RE: Secure Ldap call not working due to IUSR/IWAM permissions?

From: dave (dave@netmedic.net)
Date: 02/01/03

    From: "dave" <dave@netmedic.net>
    To: "'Turner, Keith (Contractor)'" <Keith.Turner@tea.army.mil>, <focus-ms@securityfocus.com>
    Date: Fri, 31 Jan 2003 18:54:33 -0500

    You mention server hardening.
    What methods did you use for hardening?
    Did you run IISLockdown?

    There is obviously some access you took away during your "server hardening"
    process, which is needed.

    595 is a successful object access, and 560 is a successful object open; I am
    not sure what the references to those are.

    Dave

    _____________________
    Dave Kleiman
    dave@netmedic.net
    www.netmedic.net


    -----Original Message-----
    From: Turner, Keith (Contractor) [mailto:Keith.Turner@tea.army.mil]
    Sent: Friday, January 31, 2003 13:33
    To: focus-ms@securityfocus.com
    Subject: Secure Ldap call not working due to IUSR/IWAM permissions?

    I am trying to get LDAP working so that I can authenticate web users against
    an iPlanet directory server. There appears to be something on the machine
    which prevents IUSR or IWAM from making the LDAP call. My best guess is
    that something which was done during server "hardening" is preventing this
    from working. When using network monitor, I see that no packets are placed
    on the network. I have enabled auditing for global system objects and it
    does show audit failures when the LDAP call fails. I have used FileMon and
    RegMon (sysinternals) to watch for file or registry failures, but none
    showed up.

    There are about 20 fails for each LDAP attempt, but there are only two unique
    events:

    1) id 595
    Indirect access to an object has been obtained
    object type: port
    object name: \RPC Control\DNSResolver
    Accesses: Communicate using port

    2) id 560
    Object name: \Device\NetBT_Tcpip_{alphanumeric string}
    Accesses: Synchronize, ReadData, WriteData

    If I replace the hostname in the OpenDSObject call with the IP address, the
    call makes it to the server (can see it in network monitor), but then fails.
    I assume it is failing because the IP address doesn't match the hostname
    provided in the SSL certificate. If I place the IUSR/IWAM accounts in the
    local admin group, everything works properly (calling the directory server
    by hostname). The error always occurs on this line of the ASP file:
    Set oContainer = oLDAP.OpenDSObject(Server & dnUserName, dnUserName,
    sPassWord, 2)

    Anyone have any ideas?
    Thanks, Keith
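As an added example that is not part of this thread: a small Python script that does by code what Keith did by hand, collapsing the ~20 failure audits per LDAP attempt into the unique (event id, object name) pairs so the two denied objects stand out. The one-line-per-event log layout, the sample lines and the {PLACEHOLDER-GUID} in the NetBT device name are constructed for the example; the event descriptions are the ones quoted in the thread.

```python
import re

# Event-id descriptions as quoted in the thread (595 from Keith's post, 560 from Dave's reply).
EVENT_NAMES = {560: "Object open", 595: "Indirect access to an object has been obtained"}

# Constructed sample log, one event per line: the two failure audits Keith saw,
# repeating over several LDAP attempts, plus one unrelated success audit.
# {PLACEHOLDER-GUID} stands in for the alphanumeric string in the real device name.
SAMPLE_LOG = r"""
Failure Audit | Event ID: 595 | Object Type: Port | Object Name: \RPC Control\DNSResolver | Accesses: Communicate using port
Failure Audit | Event ID: 560 | Object Type: Device | Object Name: \Device\NetBT_Tcpip_{PLACEHOLDER-GUID} | Accesses: Synchronize, ReadData, WriteData
Failure Audit | Event ID: 595 | Object Type: Port | Object Name: \RPC Control\DNSResolver | Accesses: Communicate using port
Failure Audit | Event ID: 560 | Object Type: Device | Object Name: \Device\NetBT_Tcpip_{PLACEHOLDER-GUID} | Accesses: Synchronize, ReadData, WriteData
Failure Audit | Event ID: 595 | Object Type: Port | Object Name: \RPC Control\DNSResolver | Accesses: Communicate using port
Success Audit | Event ID: 560 | Object Type: File | Object Name: C:\inetpub\wwwroot\login.asp | Accesses: ReadData
"""

# "Field: value" pairs separated by " | "; values may contain spaces, colons and backslashes.
FIELD_RE = re.compile(r"(?P<k>[A-Za-z ]+): (?P<v>[^|]+?)(?: \||$)")

def parse_event(line):
    """Split one log line into outcome, numeric event id, object type/name and access list."""
    outcome, rest = line.split(" | ", 1)
    fields = {m.group("k").strip(): m.group("v").strip() for m in FIELD_RE.finditer(rest)}
    return {
        "outcome": outcome.strip(),
        "id": int(fields["Event ID"]),
        "type": fields["Object Type"],
        "name": fields["Object Name"],
        "accesses": [a.strip() for a in fields["Accesses"].split(",")],
    }

def summarize_failures(log_text):
    """Collapse repeated failure audits into unique (event id, object name) keys with counts."""
    summary = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["outcome"] != "Failure Audit":
            continue  # only denied accesses matter for this diagnosis
        key = (ev["id"], ev["name"])
        if key not in summary:
            summary[key] = {"event": EVENT_NAMES.get(ev["id"], "unknown"),
                            "type": ev["type"], "count": 0, "accesses": set()}
        summary[key]["count"] += 1
        summary[key]["accesses"].update(ev["accesses"])
    return summary
```

Calling summarize_failures(SAMPLE_LOG) returns just the two keys, the DNSResolver RPC port and the NetBT device, each with how often it was denied and which accesses were requested.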
