Unable to perform GetObject("LDAP://...") bindings when logged in overnight (error "800a00

I'm trying to troubleshoot an issue where users are not able to bind
with LDAP via "GetObject" through our ASP Classic Intranet if they
stay logged in overnight (beyond their allowed login hours). The
problem does not occur when performing the same bindings using a logon
script.

So, the user logs in, is able to perform queries all day, and then
fails to log out at the end of the day. We'd prefer that they did log
out nightly, but it happens...

The following morning they unlock their machine during allowed logon
hours and are unable to bind to Active Directory via our Intranet
until they log out / back in or perform a RunAs using their own
credentials.

Any idea what could be happening? We've got "Windows Integrated
Authentication" and "Basic Authentication" enabled, anonymous access
is disabled.

The Intranet has no problem authenticating them and recognizing their
username, but any attempts to bind via GetObject generate this error:

Microsoft VBScript runtime error '800a0046'

Permission denied: 'GetObject'

/auth_functions.asp, line 18

Thanks!

Re: Unable to perform GetObject("LDAP://...") bindings when logged in overnight (error "80

You could run a script logging out all users each night


"aydeejay" wrote in message
news:1187726776.160730.251710@x40g2000prg.googlegroups.com.. .
> I'm trying to troubleshoot an issue where users are not able to bind
> with LDAP via "GetObject" through our ASP Classic Intranet if they
> stay logged in overnight (beyond their allowed login hours). The
> problem does not occur when performing the same bindings using a logon
> script.
>
> So, the user logs in, is able to perform queries all day, and then
> fails to log out at the end of the day. We'd prefer that they did log
> out nightly, but it happens...
>
> The following morning they unlock their machine during allowed logon
> hours and are unable to bind to Active Directory via our Intranet
> until they log out / back in or perform a RunAs using their own
> credentials.
>
> Any idea what could be happening? We've got "Windows Integrated
> Authentication" and "Basic Authentication" enabled, anonymous access
> is disabled.
>
> The Intranet has no problem authenticating them and recognizing their
> username, but any attempts to bind via GetObject generate this error:
>
> Microsoft VBScript runtime error '800a0046'
>
> Permission denied: 'GetObject'
>
> /auth_functions.asp, line 18
>
> Thanks!
>

Re: Unable to perform GetObject("LDAP://...") bindings when logged in overnight (error "80

What I'm really looking for is some sort of explanation of what could
be happening -- we could certainly log everyone out as a workaround,
but there are certain users and machines, such as my own, where this
is undesirable.

As it turns out the problem does not involve logon hours, but it seems
to be contingent on how long they remain logged into the system.

This is definitely a Kerberos-related issue...if I stay logged in
overnight and run an ASP script that looks at authentication server
variables to determine the method of authentication being used, NTLM
is employed. If I log out and back into my machine, Kerberos is
employed.

This seems to be an issue involving Kerberos ticket renewal /
expiration, but I haven't read any similar accounts of this problem.

"klist tgt" generates this error under a "stale" login session (left
overnight):

Error calling function LsaCallAuthenticationPackage: 0
The operation completed successfully.
Substatus: 0x8009030e

Under a "fresh" login it works fine:

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: ajones
DomainName: xxx
TargetDomainName: xxx
AltTargetDomainName: xxx
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:103:804
StartTime: 8/23/2007 12:25:28
EndTime: 8/23/2007 21:00:00
RenewUntil: 8/23/2007 21:00:00
TimeSkew: 8/23/2007 21:00:00

