LDAP_ANONYMOUS Uses the Guest Account as a Template (305082)



The information in this article applies to:

  • Microsoft Site Server 3.0

This article was previously published under Q305082

SYMPTOMS

If you have installed Site Server 3.0 Service Pack 4 (SP4) and the local guest account has been locked out by policy, you may see the following errors in the application event log when you attempt to start the Site Server LDAP Service (LDAPSVC):

Event Type: Error
Event Source: LDAPSVC
Event Category: None
Event ID: 481
Description:
Site Server LDAP Service cannot initialize the following object:
GetLastError()=87 : Init LdapExtension.

Event Type: Error
Event Source: LDAPSVC
Event Category: None
Event ID: 2500
Description:
The server failed to start due to an initialization error. Verify the configuration. Error description is: GetLastError()=1909 : LogonUser for Anonymous users.

GetLastError()=1909 maps to "The referenced account is currently locked out and may not be logged on to." In this case, the referenced account is the LDAP_ANONYMOUS user account. You may also see an associated event in the security event log.
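
The following Python code is an added example, not part of the original article or of Site Server. It parses a text export of the application event log in the layout shown above and flags the case where LDAPSVC event 2500 reports LogonUser failing with error 1909. The function names and the export layout are assumptions, and the sample log is constructed from the events quoted in this article.

```python
import re

# Constructed sample: the two events quoted in this article, laid out as a
# plain-text export of the application event log (layout is an assumption).
SAMPLE_LOG = """\
Event Type: Error
Event Source: LDAPSVC
Event Category: None
Event ID: 481
Description:
Site Server LDAP Service cannot initialize the following object:
GetLastError()=87 : Init LdapExtension.
Event Type: Error
Event Source: LDAPSVC
Event Category: None
Event ID: 2500
Description:
The server failed to start due to an initialization error. Verify the configuration. Error description is: GetLastError()=1909 : LogonUser for Anonymous users.
"""

ERROR_ACCOUNT_LOCKED_OUT = 1909  # Win32 error code explained in the article

def parse_events(text):
    """Split an export into events; each one starts at an 'Event Type:' line."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        if not block.strip():
            continue
        head, _, desc = block.partition("Description:")
        fields = dict(re.findall(r"(?m)^(Event [A-Za-z ]+?):[ \t]*(.*)$", head))
        err = re.search(r"GetLastError\(\)=(\d+)\s*:\s*([^\n]*)", desc)
        event_id = fields.get("Event ID", "").strip()
        events.append({
            "source": fields.get("Event Source", "").strip(),
            "id": int(event_id) if event_id.isdigit() else None,
            "win32": int(err.group(1)) if err else None,
            "step": err.group(2).strip().rstrip(".") if err else None,
        })
    return events

def anonymous_lockout(events):
    """True when LDAPSVC event 2500 reports LogonUser failing with 1909."""
    return any(
        e["source"] == "LDAPSVC" and e["id"] == 2500
        and e["win32"] == ERROR_ACCOUNT_LOCKED_OUT
        and "LogonUser" in (e["step"] or "")
        for e in events
    )
```

A match points at the guest account's lockout state rather than at the LDAPSVC configuration, which is where the resolution below applies.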

CAUSE

In Site Server 3.0 SP4 and later, the LDAP_ANONYMOUS account is recreated each time LDAPSVC is started. The local account is recreated using the guest account as a template, so LDAP_ANONYMOUS has the same settings as the guest account, which is why a locked-out guest account prevents the anonymous logon. However, the LDAP_ANONYMOUS account is not disabled even if the guest account is disabled.

RESOLUTION

To resolve this problem, set the guest account so that it is not locked out.

STATUS

This behavior is by design.

MORE INFORMATION

Prior to SP4 for Site Server 3.0, the LDAP_ANONYMOUS user account password is exposed in the registry in plain text. LDAP_ANONYMOUS is the default Personalization and Membership anonymous user account, created as a local Microsoft Windows NT account for anonymous access to the Membership Directory.

For additional information on this issue, see the following article in the Microsoft Knowledge Base:

248840 Possible Security Problem in LDAP_ANONYMOUS Account


Modification Type: Major
Last Reviewed: 5/8/2002
Keywords: kbprb KB305082