IIS 5 - GetObject fails with "Restrict Anonymous" enabled on Domain Controllers

Gerry

I have a developer here with a website running with only "Windows
Integrated Authentication" set on a Windows 2000 member server that
uses GetObject to get a user's group membership in the domain. This is
the code she's using:

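' Bind to the user account through the WinNT provider
Set adsUser = GetObject("WinNT://" & strUsername)
' Build a semicolon-separated list of lower-cased group names
For Each group In adsUser.Groups
    GrpList = GrpList & LCase(Trim(group.Name)) & ";"
Next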


Apparently, our Windows 2000 DCs did NOT have the "Restrict Anonymous"
security option enabled, and this code was able to successfully get
data. We recently upgraded the domain controllers to Windows 2003
Server which by default has "Restrict Anonymous" enabled - it's called
"Network Access: Let Everyone permissions apply to anonymous users" in
the security options - it isn't defined by default which means that
"Everyone" permissions do not apply to anonymous users.

This caused the code to break - it wasn't able to get the group
membership info after we upgraded the DCs to Windows 2003 Server.
After re-enabling the option I mentioned above to not "Restrict
Anonymous" on all the DCs her code works again.

My question is: How can I keep the "Network Access: Let Everyone
permissions apply to anonymous users" feature disabled and have her
code still work? Is there some other setting I need to set in IIS?

Any advice is appreciated.

Thanks.
 
Manohar Kamath [MVP]

You could turn on the Windows authentication on the IIS server, and assuming
the user is within the Intranet, and has permissions to instantiate the
object, the code should work.
 
Gerry

Thanks for your reply.

We've had Windows authentication enabled as the only authentication
mechanism (i.e. Basic and Digest are not enabled) for this virtual
server and folders.

IIS 5 (IIS Admin service and World Wide Web service) runs using
"LocalSystem" so I believe that is the user that runs ASP code. Perhaps
I could have those services run using a domain account, but then that
would probably cause other security concerns, and probably wouldn't work
anyway as IIS seems to want to use the "NULL" user to pass this query to
the Domain Controllers.
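
An added diagnostic, not part of any post in this thread: a classic ASP page that reports which identity IIS authenticated for the request and whether the WinNT bind from the question succeeds, printing the error code when it does not. The account path EXAMPLEDOM/jdoe is a constructed placeholder.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic example, not code from the thread.
Dim strUsername, adsUser, group, GrpList, net

' Assumption: constructed placeholder in "DOMAIN/username" form
strUsername = "EXAMPLEDOM/jdoe"

' Identity IIS authenticated for this request (empty means anonymous)
Response.Write "AUTH_TYPE: " & _
    Server.HTMLEncode(Request.ServerVariables("AUTH_TYPE")) & "<br>"
Response.Write "LOGON_USER: " & _
    Server.HTMLEncode(Request.ServerVariables("LOGON_USER")) & "<br>"

' Account name reported to the executing script
Set net = Server.CreateObject("WScript.Network")
Response.Write "Script identity: " & _
    Server.HTMLEncode(net.UserDomain & "\" & net.UserName) & "<br>"

' Attempt the same bind as the original code, but capture the failure
On Error Resume Next
Set adsUser = GetObject("WinNT://" & strUsername & ",user")
If Err.Number <> 0 Then
    Response.Write "Bind failed: 0x" & Hex(Err.Number) & " " & _
        Server.HTMLEncode(Err.Description)
Else
    GrpList = ""
    For Each group In adsUser.Groups
        GrpList = GrpList & LCase(Trim(group.Name)) & ";"
    Next
    If Err.Number <> 0 Then
        Response.Write "Group enumeration failed: 0x" & Hex(Err.Number) & _
            " " & Server.HTMLEncode(Err.Description)
    Else
        Response.Write "Groups: " & Server.HTMLEncode(GrpList)
    End If
End If
On Error GoTo 0
%>
```

Comparing the output with "Network Access: Let Everyone permissions apply to anonymous users" enabled and disabled shows whether the query reaches the domain controllers under a named account or without credentials.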
 
