LDAP query works on test laptop but not on server (error 80040e37)

    Question

  • I'm developing an ASP web page that needs to get some information from Active Directory. The test code below works on my development laptop (running Windows 7) but when I move it to the production server (running Windows Server 2008 R2) the code fails at the 'cmd.execute' line with 'Active Directory error 80040e37'. Web search results for this error indicated a syntax error was the usual cause, but since it works on the laptop, the syntax appears to be OK and I suspect there's something missing or not configured on the server. Can someone point me to what this is likely to be?

    Thanks

    <%@LANGUAGE="VBSCRIPT"%>
    <html>
    <head>
    </head>
    <body>
    <%
    domuser = request.querystring("U")
    Dim oRootDSE
    Set oRootDSE = GetObject("LDAP://RootDSE")
    dim namectx
    namectx = oRootDSE.Get("defaultNamingContext")
    ldapfilter = "select GivenName,sn,telephoneNumber,mail from 'LDAP://" & _
      namectx & "' where objectCategory='User' and name='" & domuser & "'"
    dim cn
    set cn = CreateObject("ADODB.Connection")
    cn.Provider = "ADsDSOObject"
    cn.Open "Active Directory Provider"
    dim cmd
    set cmd = CreateObject("ADODB.Command")
    cmd.ActiveConnection = cn
    cmd.Properties("Timeout") = 30
    cmd.Properties("SearchScope") = 2 ' ADS_SCOPE_SUBTREE
    cmd.Properties("Cache Results") = False
    cmd.CommandText = ldapfilter
    dim rs
    set rs = cmd.Execute
    %>
    <table border=1>
    <tr><td>User:</td><td><%=domuser %></td></tr>
    <tr><td>GivenName:</td><td><%=rs("GivenName") %></td></tr>
    <tr><td>sn:</td><td><%=rs("sn") %></td></tr>
    <tr><td>telephoneNumber:</td><td><%=rs("telephoneNumber") %></td></tr>
    <tr><td>mail:</td><td><%=rs("mail") %></td></tr>
    </table>
    </body>
    </html>
    Wednesday, November 10, 2010 11:07 AM

Answers

  • After much searching I eventually determined from reading http://msdn.microsoft.com/en-us/library/ms180891.aspx that this is a "Double Hop Issue". If I temporarily change the site from Windows Authentication to Basic Authentication (so it prompts for username and password) the code works as designed.

    It seems that when developing with the web client and server on the same machine the 'hop' from client to server doesn't count, so the authentication token held by the IIS server is a primary token and is valid for interrogating Active Directory. When the IIS server is located on another machine and Windows Authentication is used, the server has a secondary token which is not valid for ongoing queries to other servers, so it uses NTAUTHORITY\ANONYMOUS LOGON and fails. When Basic Authentication is used, the server prompts for a username and password and hence has a valid primary token to query Active Directory.

    Short of hard-coding a domain username and password into the web page to use for the query, I can't see a simple way round this. If anyone can suggest something, I'd be grateful as I'm sure many people have coded web pages to query AD information in this way.

    Regards

    Tuesday, November 16, 2010 2:54 PM

All replies

  • Hello,

    I am not a programmer, but anonymous LDAP queries are not permitted by default, so is your query anonymous?

    http://technet.microsoft.com/en-us/library/cc755809%28WS.10%29.aspx

    http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Wednesday, November 10, 2010 11:40 AM
  • The web application is configured to run using Windows Authentication and the LOGON_USER Server Variable is correctly set (it's actually where the full web page gets the value of the variable domuser used in the code extract I gave) so I would assume that the requests are not anonymous. This is possibly an area I need to check, however. How would I confirm that the context was correctly impersonating the requesting user?

    Derek.

    Wednesday, November 10, 2010 3:19 PM
  • I see nothing wrong with the query, as long as the variable domuser has a valid value (the Common Name of a user or contact).

    Richard Mueller


    MVP ADSI
    Wednesday, November 10, 2010 10:51 PM

  • Hi,

    The error 80040e37 means DB_E_NOTABLE. I suggest you try to change the "ldapfilter=…" to test.

    ldapFilter = "<LDAP://" & namectx & _
      ">;(&(objectCategory=User)(name=" & domuser & "))" & _
      "; GivenName,sn,telephoneNumber,mail;subtree"


    How To Use ADO to Access Objects Through an ADSI LDAP Provider
    http://support.microsoft.com/kb/187529

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, November 15, 2010 12:03 PM
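    Both filter dialects in this thread place domuser, taken straight from request.querystring("U"), into the search filter without escaping. As an added example that is not part of the thread, the PowerShell below escapes the value as RFC 4515 requires before building the LDAP-dialect filter proposed above; the function names and the naming context are assumptions.

```powershell
# Added example, not from the thread: escape a user-supplied value before it is
# concatenated into an LDAP search filter, as RFC 4515 section 3 requires.
# Assumptions: the function names are hypothetical; $namectx stands in for the
# value the ASP page reads from oRootDSE.Get("defaultNamingContext").
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash goes first so the escapes added below are not escaped again.
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace '\x00', '\00'
}

function New-UserLookupFilter {
    param([Parameter(Mandatory)][string]$NamingContext,
          [Parameter(Mandatory)][string]$UserName)
    $safe = ConvertTo-LdapFilterValue -Value $UserName
    # Same shape as the filter in the reply above: <base>;filter;attributes;scope
    "<LDAP://$NamingContext>;(&(objectCategory=User)(name=$safe));GivenName,sn,telephoneNumber,mail;subtree"
}

# Constructed sample values; the naming context is made up.
$namectx = 'DC=example,DC=local'
New-UserLookupFilter -NamingContext $namectx -UserName 'jdoe'
# A legitimate CN containing parentheses would otherwise break the filter syntax;
# escaped, it stays a single equality match. A bare '*' would otherwise match
# every user, and the page would display whichever row came back first.
New-UserLookupFilter -NamingContext $namectx -UserName 'Doe (Contractor)'
New-UserLookupFilter -NamingContext $namectx -UserName '*'
```

    The second call yields name=Doe \28Contractor\29 and the third name=\2a, so neither value can change the meaning of the filter.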
  • I see nothing wrong with the query, as long as the variable domuser has a valid value (the Common Name of a user or contact).

    Richard Mueller


    MVP ADSI


    That's the problem. The query works if I run it from my development laptop but fails if I move it to the server. Hence the query is almost certainly OK and it must be some configuration setting on the server. Any clue as to what it might be would be helpful.

    Thanks

    Tuesday, November 16, 2010 9:54 AM

  • Hi,

    The error 80040e37 means DB_E_NOTABLE. I suggest you try to change the "ldapfilter=…" to test.

    ldapFilter = "<LDAP://" & namectx & _
      ">;(&(objectCategory=User)(name=" & domuser & "))" & _
      "; GivenName,sn,telephoneNumber,mail;subtree"


    How To Use ADO to Access Objects Through an ADSI LDAP Provider
    http://support.microsoft.com/kb/187529

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    That was actually the syntax I originally tried, which also fails. Unfortunately, all I'm getting from that on the server is a "500 Internal Server Error" page (it works fine on the laptop). I'm looking through the event logs, but so far have only found the logon/logoff audit for the access. Where would more details of the actual problem be located?

    Thanks

    Tuesday, November 16, 2010 10:20 AM
  • Changing the code to:

    <%@LANGUAGE="VBSCRIPT"%>
    <html>
    <head>
    </head>
    <body>
    <%
    domuser = request.querystring("U")
    response.Write("<h1>DomUser is:"+domuser+"<br/></h1>"+vbcrlf)
    response.Flush()
    Dim oRootDSE
    Set oRootDSE = GetObject("LDAP://RootDSE")
    dim namectx
    namectx = oRootDSE.Get("defaultNamingContext")
    'ldapfilter = "select GivenName,sn,telephoneNumber,mail from 'LDAP://" & _
    '  namectx & "' where objectCategory='User' and name='" & domuser & "'"
    ldapFilter = "<LDAP://" & namectx & _
      ">;(&(objectCategory=User)(name=" & domuser & "))" & _
      "; GivenName,sn,telephoneNumber,mail;subtree"
    dim cn
    set cn = CreateObject("ADODB.Connection")
    cn.Provider = "ADsDSOObject"
    cn.Open "Active Directory Provider"
    dim cmd
    set cmd = CreateObject("ADODB.Command")
    cmd.ActiveConnection = cn
    cmd.Properties("Timeout") = 30
    cmd.Properties("SearchScope") = 2 ' ADS_SCOPE_SUBTREE
    cmd.Properties("Cache Results") = False
    cmd.CommandText = ldapfilter
    dim rs
    set rs = cmd.Execute
    %>
    <table border=1>
    <tr><td>User:</td><td><%=domuser %></td></tr>
    <tr><td>GivenName:</td><td><%=rs("GivenName") %></td></tr>
    <tr><td>sn:</td><td><%=rs("sn") %></td></tr>
    <tr><td>telephoneNumber:</td><td><%=rs("telephoneNumber") %></td></tr>
    <tr><td>mail:</td><td><%=rs("mail") %></td></tr>
    </table>
    </body>
    </html>

    I get:

    DomUser is:ddongray

    Active Directory error '80040e37'

    An operations error occurred.

    /perform/Test/ldap.asp, line 31

    On the laptop the correct result is returned, i.e. first name, last name, telephone...

    Hence, as far as I can see, it must be a config setting on the server, but I haven't found any indication as to what it is.

    Tuesday, November 16, 2010 10:34 AM
  • I lack experience with IIS, but I think you have identified the problem. I recall related discussions in the old ADSI newsgroup. You can find these threads if you search on "double hop" and author "Joe Kaplan", as he seems to have had the most knowledge on the authentication and delegation issues. I will say there are no AD or ADO settings that will help (other than to use alternate credentials). Any fix probably would involve IIS configuration settings.

    Richard Mueller


    MVP ADSI
    Tuesday, November 16, 2010 6:02 PM
  • While testing this out I found that it did not work until I changed "Anonymous Authentication" from "Specific User" to "Application Pool Identity" in IIS 7.0. With this setting changed I was able to enable "Windows Authentication" with no apparent issues.
    • Proposed as answer by kamran usmani Tuesday, May 14, 2013 12:26 PM
    Thursday, May 19, 2011 1:03 PM
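    The settings the last reply changed in IIS Manager correspond to two attributes in applicationHost.config. As an added example that is not part of the thread, the PowerShell below reads them and applies the same change through the WebAdministration module; the application path is a placeholder and the function names are assumptions.

```powershell
# Added example, not from the thread: read and apply the IIS 7 authentication
# settings described in the last reply, via the WebAdministration module.
# Assumption: the application path below is a placeholder for the real one.
Import-Module WebAdministration

$AuthSection = 'system.webServer/security/authentication'

function Get-AspAuthState {
    param([Parameter(Mandatory)][string]$Location)
    $anon = Get-WebConfiguration -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthSection/anonymousAuthentication"
    $win  = Get-WebConfiguration -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthSection/windowsAuthentication"
    # An empty userName is what IIS Manager shows as "Application Pool Identity";
    # a named account (IUSR by default) is the "Specific User" setting.
    $identity = 'Application Pool Identity'
    if (-not [string]::IsNullOrEmpty($anon.userName)) {
        $identity = "Specific User: $($anon.userName)"
    }
    [pscustomobject]@{
        Location           = $Location
        AnonymousEnabled   = [bool]$anon.enabled
        AnonymousIdentity  = $identity
        WindowsAuthEnabled = [bool]$win.enabled
    }
}

function Set-AspAuthForWindowsAuth {
    param([Parameter(Mandatory)][string]$Location)
    # These writes land in a <location path="..."> element of applicationHost.config,
    # which is allowed even though the authentication sections are locked for web.config.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthSection/anonymousAuthentication" -Name userName -Value ''
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthSection/windowsAuthentication" -Name enabled -Value $true
}

$app = 'Default Web Site/perform'   # placeholder; the thread's page lives under /perform/Test/
Get-AspAuthState -Location $app      # before
Set-AspAuthForWindowsAuth -Location $app
Get-AspAuthState -Location $app      # after: AnonymousIdentity = Application Pool Identity
```

    With Anonymous and Windows Authentication both enabled, IIS serves a request anonymously unless something forces a challenge, so confirm that LOGON_USER is still populated for the page before relying on it for domuser.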