PRB: Authentication Fails When You Log On As Current User by Using ADSI over SSL (308149)



The information in this article applies to:

  • Microsoft Active Directory Services Interface, Microsoft Active Directory Client
  • Microsoft Active Directory Service Interfaces 2.5
  • Microsoft Active Directory Services Interface, System Component

This article was previously published under Q308149

SYMPTOMS

When you use Active Directory Services Interfaces (ADSI) over a Secure Sockets Layer (SSL) connection to access a Lightweight Directory Access Protocol (LDAP) directory as the currently logged on user, you may find that the Active Directory Services path (ADsPath) used cannot be found or that you do not have the appropriate permissions to view the object.

CAUSE

By default, anonymous users are not given permissions to view objects in the Active Directory.

The symptoms described earlier are caused, in part, because ADSI is designed to use simple binds when using SSL. Simple binds convey a user name and password in clear text across the network. This is not recommended because this traffic can be monitored by a malicious user. When you use an SSL connection, the network traffic is encrypted and the username and password are protected. Therefore, using simple binds over SSL is an acceptable method.

From an ADSI perspective, there is an important semantic difference between simple binds and binds that use Security Service Provider Interface (SSPI); for example, Kerberos or NTLM. In SSPI binds, you pass a NULL value for the user name and password. The result is a negotiated bind that uses the security credentials that are making the bind. With a simple bind, however, when you pass NULL credentials, you instruct ADSI to use the anonymous user credentials.

ADSI performs simple binds when a secure socket is requested. Those binds that pass NULL credentials result in an anonymous bind being performed over the secure socket connection.

The error is generated because the anonymous user does not typically have sufficient rights to view directory objects.

RESOLUTION

Instead of requesting an SSL connection through the use of the ADS_USE_SSL flag, append :636 to the server in the ADsPath of the object. The port is passed directly to the LDAP layer, which recognizes the port as the default SSL port and performs an SSL connection.

STATUS

This behavior is by design. The design is being reviewed for later versions of ADSI.

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

187529 HOWTO: Use ADO to Access Objects Through an ADSI LDAP Provider


Modification Type:MajorLast Reviewed:2/12/2004
Keywords:kbDSWADSI2003Swept kbprb KB308149 kbAudDeveloper