PRB: Active User Object (AUO) for Session State Not Working with Cookie Authentication

ID: Q222141

The information in this article applies to:

Microsoft Site Server version 3.0

SYMPTOMS

When a client authenticated via Automatic Cookie Authentication accesses a page that uses an AUO provider configured to write to the ou=Dynamic contain, you may encounter the following error:

Membership.UserObjects error '80020009'
An error occurred in loading the container in which the user object is created.

CAUSE

When authenticating anonymous users, AUO attempts to create a sub-contaner named ou=AnonymousUsers. In this scenario, the container it is attempting to create a sub-container in (ou=Dynamic) is designated for Dynamic Objects only. A container designated for Dynamic Objects is marked with the containsDynamicOnly attribute so it cannot contain anything but dynamic objects.

RESOLUTION

The configuration of the AUO provider should be modified so that AUO will not attempt to create a sub-container for objects associated with cookie authenticated clients. To do this, you must reconfigure the path suffix of the AUO provider to use the specific user property that is used for naming the object, typically the cn attribute. You can accomplish this by doing the following:

Open the Microsoft Management Console (MMC) and select the Personalization and Membership snap-in.

Open the properties for the Membership Server instance you're using on your Web site.

Select the Active User Object (AUO) Properties tab and open the properties for the AUO provider you're using for dynamic object creation.

Modify the Build Active Directory Services (ADS) path field to read the following:
```
<server>:<port>/o=<realm>/ou=Dynamic/cn= 
```

From the Path Suffix group, select User Property and insert "cn" (without the quotation marks) in the Property field.

Select OK from the AUO provider properties sheet, then click OK from the Membership instance's property sheet, and you should now be able to create dynamic objects for anonymous users.

STATUS

This behavior is by design.

MORE INFORMATION

To keep dynamic objects from being written to disk, the container for the object must be marked with the "containsDynamicOnly" flag. This is explained in the following article in the Microsoft Knowledge Base:

Q194720 Dynamic Data is Written to Disk

An alternative to creating a container and marking it with the "containsDynamicOnly" flag is to use the existing ou=Dynamic container. If ou=Dynamic is used, dynamic objects in use will not be visible via the MMC.

Instructions exist that, when combined with the above information, will produce a configuration for handling dynamic objects that will be incompatible with cookie authenticated users. The following AUO configuration is responsible for this:

In the AUO configuration dialog box:


Build Active Directory Services (ADS) path<BR/>
&lt;server&gt;:&lt;port&gt;/o=&lt;realm&gt;/ou=SessionStateData<BR/>

Path suffix:
x User name

Under this configuration, AUO will attempt to create a sub-container (AnonymousUsers) under ou=SessionStateData for anonymous (cookie authenticated) users. This configuration can be adjusted to work with cookie authenticated users and others. The following configuration will perform correctly:
In the AUO configuration dialog box:


Build Active Directory Services (ADS) path
&lt;server&gt;:&lt;port&gt;/o=&lt;realm&gt;/ou=SessionStateData/cn=

Path suffix:
x User property

Property: cn

In this case, dynamic objects for all users will be kept in the SessionStateData container.

REFERENCES

Using the Membership Directory and Active User Object (AUO) for Session State Data

Q194720 Dynamic Data is Written to Disk

Additional query words:


Keywords          : prodsitesrv3 
Version           : winnt:3.0
Platform          : winnt 
Issue type        : kbprb

Last Reviewed: March 26, 1999