Part of a web site's functionality is to enumerate Domain users. We used the NetUserEnum function and it was working fine for a long time in multiple sites.
Recently this function, in one of the sites, started to return only a portion of the Domain users (512 out of around 1900).
We made the strange observation that the full list is returned correctly when we browse that same web page on the web server itself! So the issue happens only when we browse it from other PCs.
The setup is:
IIS is running on Windows 2003. The web page is an ASP and is configured for "Windows Authentication" only. This server, as well as all the other users' PCs on the network, is part of the same Domain. So the users won't get the login prompt when browsing this web page because they are already authenticated when they logged into their Domain account.
The ASP web page calls a COM object function to return the users list. The COM function simply calls:
nRetVal=NetGetDCName(NULL,bsDomain,(LPBYTE*)&bsBuf);
nStatus = NetUserEnum(bsBuf,0,FILTER_NORMAL_ACCOUNT,(LPBYTE*)&lpBuf,MAX_PREFERRED_LENGTH, &dwEntriesRead,&dwTotalEntries,&dwResumeHandle);
From the logs:
The bsDomain and bsBuf always get the same values, as expected. Also, the nStatus always returns ERROR_SUCCESS. So it is strange to get only a portion of the users (without any error or even an ERROR_MORE_DATA).
My understanding is that when the ASP is configured for "Windows Authentication", it will run under the privileges of the user calling that web page. Also, there must be no difference between browsing the web page from the same server or from another PC.
Please advise where to troubleshoot.
Note: The site has multiple domain controllers with AD replication between them. Not sure if this would be relevant.