GetObject LDAP request fails in Windows 10, works in Windows 7


  • Run in Windows 7, the GetObject request below works, but in Windows 10 the code fails. The folder where the script lives has Anonymous Authentication disabled and Windows Authentication enabled.

    GetObject(CN=John Doe,OU=Users,OU=Production,DC=CN,DC=CA")

    In the code above I had to remove the "LDAP+colon+//" between the ( and the CN to get this question past the automated censors that were treating it like a link.

    returns error number -2147016672

    • Changed type Bill_Stewart Monday, September 11, 2017 3:40 PM
    • Moved by Bill_Stewart Monday, September 11, 2017 3:40 PM This is not ASP development forum
    Monday, July 10, 2017 2:52 PM

All replies

  • It doesn't matter where the script file sits, as long as the account that should run the script can read it. It matters which account executes the script. Presuming you are talking about VBScript, the correct syntax would be:


    Dim User
    Set User = GetObject("LDAP://CN=John Doe,OU=Users,OU=Production,DC=CN,DC=CA")
    

    Error -2147016672 resolves to (hex, unsigned 32-bit value) 0x80072020. Ignoring the high word (0x8007), the low word is 0x2020 = 8224 decimal = (English) "An operations error occurred."

    It's not really possible to say much else about your question since you have provided very little context.

    (As an aside, we would recommend PowerShell rather than VBScript anyway.)


    -- Bill Stewart [Bill_Stewart]



    Monday, July 10, 2017 3:01 PM
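The decoding Bill does by hand above (signed decimal to hex, split off the facility, look up the low word) is worth having as a function. This is an added example, not code from the thread; it assumes nothing beyond .NET being present on the box where you run it.

```powershell
# Added example (not from the thread): decode a signed-decimal HRESULT such as
# -2147016672 the way the reply above does by hand, then look up the message.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][int]$HResult)

    # Reinterpret the signed 32-bit value as unsigned: -2147016672 -> 0x80072020
    $u        = [uint32](([int64]$HResult) -band 0xFFFFFFFF)
    $facility = [int](($u -shr 16) -band 0x7FF)    # bits 16-26; 7 = FACILITY_WIN32
    $code     = [int]($u -band 0xFFFF)             # low word; 8224 for this error

    if ($facility -eq 7) {
        # FACILITY_WIN32: the low word is a plain Win32/system error code
        $message = (New-Object System.ComponentModel.Win32Exception($code)).Message
    } else {
        # Anything else: let the runtime map the whole HRESULT
        $message = [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($HResult).Message
    }

    [pscustomobject]@{
        HResult  = $HResult
        Hex      = '0x{0:X8}' -f $u
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

# The OP's value: facility 7, code 8224 (ERROR_DS_OPERATIONS_ERROR)
ConvertFrom-HResult -HResult (-2147016672)
```

Only FACILITY_WIN32 values can be looked up through Win32Exception; for other facilities (COM, ADSI's own 0x8000500x range) the Marshal lookup returns whatever message the runtime knows, which may be generic.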
  • Bill, thanks for the reply. I am new and not certain which info is relevant.
    There are several hundred lines of code and I did not want to dump that on the readers.

    To provide more context...

    This web application displays the user's logon ID, name, and email address, then checks that the user is a member of an AD group prior to allowing them to submit requests to restricted services.

    Users of this web application are being upgraded from Windows 7 to Windows 10. The application contains, as one might expect, HTML, CSS, JavaScript, jQuery with AJAX and JSON, and VBScript. The AJAX code is calling the VBScript. The VBScript, if I understand correctly, runs on the server.
    The server is Windows 2012 x64 R2.
    The code running on this server fails only when the client is on a Windows 10 OS.

    The JavaScript code snippet is below, followed by the complete VBScript code PromoADuser.asp. The Private Function OpenObjUserLDAP returns with an error at this statement:
     Set ObjUserLDAP = GetObject( "LDAP://" & ADuserDN & "" )
    The value of ADuserDN is CN=John Doe,OU=Users,OU=Production,DC=CN,DC=CA

    function get_user_info() {
      $.ajax( {
        url: '/PromotionForm/scripts/PromoADuser.asp?req=pin&rnd=' + (new Date).getTime(), // rnd : refresh each call to get up-to-date info !!!
        type: 'POST',
        contentType: 'application/x-www-form-urlencoded; charset=utf-8', // default
        async: false,
        dataType: "json",
        success: function( json ) { proc_user_info( json ); }, // function( json, status ) { alert( json ); }
        error: function( jqXHRobj, status, error ) { // Note : error: function() not called for cross-domain script and cross-domain JSONP requests
          alert( status + ' / ' + error ); // eg.: "error / Not Found" if the url given does not exist / eg.: "parseerror / SyntaxError: Syntax error"
        }
      } );
    }

    <%@ LANGUAGE="VBScript" CODEPAGE="65001" %>
    <% Option Explicit %>
    <% Response.CodePage = 65001 %>
    <% Response.CharSet = "UTF-8" %>
    <% Response.ContentType = "text/html" %>
    <% Response.CacheControl = "no-store" ' File not stored in the local cache %>
    <% Response.CacheControl = "private" %>
    <% Response.Expires = -1 %>
    <% Response.ExpiresAbsolute = Now() - 2 %>
    <% Response.AddHeader "pragma","no-cache" %>
    <% Response.AddHeader "cache-control","private" %>
    <% 'Response.ContentType = "application/x-www-form-urlencoded" %>
    <% 'Server.ScriptTimeout = 600 %>

    <% 'øøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøø %>
    <% 'øøø  Written by                    øøø %>
    <% 'øøø  Updated Aug. 10, 2015                  øøø %>
    <% 'øøø  The Promotion Form home page calls here using url query string data.          øøø %>
    <% 'øøø     øøø %>
    <% 'øøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøøø %>

    <%
    '~~~  Private Functions to this script only  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Private Function GetADval( ByRef ADval, ByVal ObjUserLDAP )
     On Error Resume Next

     Select Case ADval
      Case "PIN"
       ' sAMAccountName of the authenticated caller, taken from IIS (DOMAIN\user) rather than from AD
       ADval = Request.ServerVariables( "AUTH_USER" )
       ADval = Right( ADval, Len( ADval ) - InStrRev( ADval, "\") )
       ADval = LCase( ADval )
     '  ADval = ObjUserLDAP.SAMAccountname
      Case "Common Name"
       ADval = ObjUserLDAP.cn
      Case "Email Address"
       ADval = ObjUserLDAP.emailAddress ' IADsUser.EmailAddress, i.e. the "mail" attribute
      Case Else
       ADval = "Property not available"
     End Select

     'If ( ADval = "" ) Then ADval = "(empty)"

     If ( Err.Number <> 0 ) Then
      GetADval = Err.Description
      GetADval = Replace( GetADval, VbCrLf, " " )
      GetADval = Replace( GetADval, "'", " " )
      Err.Clear()
      Exit Function
     End If

     GetADval = "OK"
    End Function

    Private Function GetADuserDN( ByRef ADuserDN )
     On Error Resume Next
     Dim ObjSysInfo

     GetADuserDN =  "ObjSysInfo Is Nothing"
     Set ObjSysInfo = Server.CreateObject( "ADSystemInfo" )

     If ( Err.Number <> 0 ) Then
     
      Set ObjSysInfo = Nothing
      ADuserDN = ""
      GetADuserDN = "ObjSysInfo : " & Err.Description
      GetADuserDN = Replace( GetADuserDN, VbCrLf, " " )
      GetADuserDN = Replace( GetADuserDN, "'", " " )
      Err.Clear()
      Exit Function
     End If

     If ( ObjSysInfo Is Nothing ) Then Exit Function

     ADuserDN = ObjSysInfo.UserName ' Returns the DN of the account this request runs as, eg.: "CN=Firstname Lastname,OU=Users,OU=Production,DC=CN,DC=CA"
     Set ObjSysInfo = Nothing

     If ( Err.Number <> 0 ) Then
      GetADuserDN = "ObjSysInfo.UserName : " & Err.Description
      GetADuserDN = Replace( GetADuserDN, VbCrLf, " " )
      GetADuserDN = Replace( GetADuserDN, "'", " " )
      Err.Clear()
      Exit Function
     End If 

     GetADuserDN = "OK"
    End Function

    Private Function OpenObjUserLDAP( ByRef ObjUserLDAP, ByVal ADuserDN )
     On Error Resume Next

     OpenObjUserLDAP = "ObjUserLDAP Is Nothing"
     Set ObjUserLDAP = GetObject( "LDAP://" & ADuserDN & "" ) ' or "LDAP://CN.CA/" ...

     If ( Err.Number <> 0 ) Then
      Set ObjUserLDAP = Nothing
      OpenObjUserLDAP = "ObjUserLDAP Error " & Err.Description
      OpenObjUserLDAP = Replace( OpenObjUserLDAP, VbCrLf, " " )
      OpenObjUserLDAP = Replace( OpenObjUserLDAP, "'", " " )
      Err.Clear()
      Exit Function
     End If

     If ( ObjUserLDAP Is Nothing ) Then Exit Function
     OpenObjUserLDAP = "OK"
    End Function
    '~~~  End Private Functions  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Private Function GetUserInfoPINNameEmail( ByRef PINAD, ByRef CommonNameAD, ByRef EmailAddressAD )
     PINAD = "PIN"
     CommonNameAD = "Common Name"
     EmailAddressAD = "Email Address"

     Dim ADuserDN ' user's distinguished name string is returned ByRef from function GetADuserDN
     GetUserInfoPINNameEmail = GetADuserDN( ADuserDN )
     If ( GetUserInfoPINNameEmail <> "OK" ) Then Exit Function

     Dim ObjUserLDAP ' object to use to search with is returned ByRef from function OpenObjUserLDAP
     GetUserInfoPINNameEmail = OpenObjUserLDAP( ObjUserLDAP, ADuserDN )
     If ( GetUserInfoPINNameEmail <> "OK" ) Then Exit Function

     Dim FirstError
     FirstError = "OK"

     ' Function GetADval returns "OK" or some "error message" - the 1st param returns the requested value or "" if empty
     GetUserInfoPINNameEmail = GetADval( PINAD, ObjUserLDAP ) ' we MUST have the user's PIN
     If ( ( GetUserInfoPINNameEmail <> "OK" ) And ( FirstError = "OK" ) ) Then FirstError = PINAD & " : " & GetUserInfoPINNameEmail
     GetUserInfoPINNameEmail = GetADval( CommonNameAD, ObjUserLDAP ) ' user's name is optional
     'If ( ( GetUserInfoPINNameEmail <> "OK" ) And ( FirstError = "OK" ) ) Then FirstError = CommonNameAD & " : " & GetUserInfoPINNameEmail
     If ( GetUserInfoPINNameEmail <> "OK" ) Then CommonNameAD = ""
     GetUserInfoPINNameEmail = GetADval( EmailAddressAD, ObjUserLDAP ) ' user's email address is optional
     'If ( ( GetUserInfoPINNameEmail <> "OK" ) And ( FirstError = "OK" ) ) Then FirstError = EmailAddressAD & " : " & GetUserInfoPINNameEmail
     If ( GetUserInfoPINNameEmail <> "OK" ) Then EmailAddressAD = ""

     Set ObjUserLDAP = Nothing

     GetUserInfoPINNameEmail = FirstError ' return "OK" if PIN is found
    End Function
    %>

    <%
    Private Function FoundMemberInGroup( ByRef ADgroupAuth, ByVal ADUserPIN, ByVal UserGroup )
    ' ADUserPIN AND UserGroup will NEVER be "" here
     ADgroupAuth = "N/D"
     Dim ObjADUser

     On Error Resume Next

     Set ObjADUser = GetObject( "WinNT://CN.CA/" & UserGroup & ",Group" )
     If ( Err.Number <> 0 ) Then
      Set ObjADUser = Nothing
      FoundMemberInGroup = Err.Description
      FoundMemberInGroup = Replace( FoundMemberInGroup, "'", "" )
      FoundMemberInGroup = Replace( FoundMemberInGroup, VbCrLf, "" )
      FoundMemberInGroup = FoundMemberInGroup & " - User " & ADUserPIN & " group membership could not be determined (WinNT)."
      Exit Function
     End If

     Dim Found, Member
     Found = False

     For Each Member In ObjADUser.members
      If ( LCase( Member.Name ) = LCase( ADUserPIN ) ) Then
       Found = True
       Exit For  
      End If
     Next

     If ( Err.Number <> 0 ) Then
      Set ObjADUser = Nothing
      FoundMemberInGroup = Err.Description
      FoundMemberInGroup = Replace( FoundMemberInGroup, "'", "" )
      FoundMemberInGroup = Replace( FoundMemberInGroup, VbCrLf, "" )
      FoundMemberInGroup = FoundMemberInGroup & " - User " & ADUserPIN & " group membership could not be determined (ObjADUser.members)."
      Exit Function
     End If

     Set ObjADUser = Nothing

     ADgroupAuth = "NotMember"
     If ( Found = True ) Then ADgroupAuth = "IsMember"

     FoundMemberInGroup = "OK"
    End Function

    Dim AppRequest, AppStatus, UsrPIN, UsrName, UsrEmail, GroupAuth

    UsrPIN = "N/D"
    UsrName = "N/D"
    UsrEmail = "N/D" ' return user's email if found in AD - if not found return "" and user will type in his own email
    AppStatus = "Error in request" ' will be "OK" OR "some error message"
    GroupAuth = "N/D" ' will be "N/D", "NotMember" OR "IsMember"

    ' Promotion Request MAIN page calls this script by QUERYSTRING - "GET"
    AppRequest = Request.QueryString( "req" )
    ' Promotion Request IFRAME Existing and Scheduled and New forms call this script by FORM DATA - "POST"
    If ( AppRequest <> "pin" ) Then AppRequest = Request.Form ' the form data can ONLY only = "pin".

    If ( AppRequest = "pin" ) Then ' return UsrPIN ( and optional UsrName and UsrEmail if present ) and the AppStatus.
     AppStatus = GetUserInfoPINNameEmail( UsrPIN, UsrName, UsrEmail ) ' returns "OK" if PIN is found or "an error msg" if not
     
     If ( AppStatus = "OK" ) Then
      'Also return GroupAuth = whether user is part of the "Web-CNINET-Author" or "Web-promo-Author" AD groups that can promote ALL sites
      AppStatus = FoundMemberInGroup( GroupAuth, UsrPIN, "Web-CNINET-Author" ) ' returns "OK" ( no errors ) OR "some error msg"
      If ( ( AppStatus = "OK" ) And ( GroupAuth = "NotMember" ) ) Then AppStatus = FoundMemberInGroup( GroupAuth, UsrPIN, "Web-promo-Author" )
     End If
    End If

    ' Escape backslash and double quote so a cn, email or error text containing them cannot break the JSON
    Private Function JsonStr( ByVal s )
     JsonStr = Replace( Replace( s, "\", "\\" ), """", "\""" )
    End Function

    'AppStatus returns "OK" OR some error message - GroupAuth returns "N/D", "NotMember" OR "IsMember"
    Response.Write( "[{""pin"": """ & JsonStr( UsrPIN ) & """,""name"": """ & JsonStr( UsrName ) & """,""email"": """ & JsonStr( UsrEmail ) & """,""status"": """ & JsonStr( AppStatus ) & """,""groupauth"": """ & GroupAuth & """}]" )
    %>

    Wednesday, July 12, 2017 4:12 PM
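The posted PromoADuser.asp does three things in sequence: ADSystemInfo.UserName for the caller's DN, an LDAP bind to that DN for cn and mail, and a WinNT group enumeration compared against the sAMAccountName. The script below, an added example and not part of the thread, performs the same three steps in PowerShell under whatever token runs it and reports which step fails and with which HRESULT, so each step can be tried on the web server outside IIS. It also reports the token's authentication type and impersonation level, because under IIS Windows Authentication the ASP page runs on an impersonation token, and an interactive run will not reproduce that. The group name and domain come from the posted script; the rest (running it on the server as a test user, RSAT not required) is assumed.

```powershell
# Added example, not part of the thread's PromoADuser.asp: run the page's three
# lookups step by step under the caller's own token. Group name "Web-CNINET-Author"
# and domain "CN.CA" are taken from the posted script; everything else is assumed.
function Test-PromoUserLookup {
    param(
        [string]$GroupName = 'Web-CNINET-Author',
        [string]$Domain    = 'CN.CA'
    )
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $result = [ordered]@{
        RunningAs        = $id.Name
        AuthType         = $id.AuthenticationType   # Kerberos / NTLM / Negotiate
        ImpersonationLvl = $id.ImpersonationLevel   # None interactively; Impersonation under IIS
        Step             = ''
        Error            = ''
    }
    try {
        # Step 1: ADSystemInfo.UserName, as GetADuserDN does. The COM object has no
        # type library, so PowerShell must call the property through IDispatch.
        $result.Step = 'ADSystemInfo.UserName'
        $sysInfo = New-Object -ComObject ADSystemInfo
        $dn = $sysInfo.GetType().InvokeMember('UserName', 'GetProperty', $null, $sysInfo, $null)
        $result.UserDN = $dn

        # Step 2: the LDAP bind that fails for the OP. RefreshCache forces the bind
        # now instead of on first property access, so the error surfaces here.
        $result.Step = 'LDAP bind'
        $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
        $user.RefreshCache()
        $result.CN   = [string]$user.Properties['cn'].Value
        $result.Mail = [string]$user.Properties['mail'].Value   # IADsUser.EmailAddress maps to mail

        # Step 3: group membership. The ASP uses the WinNT provider and compares
        # Member.Name with the sAMAccountName; same thing here (no nested groups).
        $result.Step = 'Group membership'
        $sam   = [string]$user.Properties['sAMAccountName'].Value
        $group = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$Domain/$GroupName,group")
        $members = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        $result.IsMember = [bool]($members | Where-Object { $_ -ieq $sam })
        $result.Step = 'OK'
    } catch {
        $e = $_.Exception
        if ($e.InnerException) { $e = $e.InnerException }   # unwrap MethodInvocationException
        $hex = '0x{0:X8}' -f [uint32]([int64]$e.HResult -band 0xFFFFFFFF)
        $result.Error = "$hex $($e.Message)"                # e.g. 0x80072020 for the OP's failure
    }
    [pscustomobject]$result
}

Test-PromoUserLookup | Format-List
```

Run it as the user who gets the error, on the web server itself, and then compare with what the page returns: if the interactive run passes all three steps while the page fails at "LDAP bind", the difference is the token the page runs under, not the directory data.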
  • This code was written for a web server and will not run on any client.

    This line is only valid in ASP.

     Set ObjSysInfo = Server.CreateObject( "ADSystemInfo" )

    There are many other errors and holes in the code.  I don't think it actually runs anywhere.

    I recommend either contacting the author of the script for assistance or, since you are not a VBScript developer, switch to PowerShell.  VBScript is not a good way to do this and it is now deprecated for all new work.


    \_(ツ)_/

    Wednesday, July 12, 2017 4:20 PM
  • Unfortunately we're not able to answer questions about web server development in this forum (web server questions are outside this forum's scope).


    -- Bill Stewart [Bill_Stewart]

    Wednesday, July 12, 2017 4:48 PM
  • The issue requested will likely fail on the IIS web server available for Windows 10.  The ASP component is not loaded by default and W10 security will block many COM and ActiveX controls.

    The issue can be posted here: http://forums.iis.net which is the MS IIS site.   It is for IIS developers and can answer questions about ASP. 

    For security reasons you should not run ASP on a workstation without being very careful. Also the LDAP provider will not be able to connect to AD if you are trying to use impersonation.


    \_(ツ)_/

    Wednesday, July 12, 2017 5:08 PM
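jrv's remark that the LDAP provider will not connect under impersonation refers to the usual constraint: a token IIS obtained by impersonating the browser user can only be forwarded to a domain controller if the client authenticated to IIS with Kerberos and the web server is trusted for delegation. The thread does not establish why the Windows 7 and Windows 10 clients differ; the checks below, an added example and not from the thread, only gather the facts that distinction turns on. The host name, site path and computer account name are placeholders to adjust, and the last check assumes the RSAT ActiveDirectory module and a default (computer-account) application pool identity; with a custom domain account as the pool identity, the SPN and delegation setting live on that account instead.

```powershell
# Added example (not from the thread): prerequisites for the impersonated user's
# token to reach the DC from the web server. All three names are assumptions.
function Test-IisDelegationPrereqs {
    param(
        [string]$WebHost      = 'webserver.cn.ca',                 # FQDN the browser uses
        [string]$SitePath     = 'Default Web Site/PromotionForm',   # IIS path of the ASP app
        [string]$ComputerName = 'WEBSERVER'                         # AD computer account of the web server
    )
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

    # 1. Kerberos to IIS needs an HTTP SPN for the host name the browser uses
    $spn = setspn.exe -Q "HTTP/$WebHost" 2>&1

    # 2. Which providers IIS offers (Negotiate before NTLM) and whether the site uses them
    $auth = & $appcmd list config $SitePath /section:windowsAuthentication

    # 3. Whether the server may forward the impersonated token (unconstrained or constrained)
    $computer = Get-ADComputer $ComputerName -Properties 'TrustedForDelegation', 'msDS-AllowedToDelegateTo'

    [pscustomobject]@{
        SpnRegistered        = [bool]($spn -match 'Existing SPN found')
        WindowsAuthConfig    = ($auth -join "`n")
        TrustedForDelegation = $computer.TrustedForDelegation
        ConstrainedTo        = @($computer.'msDS-AllowedToDelegateTo')
    }
}

Test-IisDelegationPrereqs | Format-List

# On the Windows 10 client, after loading the page: a Kerberos ticket for the site
# shows up as "HTTP/<host>"; if none is present the browser fell back to NTLM.
#   klist | Select-String 'HTTP/'
```

If SpnRegistered is false or the client shows no HTTP/ ticket, the impersonated token is an NTLM network logon and cannot be used for a second hop to the DC, which is consistent with the page failing exactly at the LDAP bind while the same bind works interactively.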
  • jrv Consultant, thank you for your response. Yes the code is written to run on our web server.
    I did find one hole in the logic that allowed me to stay on our development server instead of the app sending me to the prod server. Other than that, the ASP code has been running successfully on our Windows 2012 server for two years. If our client PCs were not migrating to Windows 10 I would not touch the code. The author is gone and it is left to me to correct the problem with the least amount of effort. The app and server will be gone in 2018. We do have a PowerShell programmer around here; I'll contact him. Thanks again.
    Wednesday, July 12, 2017 8:26 PM
  • I think you need to understand that this is not an ASP forum or an IIS forum.  We also do not fix code left behind.  PowerShell will do you no good here.  You will need to find an ASP developer to help you with this as you are not a developer and clearly do not understand what the issues are.

    Save time and pain.   Hire a consultant.


    \_(ツ)_/

    Wednesday, July 12, 2017 8:30 PM
  • The Windows 10 support forum sent me to the Script forum and now I see from a reply by jrv Consultant that he is suggesting the MS IIS forum. I'll take both your suggestions and try the IIS forum.
    Wednesday, July 12, 2017 8:33 PM
  • I'm more confused.

    I thought the IIS web server involved here is on the Windows 2012 R2 server. The client is on the Windows 10 platform running IE11. Does the client OS provide additional client credentials to the web server when the client requests the ASP program be run? Something is different between the client Windows 7 vs 10. They are both communicating with the same server. Both are using IE 11.0.43. I expect this is a question for the MS IIS forum. Bye.

    Wednesday, July 12, 2017 8:49 PM
  • I repeat again -- this is not an IIS forum.  You will have to post in IIS forum or contact a consultant to help you sort this out.  So far nothing you have posted has explained what your issue is.

    IE on W10 is different and the IE client and W10 system must be set up according to the design of the web server.  That is not an issue for this forum.

    Without a trained consultant you will just continue going in circles.

    Posting here will not get you help as this is an administrative scripting forum and is not for deploying Windows 10 or for debugging ASP web applications.


    \_(ツ)_/

    Wednesday, July 12, 2017 9:04 PM
  • I agree with jrv that you will most likely need a consultant - someone who is familiar with both client-side and server-side scripting who can put eyes on your problem and help you troubleshoot it.

    -- Bill Stewart [Bill_Stewart]

    Wednesday, July 12, 2017 9:52 PM