Microsoft Knowledge Base Article
This article's contents are Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Article ID: 278836 - Last Review: July 7, 2008 - Revision: 6.1
ADSI GetObject queries may fail from ASP but work from VBScript
This article was previously published under Q278836
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
For more information about IIS 7.0, visit the following Microsoft Web site:
If you use a GetObject query from an Active Server Pages (ASP) page to list the users in a particular group, the result set may be blank, although the same query returns data when it is run from Microsoft Visual Basic Scripting Edition (VBScript) code on the IIS server. Queries for groups or other objects that are run from the same ASP page do return data.
For example, the following query returns an empty user list:
<%
Set ADsGroup = GetObject("WinNT://DOMAIN/SomeGroup,Group")
For Each Member In ADsGroup.Members
Response.Write Member.Name
Next
%>
This problem occurs if all of the following conditions are met:
- The IIS server is not a domain controller.
If the IIS server is a member server of a domain and is not a domain controller, GetObject queries that use the WinNT provider must contact a domain controller to retrieve the requested information.
- The ASP page that makes the query uses the Windows NT Challenge/Response (NTLM) authentication method.
If the page that makes the request is authenticated with Windows NT Challenge/Response, the query from the IIS computer to the domain controller is made as a NULL, or anonymous, session. NTLM gives the IIS server a token that is valid only on that server; it does not carry the user's credentials, so the server cannot use them to authenticate to a second computer (double-hop impersonation).
- The RestrictAnonymous registry value on the domain controller to be contacted is set to 1.
RestrictAnonymous is a DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. If it is set to 1 on the domain controller, the query fails because the query arrives as a NULL, or anonymous, session.
NOTE: Because RestrictAnonymous set to 1 only restricts the enumeration of user accounts and shares by anonymous sessions, other queries, such as a query for a Group object, succeed. The query also succeeds when it is run from VBScript on the IIS server because it is initiated by a logged-on user, so the query is made with that user's credentials.
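The following Windows Script Host script is an added diagnostic, not part of the original article. Run it with cscript on the IIS member server while logged on as a domain user; it reads the RestrictAnonymous value on the domain controller through WMI and then runs the same WinNT group enumeration under the logged-on user's credentials, which is the case the note above says succeeds. The names "DC1", "DOMAIN" and "SomeGroup" are placeholders.

```vbscript
' Added diagnostic script (not part of the original KB article).
' Run with: cscript //nologo check-restrictanonymous.vbs
' "DC1", "DOMAIN" and "SomeGroup" are placeholder names (assumptions).
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const LSA_KEY = "SYSTEM\CurrentControlSet\Control\Lsa"

Dim dcName, domainName, groupName
dcName     = "DC1"
domainName = "DOMAIN"
groupName  = "SomeGroup"

' Read HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous on the
' domain controller through the WMI StdRegProv class (remote access over DCOM,
' authenticated as the logged-on user).
Function GetRestrictAnonymous(computer)
    Dim reg, value, rc
    Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                        computer & "\root\default:StdRegProv")
    rc = reg.GetDWORDValue(HKEY_LOCAL_MACHINE, LSA_KEY, "RestrictAnonymous", value)
    If rc <> 0 Or IsNull(value) Then
        GetRestrictAnonymous = 0    ' value absent: anonymous enumeration not restricted
    Else
        GetRestrictAnonymous = value
    End If
End Function

' Enumerate a WinNT group exactly as the ASP page does and return the member
' count. Under WSH this runs with the logged-on user's credentials, so the DC
' does not see a NULL session.
Function CountGroupMembers(domain, group)
    Dim adsGroup, member, n
    n = 0
    Set adsGroup = GetObject("WinNT://" & domain & "/" & group & ",group")
    For Each member In adsGroup.Members
        WScript.Echo "  " & member.Class & ": " & member.Name
        n = n + 1
    Next
    CountGroupMembers = n
End Function

Dim ra, count
ra = GetRestrictAnonymous(dcName)
WScript.Echo "RestrictAnonymous on " & dcName & " = " & ra

count = CountGroupMembers(domainName, groupName)
WScript.Echo "Members of " & domainName & "\" & groupName & " (as " & _
             CreateObject("WScript.Network").UserName & "): " & count

If ra >= 1 Then
    WScript.Echo "Anonymous enumeration of users and shares is restricted on " & _
                 dcName & "; an ASP page authenticated with NTLM will get an " & _
                 "empty list for this group."
End If
```

If this script lists members but the ASP page returns none, the group is not empty and the difference is the credential the domain controller sees, which is the condition described above.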
To resolve this problem, use Basic (Clear Text) authentication for the ASP page that makes the query. With Basic authentication, IIS receives the user's name and password and can use them to authenticate to the domain controller, so the query is no longer made as an anonymous session.
Note Basic authentication sends the user name and password base64-encoded, not encrypted, with every request. When you use Basic authentication, you should secure the page with Secure Sockets Layer (SSL) so that the credentials are not exposed on the network.
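The following ASP page is an added diagnostic, not part of the original article. It reports which authentication method reached the page (AUTH_TYPE and LOGON_USER are standard IIS server variables) and then runs the group enumeration, so an empty result can be tied directly to an NTLM-authenticated request. The names "DOMAIN" and "SomeGroup" are placeholders.

```vbscript
<%@ Language=VBScript %>
<%
' Added diagnostic ASP page (not part of the original KB article).
' "DOMAIN" and "SomeGroup" are placeholder names (assumptions).
Option Explicit
Response.ContentType = "text/plain"

Dim authType, logonUser
authType  = Request.ServerVariables("AUTH_TYPE")    ' "NTLM", "Negotiate", "Basic" or ""
logonUser = Request.ServerVariables("LOGON_USER")

Response.Write "AUTH_TYPE  = " & authType & vbCrLf
Response.Write "LOGON_USER = " & logonUser & vbCrLf

' Run the WinNT group query from the page. Under NTLM the token on this
' server cannot be forwarded to the domain controller, so the query goes out
' as a NULL session; under Basic the page holds the user's credentials and
' the domain controller sees an authenticated query.
Function CountMembers(domain, group)
    Dim adsGroup, member, n
    n = 0
    On Error Resume Next
    Set adsGroup = GetObject("WinNT://" & domain & "/" & group & ",group")
    If Err.Number <> 0 Then
        Response.Write "Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description & vbCrLf
        CountMembers = -1
        Exit Function
    End If
    For Each member In adsGroup.Members
        Response.Write "  " & member.Name & vbCrLf
        n = n + 1
    Next
    CountMembers = n
End Function

Dim n
n = CountMembers("DOMAIN", "SomeGroup")
Response.Write "Members returned: " & n & vbCrLf

If n = 0 And UCase(authType) = "NTLM" Then
    Response.Write "Empty list under NTLM: the query to the domain controller was " & _
                   "made anonymously (no double hop). Configure Basic authentication " & _
                   "over SSL for this page, or check RestrictAnonymous on the DC." & vbCrLf
End If
%>
```

Request the page twice, once with Windows NT Challenge/Response enabled and once with Basic authentication enabled, and compare the member count; only the authentication method changes between the two runs.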
For more information about the RestrictAnonymous registry value, click the article number to view the article in the Microsoft Knowledge Base:
143474 Restricting information available to anonymous logon users
(http://kbalertz.com/Feedback.aspx?kbNumber=143474/)
APPLIES TO
- Microsoft Internet Information Server 3.0
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services 6.0
- Microsoft Internet Information Services 7.0