
Permission denied: 'GetObject'

 
cjmnews04

External


Since: Jun 23, 2004
Posts: 12



(Msg. 1) Posted: Thu Sep 30, 2004 8:41 pm
Post subject: Permission denied: 'GetObject'
Archived from groups: microsoft>public>inetserver>asp>general, others

I'm building an ASP app that uses Windows Authentication (IWA).

I have an authentication routine that assesses if & how the user can use the
application (see code snippet below). Users of a particular group have full
permissions (configured via IIS) and all other users have read/execute
permissions.

When I call the authentication page from the server on my own PC, everything
seems to work, but I guess this is not a representative test. So I
installed the page on my development server and called it again from my own
PC. This time I got an error: Permission denied: 'GetObject'.

The error occurs on the second GetObject call. It seems to point to a
permissions issue, but I'm not sure where to look.

Any ideas?

Cheers

Chris

Code Snippet:

Sub AuthUser()
    Dim oGroup, oUser, aUID

    If Session("UID") = "" Or 1 Then 'remove "or 1" from live system
        'LOGON_USER arrives as DOMAIN\user; split it into its two parts
        aUID = Split(Request("LOGON_USER"), "\")

        'Check if aUID(1) holds a value
        If UBound(aUID) > 0 Then
            'Debug output, written only once both parts are known to exist
            Response.Write aUID(0) & " " & aUID(1)

            'Bind to the group and the user through the ADSI WinNT provider
            Set oGroup = GetObject("WinNT://" & "HEXADEX" & "/" & _
                "Teconnex_Scope_Users" & ",group")
            Set oUser = GetObject("WinNT://" & "HEXADEX" & "/" & aUID(1) & ",user") '<======== Error line.

            If oGroup.IsMember(oUser.ADsPath) Then
                'User authenticated
                Session("UID") = aUID(1)
                Session("Name") = oUser.Fullname
                Session("Auth") = 1
            Else
                'Signed in as Guest
                Session("UID") = "Guest"
                Session("Name") = oUser.Fullname
                Session("Auth") = 0
            End If
        Else
            'Other problem so sign in as Guest
            Session("UID") = "Guest"
            Session("Auth") = 0
        End If
    End If
End Sub

nospam167

External


Since: Sep 30, 2004
Posts: 1



(Msg. 2) Posted: Thu Sep 30, 2004 10:20 pm
Post subject: Re: Permission denied: 'GetObject'
Archived from groups: per prev. post

Sounds similar to a problem I had with this. If I remember correctly it was
down to user permissions on the Active Directory container; we had read-only
access for everyone and that worked, but it was taken off and we just got
the same error as you.
What we did was to change the user in IIS to a user which had domain admin
rights (or at least read rights to the Active Directory).
Might not be the best way round it, but it was an internal project and
security of this didn't cause us a problem.
Hope this helps.

Cheers,
Rob

user1375

External


Since: Feb 03, 2004
Posts: 423



(Msg. 3) Posted: Fri Oct 01, 2004 10:09 am
Post subject: Re: Permission denied: 'GetObject'
Archived from groups: microsoft>public>inetserver>iis

Hi Chris,

If the account being queried by the GetObject call is a domain
account, it's expected that the code could not work with integrated
Windows authentication.

When we are using integrated auth, the authenticated user account's
logon type is NETWORK logon. This NETWORK logon session is used by
IIS to ship the ASP thread. It can access resources on the IIS
machine without problem. However, a NETWORK logon session cannot be
used to access resources on a 'third' machine (a 2-hop scenario). In
your case, it cannot access your domain controller to query the
account info from AD.

To verify this point you can enable security auditing on your IIS
machine (in case it's a local account) or DC to track it down.

1) Go to Administrative Tools -> Local Security Settings (Domain
Controller Security Settings) -> Local Policies (Domain Policies) ->
Audit Policy, and enable all kinds of failure audits.

2) Then open Event Viewer, clear and save the current Security log.
Browse to the problem virtual directory to reproduce the permission
denied error and then refresh the Security log to check whether any
failure event appears.

If it is just a 2-hop scenario, a solution is to enable Kerberos
delegation, but this isn't convenient enough because every IE client
must enforce its integrated auth to Kerberos rather than
NTLM (default). A more workable workaround, I think, is wrapping the
code into a COM+ application and specifying a domain account as its
running identity. Then you just call the COM+ component in your ASP
code. Or create a component to implement impersonation in ASP. Both
methods are explained in the following article:

How to impersonate a user from Active Server Pages
http://support.microsoft.com/?id=248187

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
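
The audit check described in steps 1) and 2) of the post above, scripted as an added example that is not part of the original thread or any Microsoft guidance. It assumes a current Windows Server with `auditpol` and `Get-WinEvent`, an elevated session, a backup file path chosen here, and a time window in place of clearing the log.

```powershell
# Added example. Run elevated on the IIS server (local account case)
# or on the domain controller (domain account case).
$backup = Join-Path $env:TEMP 'auditpol-before.csv'   # assumed path
auditpol /backup /file:$backup | Out-Null             # save the current policy

# Step 1: enable failure auditing for every audit category.
auditpol /set /category:* /failure:enable | Out-Null

# Step 2: mark a time window rather than clearing the Security log,
# so existing audit history is preserved.
$start = Get-Date
Read-Host 'Reproduce the Permission denied error, then press Enter' | Out-Null

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = 4503599627370496   # 0x10000000000000 = Audit Failure
    StartTime = $start
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # EventData fields are named in the event XML; index them by name.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    # Fields an event does not carry are simply left empty.
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Account   = $data['TargetUserName']
        LogonType = $data['LogonType']   # 3 = network logon
        Source    = $data['IpAddress']
        Status    = $data['Status']
    }
}

if ($report) { $report | Sort-Object Time | Format-Table -AutoSize }
else { 'No audit failures were logged in the test window.' }

# Put the audit policy back the way it was before the test.
auditpol /restore /file:$backup | Out-Null
```

Restoring the saved policy at the end keeps the blanket failure auditing from staying on after the test.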