
NovoNordiskCommented:
oops - not sure how Comment from NovoNordisk  got there!!!
0
 
NovoNordiskCommented:
Hi sorry Ive been away hence the late reply!!  Can I just ask - is the client and/or server in the same domain as your domain controller?
0
 
LiontvAuthor Commented:
Yes, the client and server are only in one domain; there is only 1 domain.

Request.ServerVariables ("REMOTE_USER") returns null

Is there another way to find the user name, or can you switch authentication modes?


0
 
SimonBlakeCommented:
Not really, If I read this right, you are now in the position where you can switch on NT auth (only) and get the domain/user name in one dir and read this with REMOTE_USER/AUTH_USER?

In another dir, with anonymous on, but with a domain account assigned as the "executor", you can use GetObject?

If this is the case, then this is as far as you can get, and what you then need to do is transfer the data between the two using a session var. This is how we built our company wide sign on as you can't use both methods in the same "page" ... maybe even folder. Well, saying you can't - I never got them to work in the same page/folder and I tried for months and even a microsoft premier support call couldn't get a resolution.

Simon.
0
 
LiontvAuthor Commented:
Yes

(Request.ServerVariables ("LOGON_USER")) - only works with Integrated Windows authentication


GetObject("WinNT://" & strDomain & "/" & strUser & ",user") only works with anonymous access


So I need to run these commands on different pages in different folders and different sites, and pass the logon name with a session variable. Is that correct?

I am new to ASP as I am a Net Admin, so any help pointing me to references on the session variable will help.
Sorry, last time I did some heavy coding was dBase IV!!

regards

Gary





0
 
SimonBlakeCommented:
You don't need them in separate sites, only separate pages (maybe folders)

In the first page, use something like
<%
If Request.ServerVariables ("LOGON_USER") <> "" Then
    Session("UserID") = Request.ServerVariables ("LOGON_USER")
    Response.Redirect("/MyOtherFolder/GetObjectDetails.asp")
Else
    ' Unknown user...
End If
%>



GetObjectDetails.asp
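<%
Dim objSomething, userID
' Session("UserID") holds DOMAIN\user; the WinNT provider expects DOMAIN/user
userID = Replace(Session("UserID"), "\", "/")
' Set is required for object references, and the & was missing before userID
Set objSomething = GetObject("WinNT://" & userID & ",user")
%>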


Simon.
0
 
NovoNordiskCommented:
But don't forget that GetObjectDetails.asp will need to run with admin credentials to be able to interrogate the AD.  Set this page only to anon access but set the anon access account to be a "limited" admin account...
0
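A hardened take on the GetObjectDetails.asp page from the exchange above, as an added example that is not part of the original posts: it validates the DOMAIN\user value carried in Session("UserID") before building the WinNT ADsPath, and falls back to the logon name if the directory lookup fails. The helper IsValidLogon, the length limits in its pattern and the redirect target /default.asp are assumptions for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example. Assumes the Integrated-auth page stored LOGON_USER
' in Session("UserID") before redirecting here, as in the post above.

' True only for DOMAIN\user built from a conservative character set
' (NetBIOS domain up to 15 chars, account name up to 20 chars).
Function IsValidLogon(sLogon)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,15}\\[A-Za-z0-9._ -]{1,20}$"
    IsValidLogon = re.Test(sLogon)
End Function

Dim sLogon, iPos, sDomain, sUser, objUser, sFullName

' & "" turns an unset session value into an empty string
sLogon = Trim(Session("UserID") & "")

' Refuse to query the directory unless the first page authenticated
' the caller and the value has the expected shape.
If Not IsValidLogon(sLogon) Then
    Response.Status = "403 Forbidden"
    Response.Write "No authenticated user in session."
    Response.End
End If

iPos = InStr(sLogon, "\")
sDomain = Left(sLogon, iPos - 1)
sUser = Mid(sLogon, iPos + 1)

' This page runs as the anonymous-access account, which needs only
' enough rights to read user objects in the domain.
On Error Resume Next
Set objUser = GetObject("WinNT://" & sDomain & "/" & sUser & ",user")
If Err.Number = 0 Then sFullName = objUser.FullName
' Lookup failed or no full name set: fall back to the logon name
If Err.Number <> 0 Or Len(sFullName) = 0 Then sFullName = sUser
Err.Clear
On Error GoTo 0
Set objUser = Nothing

Session("FullName") = sFullName

' First name is everything before the first space, if there is one
iPos = InStr(sFullName, " ")
If iPos > 0 Then
    Session("FirstName") = Left(sFullName, iPos - 1)
Else
    Session("FirstName") = sFullName
End If

' Hypothetical landing page
Response.Redirect "/default.asp"
%>
```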
 
SimonBlakeCommented:
I thought this was solved - Novo and I spent quite some time on this... 50/50 pt split?
0
 
WMIFCommented:
SimonBlake, maybe i am just flat out missing it, but i dont see any resolution above.  can you point it out to me?
0
 
SimonBlakeCommented:
Comment from Liontv
Date: 06/13/2006 09:54AM BST

shows that GetObject works, further advice supplied on how to use it with server.variable from there on. I'm not that worried about the pts tho but can't speak for NovoNordisk!!!!
0
 
LiontvAuthor Commented:
I'm happy that this was solved with the last comment
0
 
NovoNordiskCommented:
Im happy with whatever is decided
0
 
WMIFCommented:
>>I'm happy that this was solved with the last comment

please take action and accept the answer(s) that helped you.
0
