
Thread: Classic ASP - Bind to LDAP not working

Last post 11-21-2008 11:35 PM by steve schofield. 13 replies.


  • 11-12-2008, 11:53 AM

    • joecorey
    • Not Ranked
    • Joined on 11-11-2008, 7:06 PM
    • Posts 6

    Classic ASP - Bind to LDAP not working

    Hello,

    Hope someone can help here. So I've taken my classic ASP code that was functioning fine from IIS 6 (32-bit) and moved it over to IIS 7 (64-bit). After resolving some ODBC issues (enabling 32-bit apps, using the 32-bit ODBC exe to load my Access 2007 DSNs), I attempted to run a page that queried some basic attributes in Active Directory that always worked. Now, I'm receiving  "Table does not exist" errors. A packet capture is showing the IIS server attempted to do an un-authenticated bind which gets denied by the DCs. Kerberos is functioning for the rest of the pages so the SPNs are set right. Any idea why this isn't working? The application pool is running under the NetworkService account.

    Thanks!

    -joe c

  • 11-12-2008, 1:16 PM In reply to

    Re: Classic ASP - Bind to LDAP not working

    Have you tried running the application pool as a domain account? (Either a domain admin or one with enough rights to query AD.) Network Service, when connecting across the network, is really just the machine account (IISServer$).

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield


    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget
  • 11-12-2008, 1:27 PM In reply to

    • joecorey
    • Not Ranked
    • Joined on 11-11-2008, 7:06 PM
    • Posts 6

    Re: Classic ASP - Bind to LDAP not working

    I understand that it runs as the machine account, but a machine account has the ability to read the attributes I'm querying in AD (qualifies as Authenticated User). That's no different than IIS 6.

    To answer your question, yes I've tried running it as a domain account with the same results. I just can't see how IIS 7 would be any different when binding to AD via VBScript and ASP.

  • 11-12-2008, 1:36 PM In reply to

    Re: Classic ASP - Bind to LDAP not working

    I figured you did, but understand it's kind of hard to assume anything in a post.  Hmm.  Here are a few things to verify.

    Assuming the Classic ASP authentication is anonymous, have you tried changing the anonymous authentication module so it's not using IUSR and instead inherits the application pool identity, which uses Network Service?

    Do you have auditing enabled on the DC to detect failures?   You can enable auditing on the DC to detect authentication failures.  You can enable this without a reboot or any impact.

    Active Directory - Turn on AD logging to find out what machine or process is locking out users.
    http://support.microsoft.com/?id=109626

    Those are a couple of things that come to mind.  Hope that helps.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

  • 11-12-2008, 2:25 PM In reply to

    • joecorey
    • Not Ranked
    • Joined on 11-11-2008, 7:06 PM
    • Posts 6

    Re: Classic ASP - Bind to LDAP not working

    Sorry, I should have mentioned that I'm using Windows Authentication. My DCs aren't showing anything because it's just attempting an LDAP simple bind. I can see the entire conversation in the packet capture. I'm just really stumped.

  • 11-12-2008, 9:32 PM In reply to

    Re: Classic ASP - Bind to LDAP not working

    What version of AD are you running?  W2k3 native mode or w2k8 mode?

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

  • 11-12-2008, 9:48 PM In reply to

    • joecorey
    • Not Ranked
    • Joined on 11-11-2008, 7:06 PM
    • Posts 6

    Re: Classic ASP - Bind to LDAP not working

    I'm running Win2k3 native mode.

  • 11-13-2008, 11:23 PM In reply to

    Re: Classic ASP - Bind to LDAP not working

    Hmm.  A couple of things for clarification.

    1) Are the application pools using 32-bit mode?

    2) Have you tried toggling the application pools between classic and integrated?

    I don't have a w2k3 environment set up to test against.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

  • 11-14-2008, 12:07 AM In reply to

    Re: Classic ASP - Bind to LDAP not working

    I was able to reproduce this, kind of, on a w2k8 native domain.

    I tried running the application pool as a domain admin with anonymous access.  I tried running the same code from a VBS file, same result.  Have you tried and successfully got a basic VBS file to run on w2k8?  I'd check the activeds.tlb (%windir%\system32) to see if there is a newer version on w2k8.  This is a real stretch.  There is a lot of info on the web, just nothing that helps overcome the error.  I kept getting NULL SID errors in the security event log, so it appears the first connection by ASP or VBS was a NULL SID vs. passing credentials.  If it's critical, I'd engage PSS (Microsoft support) for further assistance.

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

  • 11-14-2008, 12:21 AM In reply to

    Re: Classic ASP - Bind to LDAP not working

    Not sure if this helps, but I got it to work using different syntax.  It almost sounds like the LDAP provider is the issue; I would also try the ADSI provider to see if you have any better luck.  Notice in the script, the attributes are at the end.  I tested with Windows authentication and running my app pool as Network Service.  I couldn't get Windows Auth to work locally, so I tested with Basic.  When I tested remotely with Windows Auth (Basic disabled) it worked. Hope that helps provide some workaround.

    <%
    On Error Resume Next
    Set rs = CreateObject("adodb.recordset")
    rs.ActiveConnection = "provider=adsdsoobject"
    rs.Open "<;(&(objectCategory=Person)(objectClass=OrganizationalPerson)(name=userAccountName*));cn,sn">LDAP://192.168.0.1/dc=steve,dc=schofield>;(&(objectCategory=Person)(objectClass=OrganizationalPerson)(name=userAccountName*));cn,sn"
    response.write rs(0) & " " & rs(1)
    rs.close
    set rs = nothing
    %>

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

  • 11-14-2008, 9:19 AM In reply to

    • joecorey
    • Not Ranked
    • Joined on 11-11-2008, 7:06 PM
    • Posts 6

    Re: Classic ASP - Bind to LDAP not working

    Hi Steve,

    Thanks for all your help through this!  I'll try and answer a few posts in one.

    1) My AppPool has 32-bit applications enabled.
    2) Yes, I've tried toggling my pipeline mode - no effect.
    3) I was already using the "ADsDSOObject" provider.

    As a mostly Active Directory guy, I can say that the forest functional level and domain controller OS shouldn't matter here.

    As for your example, can you clarify something? As-is, this doesn't work (you only have three quotes after rs.Open - should the whole thing be in quotes?). Am I missing something? You have the LDAP filter listed twice - I'm getting "One or more errors occurred during processing of command. "

    Sorry, maybe I'm just missing something.

    -joe c

  • 11-14-2008, 9:02 PM In reply to

    Re: Classic ASP - Bind to LDAP not working

    Looks like a copy and paste error or formatting when I copied the code.  Here is the syntax.

    http://www.iislogs.com/adsi.asp.txt

    PS: I'm a "kind of sort of an AD guy along with IIS, MOSS etc." and have seen odd things with Classic ASP and w2k8; since you are running w2k3, you should be OK.   Hope the code sample helps.  It should be a workaround.  I honestly don't know why the other isn't working.  For some reason, in my tests the first authentication attempt is a NULL SID.  I'm running w2k8 native mode (domain and forest).

    Do you have failure auditing for logins, and are you seeing anything in the security event logs? Also, in your LDAP path, try hitting a specific DC, usually the PDC emulator box (my preference, but it can be any DC). :)

    PS: You are doing the right things; this isn't that difficult (or shouldn't be).

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield

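    The ADO/ADsDSOObject query form discussed in the two posts above, as an added example that is neither Steve's posted snippet nor the file he links: the DC host name, base DN and filter are placeholder values, and the connection explicitly requests a secure (Negotiate) bind so the provider does not fall back to the simple bind seen in the packet capture.

```vbscript
<%
' Added example, not code from this thread. Placeholders: dc01.example.com,
' DC=example,DC=com and the sAMAccountName filter; replace with your own values.
Option Explicit
Dim conn, cmd, rs, query

Set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
' ADSI Flag 1 = ADS_SECURE_AUTHENTICATION: bind as the app-pool identity
' via Negotiate (Kerberos/NTLM) rather than an anonymous/simple bind.
conn.Properties("ADSI Flag") = 1
conn.Open "Active Directory Provider"

' ADSI LDAP dialect: <LDAP path>;(filter);attribute list;scope
' The whole string is ONE quoted literal, the filter appears once,
' and the attributes come after the filter.
query = "<LDAP://dc01.example.com/DC=example,DC=com>;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=j*));" & _
        "cn,sn,sAMAccountName;subtree"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = query
cmd.Properties("Page Size") = 500   ' page results past the server's size limit

On Error Resume Next
Set rs = cmd.Execute
If Err.Number <> 0 Then
    ' Show the provider's own error code instead of the bare "Table does not exist"
    Response.Write "LDAP query failed: 0x" & Hex(Err.Number) & " " & _
                   Server.HTMLEncode(Err.Description)
    Err.Clear
Else
    On Error GoTo 0
    Do Until rs.EOF
        ' Encode directory values before writing them into the page
        Response.Write Server.HTMLEncode(rs("cn").Value & " " & rs("sn").Value & _
                       " " & rs("sAMAccountName").Value) & "<br>"
        rs.MoveNext
    Loop
    rs.Close
End If
conn.Close
%>
```

    If the filter ever has to include a value taken from a request, escape it per the LDAP filter rules (RFC 4515) before concatenating it into the command string.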
  • 11-20-2008, 8:45 AM In reply to

    • joecorey
    • Not Ranked
    • Joined on 11-11-2008, 7:06 PM
    • Posts 6

    Re: Classic ASP - Bind to LDAP not working

    Hi Steve,

    Sorry for the delay. I was unable to get this working using your script - my code was almost identical. I do have failure auditing on both the web server and the domain controller, I don't see anything coming with my username or from the web server (however I don't have debug logging on for NetLogon because this is in production).

    I might have to use some Premier hours on this one :(

     -joe

  • 11-21-2008, 11:35 PM In reply to

    Re: Classic ASP - Bind to LDAP not working

    There is no impact to your production DCs to enable logging.  Of course I would test in your environment before considering a change in production.  Best practice, you know. :)

    I'm not sure what else to suggest.  I was able to reproduce it and use the code sample as a workaround. If you have Premier hours, it might be a wise investment of time and resources.

    BTW, can you reproduce this in a test environment?  When something like this happens, I always try to reproduce it in a controlled (preferably non-production) environment.

    What was the failure auditing error?

    Steve Schofield
    Windows Server MVP - IIS
    http://weblogs.asp.net/steveschofield