On Aug 22, 9:48 am, "ThatsIT.net.au" wrote:
> You could run a script logging out all users each night
>
> "aydeejay" wrote in message
>
> news:1187726776.160730.251710@x40g2000prg.googlegroups.com.. .
>
>
>
> > I'm trying to troubleshoot an issue where users are not able to bind
> > with LDAP via "GetObject" through our ASP Classic Intranet if they
> > stay logged in overnight (beyond their allowed login hours). The
> > problem does not occur when performing the same bindings using a logon
> > script.
>
> > So, the user logs in, is able to perform queries all day, and then
> > fails to log out at the end of the day. We'd prefer that they did log
> > out nightly, but it happens...
>
> > The following morning they unlock their machine during allowed logon
> > hours and are unable to bind to Active Directory via our Intranet
> > until they log out / back in or perform a RunAs using their own
> > credentials.
>
> > Any idea what could be happening? We've got "Windows Integrated
> > Authentication" and "Basic Authentication" enabled, anonymous access
> > is disabled.
>
> > The Intranet has no problem authenticating them and recognizing their
> > username, but any attempts to bind via GetObject generate this error:
>
> > Microsoft VBScript runtime error '800a0046'
>
> > Permission denied: 'GetObject'
>
> > /auth_functions.asp, line 18
>
> > Thanks!- Hide quoted text -
>
> - Show quoted text -

Re: Unable to perform GetObject("LDAP://...") bindings when logged in overnight (error "80

"aydeejay" wrote in message
news:1187893723.578871.288530@l22g2000prc.googlegroups.com.. .
> What I'm really looking for is some sort of explanation of what could
> be happening -- we could certainly log everyone out as a workaround,
> but there are certain users and machines, such as my own, where this
> is undesirable.
>
> As it turns out the problem does not involve logon hours, but it seems
> to be contingent on how long they remain logged into the system.
>
> This is definitely a Kerberos-related issue...if I stay logged in
> overnight and run an ASP script that looks at authentication server
> variables to determine the method of authentication being used, NTLM
> is employed. If I log out and back into my machine, Kerberos is
> employed.


It seem like some sort of expiry problem.


>
> This seems to be an issue involving Kerberos ticket renewal /
> expiration, but I haven't read any similar accounts of this problem.
>
> "klist tgt" generates this error under a "stale" login session (left
> overnight):

you may be able to change the life time of the ticket somewhere


>
> Error calling function LsaCallAuthenticationPackage: 0
> The operation completed successfully.
> Substatus: 0x8009030e
>
> Under a "fresh" login it works fine:
>
> Cached TGT:
>
> ServiceName: krbtgt
> TargetName: krbtgt
> FullServiceName: ajones
> DomainName: xxx
> TargetDomainName: xxx
> AltTargetDomainName: xxx
> TicketFlags: 0x40e00000
> KeyExpirationTime: 256/0/29920 0:103:804
> StartTime: 8/23/2007 12:25:28
> EndTime: 8/23/2007 21:00:00
> RenewUntil: 8/23/2007 21:00:00
> TimeSkew: 8/23/2007 21:00:00
>
> On Aug 22, 9:48 am, "ThatsIT.net.au" wrote:
>> You could run a script logging out all users each night
>>
>> "aydeejay" wrote in message
>>
>> news:1187726776.160730.251710@x40g2000prg.googlegroups.com.. .
>>
>>
>>
>> > I'm trying to troubleshoot an issue where users are not able to bind
>> > with LDAP via "GetObject" through our ASP Classic Intranet if they
>> > stay logged in overnight (beyond their allowed login hours). The
>> > problem does not occur when performing the same bindings using a logon
>> > script.
>>
>> > So, the user logs in, is able to perform queries all day, and then
>> > fails to log out at the end of the day. We'd prefer that they did log
>> > out nightly, but it happens...
>>
>> > The following morning they unlock their machine during allowed logon
>> > hours and are unable to bind to Active Directory via our Intranet
>> > until they log out / back in or perform a RunAs using their own
>> > credentials.
>>
>> > Any idea what could be happening? We've got "Windows Integrated
>> > Authentication" and "Basic Authentication" enabled, anonymous access
>> > is disabled.
>>
>> > The Intranet has no problem authenticating them and recognizing their
>> > username, but any attempts to bind via GetObject generate this error:
>>
>> > Microsoft VBScript runtime error '800a0046'
>>
>> > Permission denied: 'GetObject'
>>
>> > /auth_functions.asp, line 18
>>
>> > Thanks!- Hide quoted text -
>>
>> - Show quoted text -
>
>