AD GetObject fails in ASP page when using smartcard logon

07-09-2005, 10:54 PM

I am having problems accessing Active Directory from VBscript in an ASP web
application when it is configured for smartcards using Directory Service
certificate mapping. The system scenario is as follows.

Server 1 - W2K3 Server as Domain Controller with Active Directory
Server 2 - W2K3 Server running IIS 6.0 and Exchange 2K3 Server
Client 1 - W2K3 Server as client with CAC smartcard and IE 6

IIS is configured for Directory Service mapping, SSL, "Enable client
certificate mapping" and Accept Client certificate.

The client uses a CAC smartcard to logon and invokes a Web application on
Server 2 via IE 6.

Web app on Server 2 loads ASP page using VBScript to call
GetObject("LDAP://CN=client1,CN=Users,DC=SERVER1,DC=COM") on User object to
retrieve user attributes.

GetObject fails with Err.Number = -2147016672 (0x80072020 -

In IIS Mgr properties for web app Virtual Directory, select Security/Edit
and uncheck "Enable client certificate mapping".

Now the user is prompted for username and password and GetObject succeeds.

Does anybody have any ideas?

PS I am told that if IIS cert mapping is used instead of DS mapping, it
works OK.


AD GetObject fails in ASP page when using smartcard logon