Solved

LDAP Object works on a workstation but not a server

Posted on 2008-11-03
1,065 Views
Last Modified: 2011-09-20
I am trying to access Active Directory via ADSystemInfo and an LDAP object in a classic ASP page using VBScript.  It checks the current user accessing the intranet site and pulls information accordingly.  Different pages use different information, and that's not the issue anyway.  I have the following code on my workstation (running IIS 5.1 on Windows XP Pro SP2) and on our server (running IIS 6.0 and Windows Server 2003 R2).  It works perfectly on my workstation with people hitting it from other workstations.  It doesn't work for anyone accessing it on the server.  The code and error are below:

Code:
Set ADSysInfo = CreateObject("ADSystemInfo")
Response.Write(AdSysInfo.UserName)
Set CurrentUser = GetObject("LDAP://" & AdSysInfo.UserName)
varstrLogon = CurrentUser.userPrincipalName

Error:
Microsoft VBScript runtime  error '800a01b6'
Object doesn't support this property or method: 'userPrincipalName'


As far as I can tell, IIS is set up identically on both servers, except for the differences with 6.0 and 5.1.  I am using windows authentication and not allowing anonymous login because it's an intranet site.  We have other pages running and they all work.

These lines don't work either (they break with the same error):
Response.Write("sAMAccountName = " & CurrentUser.sAMAccountName & "<br />")
Response.Write("LDAPDisplayName = " & CurrentUser.LDAPDisplayName & "<br />")
Response.Write("DisplayName = " & CurrentUser.DisplayName & "<br />")
Response.Write("AssocNTAccount = " & CurrentUser.AssocNTAccount & "<br />")

These lines don't break, but they don't return any value:
Response.Write("AssociatedName = " & CurrentUser.AssociatedName & "<br />")
Response.Write("AssociatedDomain = " & CurrentUser.AssociatedDomain & "<br />")

Any ideas on what to look for and why it would not work on the server, but works fine on the workstation?
Question by:CCSOFlag
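A diagnostic page for comparing the two hosts, added here as an example; it is not code from the original question. It assumes Windows authentication (anonymous access off) on the virtual directory, and it reads the attribute with Get() so that the failure surfaces as a trappable error instead of an unhandled 800a01b6.

```vbscript
' Added diagnostic page, not from the original question.  Run it on the
' workstation and on the server and compare the output line by line.
' Assumes Windows authentication (anonymous access off) on the virtual directory.
Option Explicit
On Error Resume Next

Dim adSysInfo, userDn, userObj, upn

Response.Write("<pre>")

' What IIS authenticated: NTLM or Negotiate (Kerberos), and as whom
Response.Write("AUTH_TYPE  = " & Request.ServerVariables("AUTH_TYPE") & vbCrLf)
Response.Write("LOGON_USER = " & Request.ServerVariables("LOGON_USER") & vbCrLf)

' ADSystemInfo reports the user of the security context the script runs in:
' the impersonated web user when IIS impersonates, otherwise the process identity
Err.Clear
Set adSysInfo = CreateObject("ADSystemInfo")
userDn = adSysInfo.UserName
If Err.Number <> 0 Then
    Response.Write("ADSystemInfo failed: 0x" & Hex(Err.Number) & " " & Err.Description & vbCrLf)
Else
    Response.Write("ADSystemInfo.UserName = " & userDn & vbCrLf)

    ' Bind to that DN with whatever credentials this context can present to the DC
    Err.Clear
    Set userObj = GetObject("LDAP://" & userDn)
    If Err.Number <> 0 Then
        Response.Write("Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description & vbCrLf)
    Else
        ' Get() raises an error when the attribute is not in ADSI's property
        ' cache, which is the condition behind 800a01b6 (438) in the question
        Err.Clear
        upn = userObj.Get("userPrincipalName")
        If Err.Number <> 0 Then
            Response.Write("Bound, but userPrincipalName unreadable: 0x" & Hex(Err.Number) & " " & Err.Description & vbCrLf)
        Else
            Response.Write("userPrincipalName = " & upn & vbCrLf)
        End If
    End If
End If

Response.Write("</pre>")
```

Compare the AUTH_TYPE line first. The server can only present the web user's identity to the domain controller for a second hop when the first hop was Kerberos (Negotiate) and the server is trusted for delegation, which is the setting Netman66 asks about later in the thread; with NTLM the bind from the server to the DC carries no network credentials for that user. A bind that fails, or one that succeeds but cannot read any attribute, therefore points at the credentials presented to the DC rather than at the ASP code itself.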
34 Comments
 
LVL 7

Expert Comment

by:bluV11t
ID: 22872094
Does it still work if you put your pc on the DMZ?
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22872108
It's all on the same network.  There's no firewall.
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22872125
Well, I should clarify there is no firewall within the network.  Outside the network there is.  All these operations are happening within the firewall.
0
 
LVL 7

Expert Comment

by:bluV11t
ID: 22874172
Hi!
Could you check the versions of adsldp.dll on your PC and the server? I think this is the dll for ADSystemInfo.
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22876764
PC = v5.1.2600.2180(xpsp_sp2_rtm.040803-2158)
Server = v5.2.3790.1830(srv03_sp1_rtm.050324-1447)
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22891783
Try this.

You will need to DIM strCurrentUser, objUser


Dim strCurrentUser, objUser
Set ADSysInfo = CreateObject("ADSystemInfo")
Response.Write(AdSysInfo.UserName)
strCurrentUser = AdSysInfo.UserName
Set objUser = GetObject("LDAP://" & strCurrentUser)   ' Set is required when assigning an object reference
varstrLogon = objUser.userPrincipalName

0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22895617
That doesn't help.  The problem isn't the code.  The problem is for some reason the object isn't recognized on W2003 Server IIS6.0 but it is on Win XP Pro IIS5.1.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22895831
Have you allowed Scripts to run in IIS6?  

Do the right Security Principals have proper rights to read and execute and run scripts through IIS?

0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22895853
Yes, scripts are allowed to run.

I'm unfamiliar with Security Principals.  What are those?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22897435
Security Principals are the user account objects in this case.

If scripts are allowed to run, do the users or does the account running the script from IIS have the right permissions to do so in IIS and on the NTFS permissions on the folder hosted in IIS.
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22898328
Yes, the accounts are all set up the same way under permissions.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22898931
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22898990
The only thing I wasn't sure of was IIS 5.0 isolation mode.  I turned it on though and it still didn't work.  I was actually trying to find some sort of comparison like that, thanks. :)  

This is crazy, I'm really at a loss.  
Are there some sort of automatic permissions granted in XP vs Server 2003 that allow the workstation to access AD but not Server 2003?  Both have Active Directory Admin stuff installed.  Forget what it's called.  In other words I can access Active Directory users and all via GUI from both the Server and my workstation.
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22900503
OK, so I have put some code in and it works.  I'm wondering why though because the new code has nothing to do with the code I had before.  Also no where have I read that it requires any sort of login to access AD with ADSystemInfo object.

New Code:
Set oRootDSE = GetObject("LDAP://RootDSE")
sDomainADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set oRootDSE = Nothing
Set oCon = Server.CreateObject("ADODB.Connection")
sUser = "<login>"
sPassword = "<password>"
oCon.Provider = "ADsDSOObject"
oCon.Open "ADProvider", sUser, sPassword
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oCon
sProperties = "name,ADsPath,description,member"
sGroup = "*"
oCmd.CommandText = "<" & sDomainADsPath & ">;(&(objectCategory=group)(name=" & sGroup & "));" & sProperties & ";subtree"
Set oRecordSet = oCmd.Execute
           
Old Code:
Set ADSysInfo = CreateObject("ADSystemInfo")
Response.Write(AdSysInfo.UserName)
Set CurrentUser = GetObject("LDAP://" & AdSysInfo.UserName)
varstrLogon = CurrentUser.userPrincipalName
My old code doesn't even use a recordset.  So any ideas on why this recordset connection is making this code work?   Is there a login I can use with my code rather than having to use this recordset mumbo jumbo?  It just seems like a bit of excessive code for such a little bit of code I'm trying to use.  

The other thing is I was goofing off in IIS trying to fix this problem, and went into the permissions wizard on my workstation and I'm not even sure what I did, but it changed the permissions and now it's not working on my workstation either unless I have this code.  Any ideas on what permission this would fall under?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22901196
I'm not as strong with IIS as you appear to be, but I'll keep helping by using what I know about server in general - so forgive any weird questions I may ask. :o)

In ADUC, on the properties of the server object is the box checked for Trust for Delegation - I think it probably should be.

Also, if you're using Anonymous web access then you must configure the directory to allow Anonymous queries.  I think the reason it worked on your workstation might have been due to Digest Authentication - which would pass your own credentials to the Directory when you hit the site.

See:  http://support.microsoft.com/kb/320528
0
 
LVL 6

Expert Comment

by:mwhitworth
ID: 22903478
Looks like a permissions issue.
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22904877
Netman66, hey I appreciate any help you give.  It's also about getting other ideas and getting pointed in other directions.

I came in to work this morning and discovered something that just throws a wrench into everything.  It didn't work on the server again.  Even WITH the code.  I'm thinking that it may be some sort of connection that gets established and stays connected for a certain amount of time which allows any LDAP queries to go through.  

This code is what I first was goofing off with a long time ago to learn about AD.  Whenever I run this code it works.  It seems once I run this code, it doesn't matter what queries I run they all work.  How long this "connection" lasts I'm not sure.  Here is the code (this is where I got that added code from before:

Dim oRootDSE, oCon, oCmd, oRecordSet
Dim sDomainADsPath, sUser, sPassword, sGroup, sProperties
Dim aDescription, aMember, iCount

' Ask the DC for the domain naming context so the base DN is not hard-coded
Set oRootDSE = GetObject("LDAP://RootDSE")
sDomainADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set oRootDSE = Nothing

' Explicit credentials: the ADsDSOObject provider binds to the directory as this account
Set oCon = Server.CreateObject("ADODB.Connection")
sUser = "summitlan\arobert"
sPassword = "9!!nimdA"

oCon.Provider = "ADsDSOObject"

oCon.Open "ADProvider", sUser, sPassword
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oCon
sProperties = "name,ADsPath,description,member"
sGroup = "*"

' ADSI search string: <base>;(filter);attribute list;scope
oCmd.CommandText = "<" & sDomainADsPath & ">;(&(objectCategory=group)(name=" & sGroup & "));" & sProperties & ";subtree"
oCmd.Properties("Page Size") = 100   ' paged results, so more than the server's result limit can be returned

Set oRecordSet = oCmd.Execute

' "LDAP://DC=example,DC=com" becomes "example.com"
Response.Write("<strong> Global Groups for the domain: " & Replace(Mid(sDomainADsPath,11), ",DC=", ".") & "</strong>")

Response.Write("<table border='1'>")
Response.Write("<tr><th>Name</th><th>ADsPath</th><th>Description</th><th>Members</th></tr>")
Response.Write("<font size=-2>")
While Not oRecordSet.EOF
    Response.Write("<tr><td>" & oRecordSet.Fields("name") & "</td>")
    Response.Write("<td>" & oRecordSet.Fields("ADsPath") & "</td>")
    ' Multi-valued attributes come back as Variant arrays, or Null when unset
    aDescription = oRecordSet.Fields("description")
    Response.Write("<td> ")
    If Not IsNull(aDescription) Then Response.Write aDescription(0)
    Response.Write("</td>")
    aMember = oRecordSet.Fields("member")
    Response.Write("<td><select size = '5'> ")
    If Not IsNull(aMember) Then
        For iCount = 0 To UBound(aMember)
            Response.Write("<option>" & aMember(iCount))
        Next
    End If
    Response.Write("</select></td></tr>")   ' close the select as well as the cell
    oRecordSet.MoveNext
Wend
Response.Write("</font>")
Response.Write("</table>")

oRecordSet.Close
oCon.Close

Set oRecordSet = Nothing
Set oCon = Nothing

I'm guessing this opens some sort of connection to the AD from this server, and then anything can use it afterwards?  Does this make sense at all?  I'm just throwing an idea out.  I really have no clue what's going on.  Any thoughts?  Ideas?


As far as the Trust for Delegation check box.  I do not have permissions to change it.  I will have to ask my boss about that.   Thanks for that info.  I'll see if we can try that and see what it does.  I am not allowing anonymous access, so that's not an issue.

I'll read through that article you linked and see if I can find anything useful.
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22904885
"Looks like a permissions issue."

Figured as much, how do you fix it efficiently?
0
 
LVL 6

Assisted Solution

by:mwhitworth
mwhitworth earned 400 total points
ID: 22905254
You're on the right path there - I'll dig up some code and show you; I have to find a script I have that does something similar.

Bottom line is that now you're explicitly using a username/password in the LDAP query.  Also note, you're calling a recordset in the first example as well, it's just being done in a different context.  Lemme find my old LDAP script I used that let users edit their AD profile online and I'll post that up here.

0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22905307
mWhitworth,
My big question about this code is why, after opening a recordset and closing it, does my end code work using a ADSystemInfo object work correctly when it's not using the recordset?

That'll be great to see your code.  Maybe I Can finally make some sense of this.  
0
 
LVL 6

Expert Comment

by:mwhitworth
ID: 22905603
Once you authenticate in a session the authentication stays.  
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22905645
Yes, exactly.  I think the article I linked to shows how to enable Anonymous connections so this should fix it; however, if there are other ways to do it without modifying the Directory then those would be the best options.

Other than that, you'll need to use credentials or use Digest Authentication alongside Anonymous to allow internal users a flow-through.

0
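The "explicit credentials" approach that mwhitworth and Netman66 describe, reduced to a few lines with IADsOpenDSObject instead of an ADODB recordset. This is an added example, not code from anyone in the thread; the service account name, where its password is loaded from and the flag choice are assumptions.

```vbscript
' Added example, not code from the thread: one authenticated bind with explicit
' credentials via IADsOpenDSObject, then ordinary attribute reads.
' The account, the password source and the flags are assumptions.
Option Explicit

' Values from ADS_AUTHENTICATION_ENUM
Const ADS_SECURE_AUTHENTICATION = 1     ' Kerberos/NTLM bind; the password is not sent in clear
Const ADS_USE_SIGNING = 64              ' integrity protection on the LDAP session
Const ADS_USE_SEALING = 128             ' encryption on the LDAP session

Dim adSysInfo, ldapNamespace, currentUser, svcUser, svcPassword, bindFlags

' A dedicated read-only account.  Keep the password in a location readable only
' by the worker process identity, not in the .asp source.  Placeholder values.
svcUser = "<domain>\<read-only service account>"
svcPassword = Application("LdapReadPassword")   ' assumed to be loaded in global.asa

bindFlags = ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING

' UserName is the DN of the security context the script runs in, as in the question
Set adSysInfo = CreateObject("ADSystemInfo")

' The bind is made as svcUser; the returned object reads attributes with those rights
Set ldapNamespace = GetObject("LDAP:")
Set currentUser = ldapNamespace.OpenDSObject("LDAP://" & adSysInfo.UserName, _
                                             svcUser, svcPassword, bindFlags)

Response.Write("userPrincipalName = " & currentUser.Get("userPrincipalName") & "<br />")
Response.Write("sAMAccountName = " & currentUser.Get("sAMAccountName") & "<br />")
```

This does the same thing as the ADsDSOObject connection in the recordset script (the provider authenticates with the user and password passed to Open) without the command and recordset plumbing. ADSI's LDAP provider reuses authenticated connections within a process, which is the probable reason the plain ADSystemInfo code began working after the recordset script had run in the same worker process, and why that effect is not reliable. The account should be able to read only the attributes the intranet needs, and any password that has been pasted into a page or a forum post should be rotated.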
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22905726
So is there an easier way to open a session between this server and the AD?  Rather than having 40 lines of code that I don't use?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22905771
Perhaps mwhitworth can explain Digest Authentication to you better than I can - and even if that's the way to go with this.

Hopefully, he comes back to us.
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22905791
I have digest authentication on both my workstation and the server already.  So I'm guessing what needs to be done is have a session created before my code, but I'm hoping there is an easier way to do that.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22906150
Is this server a domain member?

On the Web Sites folder (if you want Global coverage) Directory security>Edit (under Anonymous access and authentication control) - is the Realm box populated?

0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22906181
Yes, it's on the correct domain.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 22906274
I'm sort of out of ideas with the exception of the ADSIEdit thing - which should be an absolute last resort anyway.

If you run part of that code as yourself from the server console does it work?
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22906524
I don't know what the server console is. :(  Is that a program to run scripts?
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 800 total points
ID: 22907036
From the server - when logged on locally as Administrator.

0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22907076
I'm not sure how to run VBScript directly on the server.  I have logged on to the server and run it through the webpage, but I get the same problem.
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22907342
FYI, I'm heading out of town in a few minutes.  Won't be back until Wednesday.  So don't think I'm ignoring everyone.   I appreciate all the help so far.  
0
 
LVL 9

Author Comment

by:CCSOFlag
ID: 22940458
Alright, I'm back.  Anyone have any luck on finding a simpler way to have a session open to AD?
0
 
LVL 9

Accepted Solution

by:
CCSOFlag earned 0 total points
ID: 23006428
I guess I'll close this.  There was no real solution determined unfortunately.  I'll post if I ever figure this out.
0
