Unable to perform GetObject("LDAP://...") bindings when logged in overnight (error '800a0046')

Discussion in 'ASP General' started by aydeejay, Aug 21, 2007.

  1. aydeejay

    aydeejay Guest

    I'm trying to troubleshoot an issue where users are not able to bind
    with LDAP via "GetObject" through our ASP Classic Intranet if they
    stay logged in overnight (beyond their allowed login hours). The
    problem does not occur when performing the same bindings using a logon
    script.

    So, the user logs in, is able to perform queries all day, and then
    fails to log out at the end of the day. We'd prefer that they did log
    out nightly, but it happens...

    The following morning they unlock their machine during allowed logon
    hours and are unable to bind to Active Directory via our Intranet
    until they log out / back in or perform a RunAs using their own
    credentials.

    Any idea what could be happening? We've got "Windows Integrated
    Authentication" and "Basic Authentication" enabled, anonymous access
    is disabled.

    The Intranet has no problem authenticating them and recognizing their
    username, but any attempts to bind via GetObject generate this error:

    Microsoft VBScript runtime error '800a0046'

    Permission denied: 'GetObject'

    /auth_functions.asp, line 18

    Thanks!
     
    aydeejay, Aug 21, 2007
    #1

  2. You could run a script logging out all users each night


     
    ThatsIT.net.au, Aug 22, 2007
    #2

  3. aydeejay

    aydeejay Guest

    What I'm really looking for is some sort of explanation of what could
    be happening -- we could certainly log everyone out as a workaround,
    but there are certain users and machines, such as my own, where this
    is undesirable.

    As it turns out the problem does not involve logon hours, but it seems
    to be contingent on how long they remain logged into the system.

    This is definitely a Kerberos-related issue...if I stay logged in
    overnight and run an ASP script that looks at authentication server
    variables to determine the method of authentication being used, NTLM
    is employed. If I log out and back into my machine, Kerberos is
    employed.

    This seems to be an issue involving Kerberos ticket renewal /
    expiration, but I haven't read any similar accounts of this problem.

    "klist tgt" generates this error under a "stale" login session (left
    overnight):

    Error calling function LsaCallAuthenticationPackage: 0
    The operation completed successfully.
    Substatus: 0x8009030e

    Under a "fresh" login it works fine:

    Cached TGT:

    ServiceName: krbtgt
    TargetName: krbtgt
    FullServiceName: ajones
    DomainName: xxx
    TargetDomainName: xxx
    AltTargetDomainName: xxx
    TicketFlags: 0x40e00000
    KeyExpirationTime: 256/0/29920 0:103:804
    StartTime: 8/23/2007 12:25:28
    EndTime: 8/23/2007 21:00:00
    RenewUntil: 8/23/2007 21:00:00
    TimeSkew: 8/23/2007 21:00:00

     
    aydeejay, Aug 23, 2007
    #3
  4. "aydeejay" <> wrote in message
    news:...
    > What I'm really looking for is some sort of explanation of what could
    > be happening -- we could certainly log everyone out as a workaround,
    > but there are certain users and machines, such as my own, where this
    > is undesirable.
    >
    > As it turns out the problem does not involve logon hours, but it seems
    > to be contingent on how long they remain logged into the system.
    >
    > This is definitely a Kerberos-related issue...if I stay logged in
    > overnight and run an ASP script that looks at authentication server
    > variables to determine the method of authentication being used, NTLM
    > is employed. If I log out and back into my machine, Kerberos is
    > employed.



    It seems like some sort of expiry problem.


    >
    > This seems to be an issue involving Kerberos ticket renewal /
    > expiration, but I haven't read any similar accounts of this problem.
    >
    > "klist tgt" generates this error under a "stale" login session (left
    > overnight):


    You may be able to change the lifetime of the ticket somewhere.


    >
    > Error calling function LsaCallAuthenticationPackage: 0
    > The operation completed successfully.
    > Substatus: 0x8009030e
    >
    > Under a "fresh" login it works fine:
    >
    > Cached TGT:
    >
    > ServiceName: krbtgt
    > TargetName: krbtgt
    > FullServiceName: ajones
    > DomainName: xxx
    > TargetDomainName: xxx
    > AltTargetDomainName: xxx
    > TicketFlags: 0x40e00000
    > KeyExpirationTime: 256/0/29920 0:103:804
    > StartTime: 8/23/2007 12:25:28
    > EndTime: 8/23/2007 21:00:00
    > RenewUntil: 8/23/2007 21:00:00
    > TimeSkew: 8/23/2007 21:00:00
     
    ThatsIT.net.au, Aug 24, 2007
    #4
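
Added example, not part of any post in this thread: a small Python parser for the two `klist tgt` outputs quoted above, which decodes the TicketFlags bits (RFC 4120), maps the substatus to its SSPI name, and reports the ticket lifetime and remaining renewal window. The function name `analyze_tgt` and the "next morning" timestamp are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Kerberos ticket flag bits (RFC 4120), as they appear in the TicketFlags field.
FLAGS = {0x40000000: "forwardable", 0x20000000: "forwarded",
         0x10000000: "proxiable", 0x00800000: "renewable",
         0x00400000: "initial", 0x00200000: "pre_authent",
         0x00040000: "ok_as_delegate"}
SEC_E_NO_CREDENTIALS = 0x8009030E  # SSPI: no credentials available in the package

# Both outputs are copied from the thread above (fields not used here omitted).
STALE = """Error calling function LsaCallAuthenticationPackage: 0
The operation completed successfully.
Substatus: 0x8009030e"""
FRESH = """Cached TGT:
ServiceName: krbtgt
TicketFlags: 0x40e00000
StartTime: 8/23/2007 12:25:28
EndTime: 8/23/2007 21:00:00
RenewUntil: 8/23/2007 21:00:00"""

def analyze_tgt(text, now):
    """Summarise `klist tgt` output: is there a usable, renewable TGT at `now`?"""
    # Only lines of the form "Key: value" are kept; the error banner is skipped.
    fields = dict(re.findall(r"^\s*(\w+):\s*(.+?)\s*$", text, re.M))
    if "Substatus" in fields:
        code = int(fields["Substatus"], 16)
        reason = "no_credentials" if code == SEC_E_NO_CREDENTIALS else hex(code)
        return {"has_tgt": False, "reason": reason}
    ts = lambda k: datetime.strptime(fields[k], "%m/%d/%Y %H:%M:%S")
    bits = int(fields["TicketFlags"], 16)
    start, end, renew_until = ts("StartTime"), ts("EndTime"), ts("RenewUntil")
    return {
        "has_tgt": True,
        "flags": [name for bit, name in FLAGS.items() if bits & bit],
        "valid_now": start <= now < end,
        # Renewal can only extend a ticket up to RenewUntil. When that equals
        # EndTime, no renewal window remains and a fresh TGT must be requested.
        "renew_window_hours": (renew_until - end).total_seconds() / 3600,
        "lifetime_hours": round((end - start).total_seconds() / 3600, 2),
    }

if __name__ == "__main__":
    morning_after = datetime(2007, 8, 24, 8, 0, 0)  # constructed "next morning" time
    print(analyze_tgt(STALE, morning_after))
    print(analyze_tgt(FRESH, morning_after))
```

For the fresh ticket quoted in the thread, the flags decode to forwardable, renewable, initial and pre_authent, while RenewUntil equals EndTime, so the renewal window is zero hours.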