RE: Secure Ldap call not working due to IUSR/IWAM permissions?

You mention server hardening.
What methods did you use for hardening?
Did you run IISLockdown?

There is obviously some access you took away during your "server hardening" process, which is needed.

595 is a successful object access, and 560 is a successful object open, I am not sure what the references to those are.

Dave  

-----Original Message-----
From: Turner, Keith (Contractor) [mailto:Keith.Turner@tea.army.mil] Sent: Friday, January 31, 2003 13:33
To: focus-ms@securityfocus.com
Subject: Secure Ldap call not working due to IUSR/IWAM permissions?

I am trying to get LDAP working so that I can authenticate web users against an iPlanet directory server. There appears to be something on the machine which prevents IUSER or IWAM from making the LDAP call. My best guess is that something which was done during server "hardening" is preventing this from working. When using network monitor, I see that no packets are placed on the network. I have enabled auditing for global system objects and it does show audit failures when the LDAP call fails. I have used FileMon and RegMon (sysinternals) to watch for file or registry failures, but none showed up.

 There about 20 fails for each LDAP attempt, but there are only two unique events

1. id 595 Indirect access to an object has been obtained object type: port object name: \RPC Control\DNSResolver Accesses: Communicate using port
2. id 560 Object name: \Device\NetBT_Tcpip_{alphanumeric string} Accesses: Synchronize, ReadData, WriteData

If I replace the hostname in the opendsobject call with the ip address, the call makes it to the server (can see it in network monitor), but then fails. I assume it is failing because the ip address doesn't match the hostname provided in the SSL certificate. If I place the IUSR/IWAM accounts in the local admin group, everything works properly (calling the directory server by hostname). The error always occurs on this line of the asp file : Set oContainer = oLDAP.OpenDSObject(Server & dnUserName, dnUserName, sPassWord, 2)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Anyone have any ideas?
Thanks, Keith Received on Mon Feb 3 11:32:13 2003