IIS 5 - GetObject fails with "Restrict Anonymous" enabled on Domain Controllers

Discussion in 'ASP General' started by Gerry, Jul 31, 2003.

  1. Gerry

    Gerry Guest

    I have a developer here with a website running with only "Windows
    Integrated Authentication" set on a Windows 2000 member server that
    uses GetObject to get a user's group membership in the domain. This is
    the code she's using:

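    ' Bind to the user account through the ADSI WinNT provider
    Set adsUser = GetObject("WinNT://" & strUsername)
    ' Build a semicolon-separated list of lowercase group names
    For Each group In adsUser.Groups
        GrpList = GrpList & LCase(Trim(group.Name)) & ";"
    Next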


    Apparently, our Windows 2000 DCs did NOT have the "Restrict Anonymous"
    security option enabled, and this code was able to successfully get
    data. We recently upgraded the domain controllers to Windows 2003
    Server which by default has "Restrict Anonymous" enabled - it's called
    "Network Access: Let Everyone permissions apply to anonymous users" in
    the security options - it isn't defined by default which means that
    "Everyone" permissions do not apply to anonymous users.

    This caused the code to break - it wasn't able to get the group
    membership info after we upgraded the DCs to Windows 2003 Server.
    After re-enabling the option I mentioned above to not "Restrict
    Anonymous" on all the DCs her code works again.

    My question is: How can I keep the "Network Access: Let Everyone
    permissions apply to anonymous users" feature disabled and have her
    code still work? Is there some other setting I need to set in IIS?

    Any advice is appreciated.

    Thanks.
    Gerry, Jul 31, 2003
    #1
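
Added example (not part of the original posts): the policy named above is stored as the `EveryoneIncludesAnonymous` value under the Lsa registry key, next to the separate `RestrictAnonymous` and `RestrictAnonymousSAM` values. This Python script audits a `secedit /export /cfg` template taken from a domain controller for all three; the sample template and the baseline expectations are constructed for illustration.

```python
import re

LSA = r"machine\system\currentcontrolset\control\lsa" + "\\"

# Registry value -> (policy label, predicate for the restrictive setting).
# Baseline is an assumption for this example, not a statement from the thread.
BASELINE = {
    "everyoneincludesanonymous": (
        "Let Everyone permissions apply to anonymous users", lambda v: v == 0),
    "restrictanonymous": (
        "Do not allow anonymous enumeration of SAM accounts and shares", lambda v: v >= 1),
    "restrictanonymoussam": (
        "Do not allow anonymous enumeration of SAM accounts", lambda v: v == 1),
}

# Constructed sample of a secedit export (only the relevant parts).
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
[Version]
signature="$CHICAGO$"
"""

def parse_registry_values(inf_text):
    """Return {lowercased path: int} for REG_DWORD (type 4) lines in [Registry Values]."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "registry values" and "=" in line:
            path, _, data = line.partition("=")
            kind, _, val = data.partition(",")
            if kind.strip() == "4":
                values[path.strip().lower()] = int(val.strip())
    return values

def audit(inf_text):
    """Map each value name to 'ok', 'weak' or 'not defined'."""
    values = parse_registry_values(inf_text)
    result = {}
    for name, (_label, is_restrictive) in BASELINE.items():
        v = values.get(LSA + name)
        result[name] = "not defined" if v is None else ("ok" if is_restrictive(v) else "weak")
    return result
```

A value reported as "not defined" is absent from the export and has to be read from the effective policy on the machine itself.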

  2. You could turn on the Windows authentication on the IIS server, and assuming
    the user is within the Intranet, and has permissions to instantiate the
    object, the code should work.

    --
    Manohar Kamath
    Editor, .netBooks
    www.dotnetbooks.com


    "Gerry" <> wrote in message
    news:...
    > I have a developer here with a website running with only "Windows
    > Integrated Authentication" set on a Windows 2000 member server that
    > uses GetObject to get a user's group membership in the domain. This is
    > the code she's using:
    >
    > set adsUser = getobject("WinNT://" & strUsername)
    > for each group in adsUser.groups
    > GrpList = GrpList & lcase(trim(group.name)) & ";"
    > next
    >
    >
    > Apparently, our Windows 2000 DCs did NOT have the "Restrict Anonymous"
    > security option enabled, and this code was able to successfully get
    > data. We recently upgraded the domain controllers to Windows 2003
    > Server which by default has "Restrict Anonymous" enabled - it's called
    > "Network Access: Let Everyone permissions apply to anonymous users" in
    > the security options - it isn't defined by default which means that
    > "Everyone" permissions do not apply to anonymous users.
    >
    > This caused the code to break - it wasn't able to get the group
    > membership info after we upgraded the DCs to Windows 2003 Server.
    > After re-enabling the option I mentioned above to not "Restrict
    > Anonymous" on all the DCs her code works again.
    >
    > My question is: How can I keep the "Network Access: Let Everyone
    > permissions apply to anonymous users" feature disabled and have her
    > code still work? Is there some other setting I need to set in IIS?
    >
    > Any advice is appreciated.
    >
    > Thanks.
    Manohar Kamath [MVP], Jul 31, 2003
    #2

  3. Gerry

    Gerry Guest

    Re: IIS 5 - GetObject fails with "Restrict Anonymous" enabled on Domain Controllers

    Thanks for your reply.

    We've had Windows authentication enabled as the only authentication
    mechanism (i.e. Basic and Digest are not enabled) for this virtual
    server and folders.

    IIS 5 (IIS Admin service and World Wide Web service) runs using
    "LocalSystem" so I believe that is the user that runs ASP code. Perhaps
    I could have those services run using a domain account, but then that
    would probably cause other security concerns, and probably wouldn't work
    anyway as IIS seems to want to use the "NULL" user to pass this query to
    the Domain Controllers.






    Manohar Kamath [MVP] wrote:
    > You could turn on the Windows authentication on the IIS server, and assuming
    > the user is within the Intranet, and has permissions to instantiate the
    > object, the code should work.
    >
    Gerry, Jul 31, 2003
    #3