Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP General > Unable to perform GetObject("LDAP://...") bindings when logged in overnight (error '800a0046')

Reply
Thread Tools

Unable to perform GetObject("LDAP://...") bindings when logged in overnight (error '800a0046')

 
 
aydeejay
Guest
Posts: n/a
 
      08-21-2007
I'm trying to troubleshoot an issue where users are not able to bind
with LDAP via "GetObject" through our ASP Classic Intranet if they
stay logged in overnight (beyond their allowed login hours). The
problem does not occur when performing the same bindings using a logon
script.

So, the user logs in, is able to perform queries all day, and then
fails to log out at the end of the day. We'd prefer that they did log
out nightly, but it happens...

The following morning they unlock their machine during allowed logon
hours and are unable to bind to Active Directory via our Intranet
until they log out / back in or perform a RunAs using their own
credentials.

Any idea what could be happening? We've got "Windows Integrated
Authentication" and "Basic Authentication" enabled, anonymous access
is disabled.

The Intranet has no problem authenticating them and recognizing their
username, but any attempts to bind via GetObject generate this error:

Microsoft VBScript runtime error '800a0046'

Permission denied: 'GetObject'

/auth_functions.asp, line 18

Thanks!

 
Reply With Quote
 
 
 
 
ThatsIT.net.au
Guest
Posts: n/a
 
      08-22-2007
You could run a script logging out all users each night


"aydeejay" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I'm trying to troubleshoot an issue where users are not able to bind
> with LDAP via "GetObject" through our ASP Classic Intranet if they
> stay logged in overnight (beyond their allowed login hours). The
> problem does not occur when performing the same bindings using a logon
> script.
>
> So, the user logs in, is able to perform queries all day, and then
> fails to log out at the end of the day. We'd prefer that they did log
> out nightly, but it happens...
>
> The following morning they unlock their machine during allowed logon
> hours and are unable to bind to Active Directory via our Intranet
> until they log out / back in or perform a RunAs using their own
> credentials.
>
> Any idea what could be happening? We've got "Windows Integrated
> Authentication" and "Basic Authentication" enabled, anonymous access
> is disabled.
>
> The Intranet has no problem authenticating them and recognizing their
> username, but any attempts to bind via GetObject generate this error:
>
> Microsoft VBScript runtime error '800a0046'
>
> Permission denied: 'GetObject'
>
> /auth_functions.asp, line 18
>
> Thanks!
>


 
Reply With Quote
 
 
 
 
aydeejay
Guest
Posts: n/a
 
      08-23-2007
What I'm really looking for is some sort of explanation of what could
be happening -- we could certainly log everyone out as a workaround,
but there are certain users and machines, such as my own, where this
is undesirable.

As it turns out the problem does not involve logon hours, but it seems
to be contingent on how long they remain logged into the system.

This is definitely a Kerberos-related issue...if I stay logged in
overnight and run an ASP script that looks at authentication server
variables to determine the method of authentication being used, NTLM
is employed. If I log out and back into my machine, Kerberos is
employed.

This seems to be an issue involving Kerberos ticket renewal /
expiration, but I haven't read any similar accounts of this problem.

"klist tgt" generates this error under a "stale" login session (left
overnight):

Error calling function LsaCallAuthenticationPackage: 0
The operation completed successfully.
Substatus: 0x8009030e

Under a "fresh" login it works fine:

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: ajones
DomainName: xxx
TargetDomainName: xxx
AltTargetDomainName: xxx
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:103:804
StartTime: 8/23/2007 12:25:28
EndTime: 8/23/2007 21:00:00
RenewUntil: 8/23/2007 21:00:00
TimeSkew: 8/23/2007 21:00:00

On Aug 22, 9:48 am, "ThatsIT.net.au" <me@thatsit> wrote:
> You could run a script logging out all users each night
>
> "aydeejay" <(E-Mail Removed)> wrote in message
>
> news:(E-Mail Removed) oups.com...
>
>
>
> > I'm trying to troubleshoot an issue where users are not able to bind
> > with LDAP via "GetObject" through our ASP Classic Intranet if they
> > stay logged in overnight (beyond their allowed login hours). The
> > problem does not occur when performing the same bindings using a logon
> > script.

>
> > So, the user logs in, is able to perform queries all day, and then
> > fails to log out at the end of the day. We'd prefer that they did log
> > out nightly, but it happens...

