Re: Enabling anonymous ldap in server 2003

From: Marin Marinov (mlmarinov_at_askme.ca)
Date: 07/04/04


Date: Sun, 4 Jul 2004 18:17:13 -0400

In article <eWsr$ODYEHA.3112@tk2msftngp13.phx.gbl>, aaron@fake.net
says...
> I am doing a test upgrade for my domain 2k--->2k3. The problem that I am
> having is all of our RAS servers are still NT with no current plans to
> upgrade soon. In the test environment the upgraded 2k3 domain controllers
> would not authenticate users for the NT 4.0 machines, after several failed
> searches for a fix I found out that it was a problem with the LDAP
> connections, for the NT machines to talk to the 2k3 machines anonymous ldap
> has to be enabled, so I got on the MS site and found
> http://support.microsoft.com/?id=326690
>
> ....but I cannot get the command to run successfully, I am trying to add the
> dSHeuristics attribute with 0000002 so my remote users can authenticate, but
> I am getting the following error:
>
> Error: Add: Object Class Violation. <65>
>
> any ideas?
>
> tia,
>
> aaron

Aaron, forget about tampering with anonymous LDAP - you don't need it in
this case and it's a huuuge security hole. The issue with NT 4.0 RRAS is
that it tries to check if the user has dial-in permission by using a
null session, i.e. with anonymous credentials which doesn't work in the
higher security mode. In this case, you must add the Everyone and
Anonymous logon to the Pre-Windows 2000 Compatible Access group on the
Win2K3 DCs:

net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
net localgroup "Pre-Windows 2000 Compatible Access" "anonymous logon" /add

HOW TO: Add Users to the Pre-Windows 2000 Compatible Access Group in
Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325363

Enable Windows NT 4.0-Based RAS Servers in a Windows 2000-Based Domain
http://support.microsoft.com/default.aspx?scid=kb;EN-US;254311

Note that you must add the Anonymous logon explicitly since it's no
longer a member of Everyone in Win2K3 as opposed to Win2K.

HTH

-- 
Cheers,
   Marin Marinov
   MCT, MCSE 2003/2000/NT4.0,
   MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no 
rights.
"True knowledge exists in knowing that you know nothing."
Socrates
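The membership change Marin describes, as an added example that is not part of the original thread: a small PowerShell script, run in an elevated prompt on the Windows Server 2003 DC, that audits the Pre-Windows 2000 Compatible Access group through the same `net localgroup` tool the post uses and adds only what is missing. The function names (Get-PreW2KMembers, Test-PreW2KAccess, Add-PreW2KAccess) and the output parsing are this example's own assumptions about the `net localgroup` listing format.

```powershell
# Added example, not code from the original post. Audits and, if needed,
# populates the Pre-Windows 2000 Compatible Access group on a Win2K3 DC.
# Function and variable names are this example's own; run elevated on the DC.

$GroupName = 'Pre-Windows 2000 Compatible Access'

# Principals the post says NT 4.0 RRAS needs for its null-session dial-in check.
# 'ANONYMOUS LOGON' has to be listed explicitly: on Win2K3 it is no longer
# a member of Everyone, so adding Everyone alone does not cover it.
$RequiredMembers = @('Everyone', 'ANONYMOUS LOGON')

function Get-PreW2KMembers {
    # Parse "net localgroup <group>": members are listed between the dashed
    # separator line and the closing "The command completed successfully."
    # (assumed output layout of net.exe).
    $lines = & net localgroup $GroupName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed: $lines" }
    $members = @()
    $inList  = $false
    foreach ($line in $lines) {
        if ($line -match '^-+$')                 { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim())           { $members += $line.Trim() }
    }
    return $members
}

function Test-PreW2KAccess {
    # Returns the required principals that are NOT yet members.
    # net.exe shows well-known principals either bare ("Everyone") or
    # domain-qualified ("NT AUTHORITY\ANONYMOUS LOGON"), so match both forms.
    $current = Get-PreW2KMembers
    $RequiredMembers | Where-Object {
        $needle = $_
        -not ($current | Where-Object {
            $_ -ieq $needle -or $_ -imatch ('\\' + [regex]::Escape($needle) + '$')
        })
    }
}

function Add-PreW2KAccess {
    # Adds only the missing principals. Note the argument order: the group
    # name comes first and the member second, both quoted because of spaces.
    foreach ($m in (Test-PreW2KAccess)) {
        & net localgroup "$GroupName" "$m" /add
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not add '$m' to '$GroupName'" }
    }
}

$missing = Test-PreW2KAccess
if ($missing) {
    Write-Host "Missing from '$GroupName': $($missing -join ', ')"
    Add-PreW2KAccess
} else {
    Write-Host "'$GroupName' already contains Everyone and ANONYMOUS LOGON; nothing to do."
}
```

Running the audit first, before any change, is deliberate: membership of this group is what lets a null session read user and group attributes from the DC, so it is worth recording which DCs have it and removing the Anonymous Logon entry again once the NT 4.0 RAS servers are retired, rather than leaving it in place indefinitely.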
