ADSI Does a Simple Bind When You Specify ADS_USE_SSL (321315)



The information in this article applies to:

  • Microsoft Active Directory Services Interface, Microsoft Active Directory Client
  • Microsoft Active Directory Services Interface, System Component

This article was previously published under Q321315

SUMMARY

Active Directory Services Interface (ADSI) performs a simple bind when the ADS_USE_SSL flag is specified during a bind to an object. A simple bind works by sending the user name and password over the connection. This is not a good idea on an unencrypted connection, because the credentials can be easily sniffed. On an SSL connection, SSL encryption protects the password. When a simple bind occurs, passing in NULL for the user name/password means that the bind is made with the credentials of the anonymous user.

There is an important semantic difference between simple binds and secure/SSPI binds, such as Kerberos or NTLM. In NTLM, passing in NULL for the user name/password means "authenticate with the default credentials (the user who is running the program)". With a simple bind, it means "authenticate as the anonymous user".
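As an added illustration, not part of this article: the following Python script builds three constructed LDAP BindRequests (RFC 4511) and classifies each the way a capture review would, distinguishing the anonymous simple bind that NULL credentials produce from a simple bind that carries a password and from a SASL (GSS-SPNEGO, that is Kerberos/NTLM) bind. The BER encoder and parser are minimal and assume short-form lengths only.

```python
# Added example (not from the KB article): classify LDAP BindRequests
# (RFC 4511) the way a capture review or IDS rule would. Samples are
# constructed inline with a minimal BER encoder; short-form lengths only.

def tlv(tag: int, body: bytes) -> bytes:
    """BER TLV, definite short form (all samples here are < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def bind_request(msg_id: int, dn: bytes, auth: bytes) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, auth } }."""
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + auth)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def parse_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; short-form lengths only."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not supported by this sample parser")
    end = pos + 2 + length
    return tag, data[pos + 2:end], end

def classify_bind(message: bytes) -> str:
    tag, ldap_msg, _ = parse_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = parse_tlv(ldap_msg, 0)          # messageID
    op_tag, op, _ = parse_tlv(ldap_msg, pos)
    if op_tag != 0x60:
        return "not-a-bind"
    _, _, pos = parse_tlv(op, 0)                # version
    _, dn, pos = parse_tlv(op, pos)             # name (LDAPDN)
    auth_tag, auth, _ = parse_tlv(op, pos)
    if auth_tag == 0x80:                        # simple [0] OCTET STRING
        if not dn and not auth:
            return "simple-anonymous"           # what NULL creds give on a simple bind
        if not auth:
            return "simple-unauthenticated"     # DN but no password (RFC 4513 5.1.2)
        return "simple-cleartext-password"      # safe only inside TLS (port 636)
    if auth_tag == 0xA3:                        # sasl [3] SaslCredentials
        _, mech, _ = parse_tlv(auth, 0)
        return "sasl:" + mech.decode("ascii")   # GSS-SPNEGO = Kerberos/NTLM
    return "unknown-auth-choice"

# Constructed samples (not real captures).
ANON = bind_request(1, b"", tlv(0x80, b""))
SIMPLE = bind_request(2, b"cn=myname,dc=domain,dc=com", tlv(0x80, b"P@ss"))
SASL = bind_request(3, b"", tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x01\x02")))
```

Running `classify_bind` over the three samples returns `simple-anonymous`, `simple-cleartext-password` and `sasl:GSS-SPNEGO` respectively.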

MORE INFORMATION

As an example, in the following code a simple bind occurs because the ADS_USE_SSL flag is specified, so the credentials used are those of the Anonymous account. The code then runs a query on an attribute that requires domain account credentials. Because no credentials are provided, the bind falls back to the Anonymous account, and no records are found.
Private Sub Command1_Click()
    'Requires a project reference to the Active DS Type Library (for the
    'ADS_* constants) and to Microsoft ActiveX Data Objects (ADODB).
    Dim cn As ADODB.Connection
    Dim cmd As ADODB.Command
    Dim rs As ADODB.Recordset
    Dim strServerDomainName As String
    Dim strSamAccountName As String
    Dim strADsPath As String

    'Bind to AD using the OLE DB Provider for Microsoft Directory Services.
    'ADS_USE_SSL forces a simple bind; because no user name/password is
    'supplied, the bind is made as the Anonymous user.
    Set cn = New ADODB.Connection
    cn.Provider = "ADsDSOObject"
    cn.Properties("ADSI Flag") = ADS_SECURE_AUTHENTICATION Or ADS_USE_SSL
    cn.Properties("Page Size") = 99
    cn.Open

    'Create the command object to query AD
    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText

    strServerDomainName = "domain.com"
    strSamAccountName = "myname"
    cmd.CommandText = "Select AdsPath From 'LDAP://" & _
        strServerDomainName & "' where objectClass='user' and " & _
        "objectCategory='person' and sAMAccountName='" & _
        strSamAccountName & "'"

    'Execute the query; the record set holds the results
    Set rs = cmd.Execute

    If rs.EOF Then
        MsgBox ("No records found")
    Else
        strADsPath = rs.Fields("AdsPath")
        MsgBox ("strADsPath=" & strADsPath)
    End If
    rs.Close
    cn.Close
    Set cmd = Nothing
    Set rs = Nothing
    Set cn = Nothing
End Sub

You can modify this code so that it does not set the "ADSI Flag" property and instead performs a server bind that specifies the SSL port (636). Because the SSL port is specified, the traffic is encrypted by using SSL. Because the "ADSI Flag" property is not set, ADSI automatically tries to bind by using Kerberos or NTLM first, before it attempts basic (simple) authentication. If you run this code while you are logged on to the domain, it returns a recordset, because the credentials used are those of the logged-on user, passed by way of Kerberos or NTLM.
Private Sub Command1_Click()
    'Requires a project reference to Microsoft ActiveX Data Objects (ADODB).
    Dim cn As ADODB.Connection
    Dim cmd As ADODB.Command
    Dim rs As ADODB.Recordset
    Dim strServerDomainName As String
    Dim strSamAccountName As String
    Dim strADsPath As String

    'Bind to AD using the OLE DB Provider for Microsoft Directory Services.
    'The "ADSI Flag" property is deliberately not set, so ADSI negotiates
    'Kerberos or NTLM with the logged-on user's credentials first.
    Set cn = New ADODB.Connection
    cn.Provider = "ADsDSOObject"
    cn.Properties("Page Size") = 99
    cn.Open

    'Create the command object to query AD
    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText

    'This next line has changed: port 636 makes the connection use SSL
    strServerDomainName = "domain.com:636"
    strSamAccountName = "myname"

    '... Code continues unchanged from here....

For additional information about ADSI (including the Help file), visit either of the following Microsoft Web sites:

ADSI Overview

MSDN Search


Modification Type: Major    Last Reviewed: 2/12/2004
Keywords:kbDSWADSI2003Swept kbinfo KB321315 kbAudDeveloper