Re: anonymous LDAP access with 2003 server


From: Richard Sweetnam (rsweetnam_at_ms.nospam.cs.co.za)
Date: 04/23/04


Date: Fri, 23 Apr 2004 19:48:22 +0200

In the past, Windows 2000 gave the Everyone group Read access to the LDAP
database. Anonymous access has now been removed from the Everyone group.

You will have to allow anonymous users access to the server by granting this
right on the "Access this computer from the network" right in the local
security policy; however, this creates a problem. Domain controllers' security
policies are controlled by the "Default Domain Controller" policy, which
means if you want this change on one, it will apply to all, creating a
security hole.

If possible, I would recommend that the query be done from another source
that caters for anonymous access, e.g. an IIS server. That way the front end
will allow for anonymous access and the backend can use a domain account to
access LDAP.

Hope this helps,
Richard

"news.microsoft.com" <patrickj@REMOVE.acponline.org> wrote in message
news:#ysE98TKEHA.3944@tk2msftngp13.phx.gbl...
> Could someone please explain how to enable anonymous LDAP access to AD with
> 2003 server. I got this working a few years ago with 2000 server, but am
> unable to get it to work with 2003. I followed kb #326690 and set
> dsHeuristics to 0000002 and also attempted to set security permissions to
> allow anonymous access to the objects, but still can't seem to get it to work
> properly.
>
> What permissions need to be set for anonymous read/list access to LDAP and
> where do they need to be set?
>
> Must I use the global catalog port 3268 or can I use 389 for LDAP lookups?
>
> Thanks
>
>
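
The front-end/back-end split recommended in the reply above, sketched as an added example that is not part of the original thread: the front end accepts unauthenticated requests, escapes the input per RFC 4515, and returns only an allow-listed set of attributes, while the directory is only ever queried over the domain account's connection. `backend_search`, `fake_backend`, `ALLOWED_ATTRS` and the sample entry are hypothetical names and constructed data.

```python
# Attributes the anonymous front end may return (constructed allow-list).
ALLOWED_ATTRS = ("cn", "mail", "telephoneNumber")
# Characters that must be escaped in an LDAP filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is treated as a literal in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(name: str) -> str:
    """Build the only filter shape the front end ever sends to the directory."""
    name = name.strip()
    if not name or len(name) > 64:
        raise ValueError("name must be 1-64 characters")
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(cn={escape_filter_value(name)}))")


def anonymous_lookup(name, backend_search):
    """Handle one unauthenticated request arriving at the front end.

    backend_search(filter, attrs) is a hypothetical callable that runs the
    search over a connection already bound with the domain service account.
    """
    entries = backend_search(build_lookup_filter(name), ALLOWED_ATTRS)
    # Drop anything the back end returned beyond the allow-list.
    return [{k: v for k, v in e.items() if k in ALLOWED_ATTRS} for e in entries]


seen_filters = []  # records what reached the (fake) directory


def fake_backend(ldap_filter, attrs):
    """Constructed stand-in for the directory so the example runs offline."""
    seen_filters.append(ldap_filter)
    return [{"cn": "Jane Doe", "mail": "jane@example.org",
             "memberOf": "CN=Admins"}]


if __name__ == "__main__":
    print(anonymous_lookup("Jane Doe", fake_backend))
    # Constructed input containing filter metacharacters stays a literal.
    print(anonymous_lookup("*)(objectClass=*", fake_backend))
    print(seen_filters[-1])
```

In a deployment, `backend_search` would wrap an authenticated search from whatever LDAP client library the front end uses, and the domain account behind it would hold read access only to the objects being published.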


