Microsoft KB Archive/817583

= Active Directory Services does not request secure authorization over an SSL connection =

Article ID: 817583

Article Last Modified on 8/29/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition

-





SYMPTOMS
While you are using a program that uses ADSI to communicate to any Lightweight Directory Access Protocol (LDAP) server that is listening on a port other than the SSL port 636, one of the following symptoms may occur:
 * The program cannot bind to the LDAP server by using the ADS_USE_SSL/ADS_USE_ENCRYPTION options in the ADSOpenObject method.
 * The program cannot set or change the password even if it binds by using the ADS_SECURE_AUTHENTICATION option.

Also, your program cannot access security descriptors for objects by using ADSI calls if all the trustees are irresolvable from the Security Identifier (SID) to the display name. A trustee is a user, group, SID, or other security principal. Also, the program will not bind by using the Windows security principal to ADAM over the SSL with the ADS_SECURE_AUTHENTICATION option.

If a bind is tried by using both the ADS_SECURE_AUTHENTICATION and ADS_USE_SSL flags, the client will perform only the secure authentication and will not try to perform a simple bind with SSL.



CAUSE
This problem occurs because ADSI is restricted to SSL port number 636 when it makes a bind call to the LDAP server. Also, ADSI does not handle cases where all the trustees are irresolvable. When ADSI calls to bind to ADAM by using a Windows security principal over a SSL connection with the ADS_SECURE_AUTHENTICATION option, ADSI then uses a simple bind call instead of a secure bind call.



Microsoft Windows Server 2003
This problem was corrected in Windows Server 2003.

Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Version        Size     File name -  28-Mar-2003  5.1.2600.1193  184,320  Activeds.dll 28-Mar-2003 5.1.2600.1193  161,792  Adsldp.dll 28-Mar-2003 5.1.2600.1193  137,216  Adsldpc.dll 28-Mar-2003 5.1.2600.1193   62,976  Adsmsext.dll

Hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Microsoft Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version           Size     File name --  26-May-2003  04:57  5.0.2195.6748     182,544  Activeds.dll 26-May-2003 04:57  5.0.2195.6748     124,688  Adsldp.dll 26-May-2003 04:57  5.0.2195.6748     132,368  Adsldpc.dll 26-May-2003 04:57  5.0.2195.6748      63,760  Adsmsext.dll 26-May-2003 04:57  5.0.2195.6743     381,200  Advapi32.dll 26-May-2003 04:57  5.0.2195.6693      68,880  Browser.dll 26-May-2003 04:57  5.0.2195.6680     134,928  Dnsapi.dll 26-May-2003 04:57  5.0.2195.6663      92,432  Dnsrslvr.dll 26-May-2003 04:57  5.0.2195.6700      47,376  Eventlog.dll 26-May-2003 04:57  5.0.2195.6747     148,240  Kdcsvc.dll 20-May-2003 03:49  5.0.2195.6747     205,072  Kerberos.dll 26-Mar-2003 06:37  5.0.2195.6695      71,888  Ksecdd.sys 04-Apr-2003 09:11  5.0.2195.6695     518,928  Lsasrv.dll 26-Mar-2003 06:37  5.0.2195.6695      33,552  Lsass.exe 04-Apr-2003 09:12  5.0.2195.6680     117,520  Msv1_0.dll 26-May-2003 04:57  5.0.2195.6601     311,568  Netapi32.dll 26-May-2003 04:57  5.0.2195.6695     371,984  Netlogon.dll 26-May-2003 04:57  5.0.2195.6697   1,040,144  Ntdsa.dll 26-May-2003 04:57  5.0.2195.6742     392,464  Samsrv.dll 26-May-2003 04:57  5.0.2195.6737     131,344  Scecli.dll 26-May-2003 04:57  5.0.2195.6737     306,448  Scesrv.dll 21-May-2003 03:47  5.0.2195.6746   4,554,240  Sp3res.dll 26-May-2003 04:57  5.0.2195.6601      51,472  W32time.dll 15-Aug-2002 22:32  5.0.2195.6601      57,104  W32tm.exe 26-May-2003 04:57  5.0.2195.6741     126,224  Wldap32.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
This hotfix resolves ADSI problems that are related to the SSL, security descriptors, and SSL binding to Active Directory in Application Mode (ADAM).

Keywords: kbhotfixserver kbqfe kbwinxpsp2fix kbprb kbenv kbqfe kbwinxppresp2fix kbfix kbbug KB817583

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.