>
> > The following morning they unlock their machine during allowed logon
> > hours and are unable to bind to Active Directory via our Intranet
> > until they log out / back in or perform a RunAs using their own
> > credentials.

>
> > Any idea what could be happening? We've got "Windows Integrated
> > Authentication" and "Basic Authentication" enabled, anonymous access
> > is disabled.

>
> > The Intranet has no problem authenticating them and recognizing their
> > username, but any attempts to bind via GetObject generate this error:

>
> > Microsoft VBScript runtime error '800a0046'

>
> > Permission denied: 'GetObject'

>
> > /auth_functions.asp, line 18

>
> > Thanks!- Hide quoted text -

>
> - Show quoted text -



 
Reply With Quote
 
ThatsIT.net.au
Guest
Posts: n/a
 
      08-24-2007

"aydeejay" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> What I'm really looking for is some sort of explanation of what could
> be happening -- we could certainly log everyone out as a workaround,
> but there are certain users and machines, such as my own, where this
> is undesirable.
>
> As it turns out the problem does not involve logon hours, but it seems
> to be contingent on how long they remain logged into the system.
>
> This is definitely a Kerberos-related issue...if I stay logged in
> overnight and run an ASP script that looks at authentication server
> variables to determine the method of authentication being used, NTLM
> is employed. If I log out and back into my machine, Kerberos is
> employed.



It seem like some sort of expiry problem.


>
> This seems to be an issue involving Kerberos ticket renewal /
> expiration, but I haven't read any similar accounts of this problem.
>
> "klist tgt" generates this error under a "stale" login session (left
> overnight):


you may be able to change the life time of the ticket somewhere


>
> Error calling function LsaCallAuthenticationPackage: 0
> The operation completed successfully.
> Substatus: 0x8009030e
>
> Under a "fresh" login it works fine:
>
> Cached TGT:
>
> ServiceName: krbtgt
> TargetName: krbtgt
> FullServiceName: ajones
> DomainName: xxx
> TargetDomainName: xxx
> AltTargetDomainName: xxx
> TicketFlags: 0x40e00000
> KeyExpirationTime: 256/0/29920 0:103:804
> StartTime: 8/23/2007 12:25:28
> EndTime: 8/23/2007 21:00:00
> RenewUntil: 8/23/2007 21:00:00
> TimeSkew: 8/23/2007 21:00:00
>
> On Aug 22, 9:48 am, "ThatsIT.net.au" <me@thatsit> wrote:
>> You could run a script logging out all users each night
>>
>> "aydeejay" <(E-Mail Removed)> wrote in message
>>
>> news:(E-Mail Removed) oups.com...
>>
>>
>>
>> > I'm trying to troubleshoot an issue where users are not able to bind
>> > with LDAP via "GetObject" through our ASP Classic Intranet if they
>> > stay logged in overnight (beyond their allowed login hours). The
>> > problem does not occur when performing the same bindings using a logon
>> > script.

>>
>> > So, the user logs in, is able to perform queries all day, and then
>> > fails to log out at the end of the day. We'd prefer that they did log
>> > out nightly, but it happens...

>>
>> > The following morning they unlock their machine during allowed logon
>> > hours and are unable to bind to Active Directory via our Intranet
>> > until they log out / back in or perform a RunAs using their own
>> > credentials.

>>
>> > Any idea what could be happening? We've got "Windows Integrated
>> > Authentication" and "Basic Authentication" enabled, anonymous access
>> > is disabled.

>>
>> > The Intranet has no problem authenticating them and recognizing their
>> > username, but any attempts to bind via GetObject generate this error:

>>
>> > Microsoft VBScript runtime error '800a0046'

>>
>> > Permission denied: 'GetObject'

>>
>> > /auth_functions.asp, line 18

>>
>> > Thanks!- Hide quoted text -

>>
>> - Show quoted text -

>
>


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Unable to open the Web...You are not authorized to perform the current operation ssg31415926 ASP .Net 3 08-03-2007 02:10 PM
Serious issue: parts of my page render as not logged in, parts as logged in. Help! pcloches@gmail.com ASP .Net 1 04-12-2007 12:50 AM
LoginView does not show a logged in user as being logged in keithb ASP .Net 0 02-16-2006 05:20 PM
performance problem when running java applications overnight york Java 10 10-23-2004 10:27 PM
IP Adress not renewing overnight David Wireless Networking 0 07-13-2004 03:18 PM



Advertisments