IIS 5 - GetObject fails with "Restrict Anonymous" enabled on Domain Controllers

I have a developer here with a website running with only "Windows
Integrated Authentication" set on a Windows 2000 member server that
uses GetObject to get a user's group membership in the domain. This is
the code she's using:

    set adsUser = getobject("WinNT://" & strUsername)
    for each group in adsUser.groups
        GrpList = GrpList & lcase(trim(group.name)) & ";"
    next

Apparently, our Windows 2000 DCs did NOT have the "Restrict Anonymous"
security option enabled, and this code was able to successfully get
data. We recently upgraded the domain controllers to Windows 2003
Server which by default has "Restrict Anonymous" enabled - it's called
"Network Access: Let Everyone permissions apply to anonymous users" in
the security options - it isn't defined by default which means that
"Everyone" permissions do not apply to anonymous users.

This caused the code to break - it wasn't able to get the group
membership info after we upgraded the DCs to Windows 2003 Server.
After re-enabling the option I mentioned above to not "Restrict
Anonymous" on all the DCs her code works again.

My question is: How can I keep the "Network Access: Let Everyone
permissions apply to anonymous users" feature disabled and have her
code still work? Is there some other setting I need to set in IIS?

Any advice is appreciated.

Thanks.
Jul 19 '05 #1
You could turn on the Windows authentication on the IIS server, and assuming
the user is within the Intranet, and has permissions to instantiate the
object, the code should work.

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
"Gerry" <sy****@yahoo.com> wrote in message
news:4d**************************@posting.google.com...

Jul 19 '05 #2
Thanks for your reply.

We've had Windows authentication enabled as the only authentication
mechanism (i.e. Basic and Digest are not enabled) for this virtual
server and folders.

IIS 5 (IIS Admin service and World Wide Web service) runs using
"LocalSystem" so I believe that is the user that runs ASP code. Perhaps
I could have those services run using a domain account, but then that
would probably cause other security concerns, and probably wouldn't work
anyway as IIS seems to want to use the "NULL" user to pass this query to
the Domain Controllers.


Manohar Kamath [MVP] wrote:
You could turn on the Windows authentication on the IIS server, and assuming
the user is within the Intranet, and has permissions to instantiate the
object, the code should work.


Jul 19 '05 #3
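
Added example, not part of the thread and not any poster's code: one way to make the group lookup reach the domain controller as an authenticated account instead of the null session described above, using the ADSI `OpenDSObject` method on the WinNT namespace. The function names, the separate domain parameter, and the low-privilege lookup account passed in as `strSvcUser`/`strSvcPassword` are assumptions; the credentials are expected to come from protected configuration, not from the page source.

```vbscript
' ADS_AUTHENTICATION_ENUM value: negotiate an authenticated (NTLM) bind.
Const ADS_SECURE_AUTHENTICATION = 1

' Reject empty names and characters that would alter the ADsPath.
Function IsSafeName(s)
    IsSafeName = (Len(s) > 0) And (InStr(s, "/") = 0) And _
                 (InStr(s, "\") = 0) And (InStr(s, ",") = 0)
End Function

' Returns "group1;group2;" for the user, or "" if validation or the bind fails.
' strSvcUser / strSvcPassword: hypothetical low-privilege domain account
' used only for this lookup (assumption, not from the thread).
Function GetGroupList(strDomain, strUsername, strSvcUser, strSvcPassword)
    Dim objNS, adsUser, group, GrpList
    GrpList = ""
    GetGroupList = ""

    If Not (IsSafeName(strDomain) And IsSafeName(strUsername)) Then
        Exit Function
    End If

    ' The bare namespace object exposes OpenDSObject.
    Set objNS = GetObject("WinNT:")

    On Error Resume Next
    Set adsUser = objNS.OpenDSObject( _
        "WinNT://" & strDomain & "/" & strUsername & ",user", _
        strSvcUser, strSvcPassword, ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then
        ' Fail closed: no group list means no group-based access.
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    For Each group In adsUser.Groups
        GrpList = GrpList & LCase(Trim(group.Name)) & ";"
    Next

    GetGroupList = GrpList
End Function
```

Because the bind carries its own credentials, this does not depend on "Network Access: Let Everyone permissions apply to anonymous users" being enabled on the domain controllers.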
