Unable to perform GetObject("LDAP://...") bindings when logged in overnight (error '800a0046')

[aydeejay]

I'm trying to troubleshoot an issue where users are not able to bind
with LDAP via "GetObject" through our ASP Classic Intranet if they
stay logged in overnight (beyond their allowed login hours). The
problem does not occur when performing the same bindings using a logon
script.

So, the user logs in, is able to perform queries all day, and then
fails to log out at the end of the day. We'd prefer that they did log
out nightly, but it happens...

The following morning they unlock their machine during allowed logon
hours and are unable to bind to Active Directory via our Intranet
until they log out / back in or perform a RunAs using their own
credentials.

Any idea what could be happening? We've got "Windows Integrated
Authentication" and "Basic Authentication" enabled, anonymous access
is disabled.

The Intranet has no problem authenticating them and recognizing their
username, but any attempts to bind via GetObject generate this error:

Microsoft VBScript runtime error '800a0046'

Permission denied: 'GetObject'

/auth_functions.asp, line 18

Thanks!

 

[ThatsIT.net.au]

You could run a script logging out all users each night

 

[aydeejay]

What I'm really looking for is some sort of explanation of what could
be happening -- we could certainly log everyone out as a workaround,
but there are certain users and machines, such as my own, where this
is undesirable.

As it turns out the problem does not involve logon hours, but it seems
to be contingent on how long they remain logged into the system.

This is definitely a Kerberos-related issue...if I stay logged in
overnight and run an ASP script that looks at authentication server
variables to determine the method of authentication being used, NTLM
is employed. If I log out and back into my machine, Kerberos is
employed.

This seems to be an issue involving Kerberos ticket renewal /
expiration, but I haven't read any similar accounts of this problem.

"klist tgt" generates this error under a "stale" login session (left
overnight):

Error calling function LsaCallAuthenticationPackage: 0
The operation completed successfully.
Substatus: 0x8009030e

Under a "fresh" login it works fine:

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: ajones
DomainName: xxx
TargetDomainName: xxx
AltTargetDomainName: xxx
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:103:804
StartTime: 8/23/2007 12:25:28
EndTime: 8/23/2007 21:00:00
RenewUntil: 8/23/2007 21:00:00
TimeSkew: 8/23/2007 21:00:00

 

[ThatsIT.net.au]

What I'm really looking for is some sort of explanation of what could
be happening -- we could certainly log everyone out as a workaround,
but there are certain users and machines, such as my own, where this
is undesirable.

As it turns out the problem does not involve logon hours, but it seems
to be contingent on how long they remain logged into the system.

This is definitely a Kerberos-related issue...if I stay logged in
overnight and run an ASP script that looks at authentication server
variables to determine the method of authentication being used, NTLM
is employed. If I log out and back into my machine, Kerberos is
employed.

It seem like some sort of expiry problem.

This seems to be an issue involving Kerberos ticket renewal /
expiration, but I haven't read any similar accounts of this problem.

"klist tgt" generates this error under a "stale" login session (left
overnight):

you may be able to change the life time of the ticket somewhere