Microsoft KB Archive/321315

= ADSI Does a Simple Bind When You Specify ADS_USE_SSL =

Article ID: 321315

Article Last Modified on 9/28/2007

-

APPLIES TO


 * Microsoft Active Directory Service Interfaces 2.5

-



This article was previously published under Q321315



SUMMARY
Active Directory Service Interfaces (ADSI) performs a simple bind when you specify the ADS_USE_SSL flag while binding to an object. A simple bind works by sending the user name and password over the connection. This is not a good idea on an unencrypted connection, because the credentials can be easily sniffed. On an SSL connection, SSL encryption protects the password. In a simple bind, passing in NULL for the user name and password means that the bind is made with the credentials of the anonymous user.

There is an important semantic difference between simple binds and secure/SSPI binds, such as Kerberos or NTLM. In NTLM, passing in NULL for the user name/password means "authenticate with the default credentials (the user who is running the program)". With a simple bind, it means "authenticate as the anonymous user".
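To make the difference visible when reviewing traffic, the following added example (not part of the original article) parses an already-decrypted LDAP BindRequest as defined in RFC 4511 and reports whether it is an anonymous simple bind, a simple bind carrying a password, or a SASL bind of the kind used to negotiate Kerberos or NTLM. It goes beyond the article to the wire encoding; the function names, the sample DN and password, and the GSS-SPNEGO mechanism string are assumptions constructed for the example.

```python
# Added example: classify an LDAP BindRequest (RFC 4511). Samples are constructed.

def _tlv(buf, pos):
    """Read one BER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(message: bytes) -> str:
    tag, body, _ = _tlv(message, 0)         # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(body, 0)               # messageID
    tag, bind, _ = _tlv(body, pos)          # protocolOp
    if tag != 0x60:                         # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, _, pos = _tlv(bind, 0)               # version
    _, name, pos = _tlv(bind, pos)          # bind name (DN)
    auth_tag, auth, _ = _tlv(bind, pos)     # AuthenticationChoice
    if auth_tag == 0xA3:                    # sasl [3]: mechanism + credentials
        _, mech, _ = _tlv(auth, 0)
        return "sasl:" + mech.decode("ascii")
    if auth_tag != 0x80:                    # simple [0]: password sent as-is
        raise ValueError("unsupported authentication choice")
    if not name and not auth:
        return "simple:anonymous"           # empty name and empty password
    if not auth:
        return "simple:unauthenticated"     # name given, empty password
    return "simple:password"

def _enc(tag: int, value: bytes = b"") -> bytes:
    """Encode one BER element (short-form length only; enough for the samples)."""
    if len(value) > 127:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value

def build_bind(name: bytes, auth: bytes) -> bytes:
    bind = _enc(0x60, _enc(0x02, b"\x03") + _enc(0x04, name) + auth)
    return _enc(0x30, _enc(0x02, b"\x01") + bind)

ANON = build_bind(b"", _enc(0x80))
SIMPLE = build_bind(b"CN=myname,DC=domain,DC=com", _enc(0x80, b"constructed-pw"))
SASL = build_bind(b"", _enc(0xA3, _enc(0x04, b"GSS-SPNEGO") + _enc(0x04, b"\x00")))
```

`classify_bind(ANON)` corresponds to the NULL user name/password case described above: on the wire it is a simple bind with an empty name and an empty password.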



MORE INFORMATION
As an example, in the following code a simple bind occurs because the ADS_USE_SSL flag is specified. The credentials that are used are those of the Anonymous account. The code queries a field that requires domain account credentials. Because no credentials are provided, the bind defaults to the Anonymous account, and no records are found.

    'Requires project references to ADO and the Active DS Type Library
    Private Sub Command1_Click()
        Dim cn As ADODB.Connection
        Dim cmd As ADODB.Command
        Dim rs As ADODB.Recordset
        Dim strLdapPort As String
        Dim strServerDomainName As String
        Dim strSamAccountName As String
        Dim strADsPath As String

        'Bind to AD using the OLE DB Provider for Microsoft Directory Services
        Set cn = New ADODB.Connection
        cn.Provider = "ADsDSOObject"
        'ADS_USE_SSL forces a simple bind; with no credentials set, it is anonymous
        cn.Properties("ADSI Flag") = ADS_SECURE_AUTHENTICATION Or ADS_USE_SSL
        cn.Properties("Page Size") = 99
        cn.Open

        'Create the command object to query AD
        Set cmd = New ADODB.Command
        Set cmd.ActiveConnection = cn
        cmd.CommandType = adCmdText

        strServerDomainName = "domain.com"
        strSamAccountName = "myname"
        cmd.CommandText = "Select AdsPath From 'LDAP://" & _
            strServerDomainName & "' where objectClass='user' and " & _
            "objectCategory='person' and sAMAccountName='" & _
            strSamAccountName & "'"

        'Create the record set for the command results
        Set rs = New ADODB.Recordset
        Set rs = cmd.Execute

        If rs.EOF Then
            MsgBox ("No records found")
        Else
            strADsPath = rs.Fields("AdsPath")
            MsgBox ("strADsPath=" & strADsPath)
        End If

        rs.Close
        cn.Close
        Set cmd = Nothing
        Set rs = Nothing
        Set cn = Nothing
    End Sub

You can modify this code to not use the "ADSI Flag" property, and instead complete a server bind that specifies that the SSL port (636) be used. Because the SSL port is specified, the traffic is encrypted by using SSL. The "ADSI Flag" property is not set, so ADSI automatically tries to bind by first using Kerberos or NTLM before an attempt to use basic authentication occurs. If you run this code while you are logged on to the domain, this code returns a recordset because the credentials that are being used would be either Kerberos or NTLM.

    Private Sub Command1_Click()
        Dim cn As ADODB.Connection
        Dim cmd As ADODB.Command
        Dim rs As ADODB.Recordset
        Dim strLdapPort As String
        Dim strServerDomainName As String
        Dim strSamAccountName As String

        'Bind to AD using the OLE DB Provider for Microsoft Directory Services
        Set cn = New ADODB.Connection
        cn.Provider = "ADsDSOObject"
        'Removed the line that set the ADSI Flag property
        cn.Properties("Page Size") = 99
        cn.Open

        'Create the command object to query AD
        Set cmd = New ADODB.Command
        Set cmd.ActiveConnection = cn
        cmd.CommandType = adCmdText

        'This next line has changed
        strServerDomainName = "domain.com:636"
        strSamAccountName = "myname"

        '... Code continues unchanged from here....

For additional information about ADSI (including the Help file), please visit either of the following Microsoft Web sites.

ADSI Overview
http://msdn2.microsoft.com/library/aa772170.aspx

MSDN Search
http://search.microsoft.com/us/dev/default.asp

Keywords: kbdswadsi2003swept kbinfo KB321315


© Microsoft Corporation. All rights reserved.