AD LDS SASL Bind - Does it work with AD LDS Security Principals Authentication?

    Question

  • Hi

    Hoping you can help. We have AD LDS installed, instance set up using LDAP 389, LDAPS 636 - AD LDS Security Principals authentication is used so Users can only bind with User accounts within the LDS Directory.

    Tested on the AD LDS Server using LDP.EXE, also tested on AD DS Server (binding against the LDS Server) - both produce the same, following results:

    Tested simple bind (DN) over LDAPS 636 - works fine, no issues.

    SASL binds - not working (Connect, select Bind, select Advanced 'SASL' and leave credentials blank. Error received: ldap_bind failed). As you do not input any credentials/DN for SASL binds, I'm guessing this only works when using Windows principals and not AD LDS accounts?

    My question is: can SASL work with AD LDS security principals? Or can you only bind using SASL with Windows principals? If so, is our only binding option simple binding (non-secure/secure - 389/636)?

    Thanks for your help

    Tuesday, April 25, 2017 6:13 PM

All replies

  • Hi,
    Referring to the following article, SASL can support AD LDS principals; please see:
    Supported Types of Security Principals
    https://msdn.microsoft.com/en-us/library/cc223505.aspx
    Here is also an article regarding more details, you could take a look at it, too.
    https://blog.msresource.net/2013/04/25/how-can-i-logon-to-my-adam-or-ad-lds-management-agent-ma/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, April 28, 2017 2:27 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you would mark them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Monday, May 1, 2017 4:46 AM
    Moderator
  • Hey technom

    My question is: can SASL work with AD LDS security principals?

    The only supported SASL mechanism (when using AD LDS security principals) is DIGEST-MD5; and there are some constraints for use. Have a look at the ADAMDisableSSL setting.

    Or can you only bind using SASL with Windows Principals?

    Additional SASL mechanisms are supported when using Windows security principals, e.g. Kerberos and NTLM.

    If so, is our only binding option simple binding (non secure/secure - 389/636)?

    See above, and note that it's generally best practice to reject SASL binds that do not request signing.

    Hope this helps,


    Tom Houston, UK Identity Management Practice

    Monday, May 1, 2017 8:46 AM
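An added worked example (not from any of the posters) of the two bind types discussed in this thread, using System.DirectoryServices.Protocols from PowerShell: a simple bind over LDAPS 636 with an AD LDS user, and a DIGEST-MD5 SASL bind with the same AD LDS principal, requesting signing and sealing. The host name, ports, user DN and password prompt are placeholders, and using the user's DN as the DIGEST-MD5 username is an assumption; check what your instance accepts.

```powershell
# Added example, not from the thread. Compares a simple bind over LDAPS with a
# DIGEST-MD5 SASL bind against an AD LDS instance using an AD LDS security principal.
# Host, ports, user DN and password are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldsHost  = 'lds01.example.internal'                 # placeholder AD LDS host
$userDn   = 'CN=svc-app,OU=Users,DC=app,DC=local'    # placeholder AD LDS user DN
$password = Read-Host -Prompt 'Password' -AsSecureString
$cred     = New-Object System.Net.NetworkCredential($userDn, $password)

function Test-LdsBind {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [string]$Label
    )
    try {
        $Connection.Bind()
        "$Label : bind succeeded"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ldap_bind failures surface here, e.g. when the mechanism or principal type is not supported
        "$Label : bind failed ($($_.Exception.Message))"
    } finally {
        $Connection.Dispose()
    }
}

# 1) Simple bind over LDAPS 636: the DN and password travel inside TLS, never in clear.
$id636  = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldsHost, 636)
$simple = New-Object System.DirectoryServices.Protocols.LdapConnection(
    $id636, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$simple.SessionOptions.SecureSocketLayer = $true
$simple.SessionOptions.ProtocolVersion   = 3
Test-LdsBind -Connection $simple -Label 'Simple bind over LDAPS 636'

# 2) SASL DIGEST-MD5 bind over 389 with an AD LDS principal (the only SASL mechanism
#    AD LDS offers for its own principals). Signing and sealing are requested so the
#    session is integrity- and confidentiality-protected after the bind.
$id389  = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldsHost, 389)
$digest = New-Object System.DirectoryServices.Protocols.LdapConnection(
    $id389, $cred, [System.DirectoryServices.Protocols.AuthType]::Digest)
$digest.SessionOptions.ProtocolVersion = 3
$digest.SessionOptions.Signing         = $true
$digest.SessionOptions.Sealing         = $true
Test-LdsBind -Connection $digest -Label 'DIGEST-MD5 SASL bind over 389'
```

For Windows principals the same script would use AuthType Negotiate (Kerberos/NTLM) instead of Digest; a server configured to require signing will reject a SASL bind that omits the Signing option.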