Windows Server 2012 R2 - Active Directory with anonymous Login

  • Question

  • Hi All,

    We have enabled anonymous login on the AD server and then gave anonymous access (Read all properties & Read all permissions) to the required OUs.

    We are able to retrieve properties like name, description, type, etc. with anonymous access. However, retrieval of UUID properties like objectCategory and objectGUID is unsuccessful (throws an unknown COM exception).

    Is this a known limitation? If yes, please let us know the reason and a workaround; otherwise, please help us resolve the issue.

    Note:

    1. Retrieval of all properties is successful with secure binding.

    2. Just to reduce variables, we even tried to enable anonymous access on the root and got the same results.

    3. We have applied all the latest updates for 2012.

    4. We are able to replicate the same behavior on Windows Server 2019.

    Thanks

    Padma

    Thursday, October 10, 2019 4:03 AM

All replies

  • Hi,

    Thanks for your question.

    Sorry, I don't think it is a known limitation. Please check that you have enabled anonymous access to AD correctly; you also have to give anonymous access to the required OUs.

    Please try to check your steps by the link below:

    https://activedirectoryfaq.com/2016/09/anonymous-access/

    I have tested in my environment.

    Best regards,

    Lee


    Just do it.

    Thursday, October 10, 2019 7:28 AM
    Moderator
  • Hi Lee,

    Thank you for your help. We have correctly set up the anonymous configuration, and that is why we are able to get properties other than the UUID.

    To clarify, our application is using [System.DirectoryServices] to perform an LDAP search programmatically. We do not permit searching for an individual person's CN; we support the CN of an OU or GROUP and then enumerate membership by traversing the tree or RootDSE.


    When we bind securely we can fully sync all LDAP attributes. When we bind anonymously, all system-assigned attributes, e.g. ObjectGUID, are not returned in the search. We are of the understanding, possibly incorrectly, that this is due to the difference in BaseDN vs. BindDN when logging on anonymously.


    We have replicated this behaviour outside our application using this tool: http://ldaptool.sourceforge.net/. If Anonymous Logon is enabled we get no ObjectGUID returned in the tree.


    On the test domain we have set the dSHeuristics outer value to 2 and adjusted the read-only properties for the account. Additionally, if we make this a RDC and bind securely, then all attributes are returned. It is only when we bind anonymously that the attributes are not returned.


    We have tried on a domain and forest functional level of 2012 and 2012 R2 with the same results.

    Try the sample code below on any of your OUs:

    using System;
    using System.DirectoryServices;

    // path : LDAP://yourserver/OU=your ou,DC=domain, dc=com
    string path = "LDAP://yourserver/OU=your ou,DC=domain, dc=com";

    // Anonymous bind: empty user name and password with AuthenticationTypes.Anonymous
    using (DirectoryEntry entry = new DirectoryEntry(path, string.Empty, string.Empty, AuthenticationTypes.Anonymous))
    {
        object o1 = entry.Properties["name"].Value;       // successful
        object o = entry.Properties["objectGUID"].Value;  // unsuccessful
    }

    Thanks

    Padma


    Friday, October 11, 2019 11:49 AM
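A PowerShell audit script, added here as an example and not code from the thread, that checks both halves of the situation above from an administrator's side: whether dSHeuristics on the DC has anonymous LDAP operations enabled at all, and which attributes an anonymous bind to an OU actually hands back (converting objectGUID from its byte[] form when it is present instead of failing on it). $Server and $OuDn are placeholders; it assumes PowerShell 5 or later and the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread). Placeholders: $Server, $OuDn.
param(
    [string]$Server = 'dc01.example.com',              # placeholder DC
    [string]$OuDn   = 'OU=Staff,DC=example,DC=com'     # placeholder OU
)
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

# 1. dSHeuristics lives on the Directory Service object in the configuration
#    partition. Its 7th character (fLDAPBlockAnonOps) set to '2' allows
#    anonymous LDAP operations beyond RootDSE; anything else keeps the default block.
$cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
$dsObj = Get-ADObject -Server $Server `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
    -Properties dSHeuristics
$h = [string]$dsObj.dSHeuristics
$anonEnabled = ($h.Length -ge 7) -and ($h[6] -eq '2')
Write-Host "dSHeuristics='$h' -> anonymous LDAP operations enabled: $anonEnabled"

# 2. Bind anonymously (empty user name and password) and record, attribute by
#    attribute, what comes back. A $null value means the server did not return it;
#    an exception is reported rather than aborting the whole check.
$entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
    "LDAP://$Server/$OuDn", [string]::Empty, [string]::Empty,
    [System.DirectoryServices.AuthenticationTypes]::Anonymous)

foreach ($attr in 'name', 'description', 'objectCategory', 'objectGUID') {
    try {
        $v = $entry.Properties[$attr].Value
        if ($null -eq $v) {
            $state = 'not returned'
        } elseif ($attr -eq 'objectGUID') {
            $state = [guid]::new([byte[]]$v).ToString()   # byte[] -> Guid text
        } else {
            $state = [string]$v
        }
        Write-Host ("{0,-16} {1}" -f $attr, $state)
    } catch {
        Write-Host ("{0,-16} ERROR: {1}" -f $attr, $_.Exception.Message)
    }
}
```

Run it once with anonymous operations disabled and once enabled to see exactly what an unauthenticated client on the network can enumerate from that OU.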