I'd like to modify several values in the AD for specific user accounts within
a single ASP page
which works with several HTML POST-based forms.
We are running Windows Server 2003.
AD is enumerated and returns the ADsPath for the user object I am
searching for, based on the sAMAccountName
which I query with an HTML form.
This works fine.
Now I want to bind to that specific object using the GetObject method
with the returned ADsPath,
which fails every time.
I've read a lot of articles about GetObject errors, but did not find a
solution that works.
I'm running that page logged in at the domain with a domain administrator
account.
My sAMAccountName is shown correctly with:
<% Response.Write (request.servervariables("LOGON_USER") ) %>
so the user authentication seems to be working well.
I am connecting to Active Directory with a specific user account at the first
bind.
I've read a lot of articles about error '80072020', each time together with
GetObject.
My environment description
******************************
I've placed the ASP page in a virtual directory, where I use NT authentication (no
anonymous access allowed).
I placed several include files outside this directory, so that the AD
connection data is hidden from normal users.
The include works fine.
I replaced some settings in the scripts (user, password, domain) with
<domain>
The content of my include file
********************************
LDAPserver = "ldap1.lan.<domain>"
strUsername = "CN=<browsing user name>\, <firstname>,OU=<OUname>,OU=<OUname>,DC=<childdomain>,DC=<rootdomain>,DC=de"
strPassword = "<browsing user password>"
...
sql = "SELECT ADSPath FROM 'LDAP://" & LDAPserver & "/" & UserContainer & "' WHERE objectClass='user' and sAMAccountName = '" & UserID & "'"
...
Const ADS_SCOPE_SUBTREE = 2
' Build the LDAP connection:
Set objConnection = Server.CreateObject("ADODB.Connection")
Set objCommand = Server.CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.open "Active Directory Provider", strUsername, strPassword
Set objCommand.ActiveConnection = objConnection
...
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = sql
Response.Write("<BR><B>objCommand.CommandText:</B> " & objCommand.CommandText)
Set objRecordSet = objCommand.execute
...
if ( objRecordSet.RecordCount = 0 ) then
Response.Write "<BR><B>Datensatz</B> [" & UserID & "] <B>nicht im AD auffindbar!</B>"
else
Response.Write "<BR><B>Datensatz</B> [" & UserID & "] im AD <B>auffindbar!</B>"
end if
do until objRecordSet.EOF
...
strADSPath = objRecordSet.fields("ADSPath")
...
' I tried a lot of different combinations, none of them worked...
' Set objCon = GetObject("LDAP:").OpenDSObject(strADSPath)
Set objCon = GetObject(strADSPath)
objCon.GetInfo
...
objRecordSet.MoveNext
loop
And now the results:
**********************
' Username set in the html/asp form. Sent to the query by "post" method:
UserID: JohannesXPUser
' String is ok and works fine:
sql: SELECT ADSPath FROM 'LDAP://ldap1.<domain>/DC=lan,DC<domain>DC=de' WHERE objectClass='user' and sAMAccountName = 'JohannesXPUser'
' String is ok and works fine:
objCommand.CommandText: SELECT ADSPath FROM 'LDAP://ldap1.lan.<domain>/DC=lan,DC=<domain>,DC=de' WHERE objectClass='user' and sAMAccountName = 'JohannesXPUser'
Datensatz [JohannesXPUser] im AD auffindbar! -> which means the object is found in the AD!
strADSPath : LDAP://ldap1.lan.<domain>/CN=XPUser\, Johannes,OU=XP-Benutzer,OU=<domain>,DC=de
Fehler '80072020'
I checked the entry for the searched user with ADSI Edit and it seems
correct:
CN=XPUser\, Johannes,OU=XP-Benutzer,OU=<DOMAIN>,DC=de
(except for the missing LDAP server prefix returned in the strADSPath output).
How can I connect to the given ADsPath or sAMAccountName (which is not
identical to the name of the logged-on user
who uses the ASP page) and use GetInfo and SetInfo?
If GetObject won't work, is there another way to connect and get write
access to the user enumerated in the ADsPath?
I think I have to bind again after the SQL select to that specific
user account after enumerating it,
before trying to change some values.
Or am I wrong?
Regards,
Ralf
I have not looked at your code in detail, but the usual reasons for this
failure are:
1. NTLM "double hop authentication" failure (google it).
2. You can often search AD with ANONYMOUS credentials, but as soon as
you try to bind, the security will block.
In the case of #1, it's usually caused by IIS: the first auth will be
the user who is using the app, but the second auth will be the IIS
process, and it won't have write access to AD. A possible (and
dangerous) work-around is to set a process identity that does have write
access. The problem is that anyone who hacks your web app can trash the
whole of AD. Another option is using Kerberos constrained delegation to
allow multiple-hop auth.
--
Gerry Hickman (London UK)
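An added example (not code from Ralf's post or Gerry's reply) of the explicit rebind that Ralf's commented-out OpenDSObject line was heading toward: the object found by the search is opened with the same dedicated credentials the search already uses, so the second bind does not depend on the impersonated token that fails on the second hop Gerry describes. It assumes the variables from the include file (strADSPath, strUsername, strPassword, UserID); the attribute written and the allow-list pattern are constructed for the example.

```vbscript
<%
' Added example, not from the original posts. Rebind to the object returned by the
' search with explicit credentials via IADsOpenDSObject instead of GetObject, which
' would use the (non-delegable) impersonation token of the web user.
' Assumed from the include file: strADSPath, strUsername, strPassword, UserID.

Const ADS_SECURE_AUTHENTICATION = 1   ' authenticate with Windows security (Kerberos/NTLM)
Const ADS_USE_SIGNING = 64
Const ADS_USE_SEALING = 128           ' sign and seal the LDAP traffic to the DC
Const ADS_SERVER_BIND = 512           ' the ADsPath names a specific server, skip the domain lookup

' Conservative allow-list for the value taken from the form before it is
' concatenated into the search string (pattern constructed for this example).
Function IsSafeSamAccountName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsSafeSamAccountName = re.Test(name)
End Function

' Bind with explicit credentials; returns the IADs object, or Nothing on failure.
Function BindWithCredentials(adsPath, userName, password)
    Dim flags, objNS
    flags = ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING Or ADS_SERVER_BIND
    On Error Resume Next
    Set objNS = GetObject("LDAP:")
    Set BindWithCredentials = objNS.OpenDSObject(adsPath, userName, password, flags)
    If Err.Number <> 0 Then
        ' Err.Number for the error in the thread prints as 80072020 here
        Response.Write "<BR>Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Set BindWithCredentials = Nothing
        Err.Clear
    End If
    On Error GoTo 0
End Function

Dim objUser
If Not IsSafeSamAccountName(UserID) Then
    Response.Write "<BR>Rejected user name"
Else
    Set objUser = BindWithCredentials(strADSPath, strUsername, strPassword)
    If Not objUser Is Nothing Then
        objUser.GetInfo
        objUser.Put "description", "changed via ASP on " & Now()   ' example attribute only
        objUser.SetInfo
    End If
End If
%>
```

The account in strUsername only needs delegated write rights on the OU that holds the target users, which keeps the damage a compromised page can do far smaller than running the IIS process as a domain administrator.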