Microsoft KB Archive/222141

= PRB: Active User Object (AUO) for Session State Not Working with Cookie Authentication =

Article ID: 222141

Article Last Modified on 9/5/2006


APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition




This article was previously published under Q222141



SYMPTOMS
When a client authenticated via Automatic Cookie Authentication accesses a page that uses an AUO provider configured to write to the ou=Dynamic container, you may encounter the following error:

Membership.UserObjects error '80020009'

An error occurred in loading the container in which the user object is created.



CAUSE
When authenticating anonymous users, AUO attempts to create a sub-container named ou=AnonymousUsers. In this scenario, the container in which it is attempting to create the sub-container (ou=Dynamic) is designated for Dynamic Objects only. A container designated for Dynamic Objects is marked with the containsDynamicOnly attribute, so it cannot contain anything but dynamic objects.



RESOLUTION
The configuration of the AUO provider should be modified so that AUO will not attempt to create a sub-container for objects associated with cookie authenticated clients. To do this, you must reconfigure the path suffix of the AUO provider to use the specific user property that is used for naming the object, typically the cn attribute. You can accomplish this by doing the following:

 1. Open the Microsoft Management Console (MMC) and select the Personalization and Membership snap-in.
 2. Open the properties for the Membership Server instance you're using on your Web site.
 3. Select the Active User Object (AUO) Properties tab and open the properties for the AUO provider you're using for dynamic object creation.
 4. Modify the Build Active Directory Services (ADS) path field to read the following:
 5. From the Path Suffix group, select User Property and insert "cn" (without the quotation marks) in the Property field.
 6. Select OK from the AUO provider properties sheet, then click OK from the Membership instance's property sheet, and you should now be able to create dynamic objects for anonymous users.


STATUS
This behavior is by design.


MORE INFORMATION
To keep dynamic objects from being written to disk, the container for the object must be marked with the "containsDynamicOnly" flag.

Dynamic Data is Written to Disk

An alternative to creating a container and marking it with the "containsDynamicOnly" flag is to use the existing ou=Dynamic container. If ou=Dynamic is used, dynamic objects in use will not be visible via the MMC.

Instructions exist that, when combined with the above information, will produce a configuration for handling dynamic objects that will be incompatible with cookie authenticated users. The following AUO configuration is responsible for this:

In the AUO configuration dialog box:

 Build Active Directory Services (ADS) path: /o= /ou=SessionStateData
 Path suffix: x User name

Under this configuration, AUO will attempt to create a sub-container (AnonymousUsers) under ou=SessionStateData for anonymous (cookie authenticated) users. This configuration can be adjusted to work with cookie authenticated users and others. The following configuration will perform correctly:

In the AUO configuration dialog box:

 Build Active Directory Services (ADS) path: /o= /ou=SessionStateData/cn=
 Path suffix: x User property
 Property: cn

In this case, dynamic objects for all users will be kept in the SessionStateData container.
