After following Microsoft's advice (and the advice of security experts), we removed "Everyone" from Pre-Windows 2000 Compatible Access in Active directory. This caused the Snitz application to fail with an "internal server error 500".
Subsequent debugging isolated the problem to the following line in the NTAuthenticate() subroutine in the inc_functions.asp file:
Set strNTUserInfo = GetObject("WinNT://"+strNTUser)
IIS is unable to make this call if anonymous access is removed as described above, and therefore we must choose between a secure infrastructure or a functional Snitz application.
For clarification - we received this error when the GetObject function attempted to instantiate the WinNT object in this code: Set strNTUserInfo = GetObject("WinNT://"+strNTUser)
A little more info for you...we went from a Mixed domain to a Native Domain and removed "everyone" from the permissions. It is our opinion that Snitz would not have been successful if we would have started out in Native domain.
You still haven't said exactly what error. The only error you have said is internal server error, which if you turn off 'show friendly error messages' in IE, you will get the VBScript error code and description.
By default is not the IUSR_XXXX account placed into the guest group? and that had same access as members in the users group. Except for the guest account which has further restrictions.
My job is a very big MS site and one of the bigest MS-SMS sites. They still have Everyone
If you removed "everyone" then you might have to find the account the server is using to get the info from the domain and set it up so it has access.
Topic Locked
Posted - 26 August 2002 : 15:37:45
