Microsoft KB Archive/308149

= PRB: Authentication Fails When You Log On As Current User by Using ADSI over SSL =

Article ID: 308149

Article Last Modified on 2/12/2004

-

APPLIES TO


 * Microsoft Active Directory Service Interfaces 2.5
 * Microsoft Active Directory Service Interfaces 2.5
 * Microsoft Active Directory Service Interfaces 2.5

-



This article was previously published under Q308149



SYMPTOMS
When you use Active Directory Services Interfaces (ADSI) over a Secure Sockets Layer (SSL) connection to access a Lightweight Directory Access Protocol (LDAP) directory as the currently logged on user, you may find that the Active Directory Services path (ADsPath) used cannot be found or that you do not have the appropriate permissions to view the object.



CAUSE
By default, anonymous users are not given permissions to view objects in the Active Directory.

The symptoms described earlier are caused, in part, because ADSI is designed to use simple binds when using SSL. Simple binds convey a user name and password in clear text across the network. This is not recommended because this traffic can be monitored by a malicious user. When you use an SSL connection, the network traffic is encrypted and the username and password are protected. Therefore, using simple binds over SSL is an acceptable method.

From an ADSI perspective, there is an important semantic difference between simple binds and binds that use Security Service Provider Interface (SSPI); for example, Kerberos or NTLM. In SSPI binds, you pass a NULL value for the user name and password. The result is a negotiated bind that uses the security credentials that are making the bind. With a simple bind, however, when you pass NULL credentials, you instruct ADSI to use the anonymous user credentials.

ADSI performs simple binds when a secure socket is requested. Those binds that pass NULL credentials result in an anonymous bind being performed over the secure socket connection.

The error is generated because the anonymous user does not typically have sufficient rights to view directory objects.



RESOLUTION
Instead of requesting an SSL connection through the use of the ADS_USE_SSL flag, append :636 to the server in the ADsPath of the object. The port is passed directly to the LDAP layer, which recognizes the port as the default SSL port and performs an SSL connection.



STATUS
This behavior is by design. The design is being reviewed for later versions of ADSI.

