Access AD LDS (ADAM) using ADSI (C++) and StartTLS

I need to connect to AD LDS instance using StartTLS and get the list of users from there. Unfortunately it has to be done in the legacy C++ app. I've installed test AD LDS on Windows 2008 R2 machine (running on Network Service), it looks like I've set up SSL on it correctly and can access it (using Simple Auth + StartTLS) from my client machine using Apache Directory Studio or Ldap Admin.

The code in C++ calls

hr = ADsOpenObject(
            szPath, strUserName, strPassword, m_authentication, 
            IID_IADs, (void**)&m_pObject);

(https://msdn.microsoft.com/en-us/library/aa772238(v=vs.85).aspx)

where szPath is LDAP://IP:10386/CN=Users,DC=Product,DC=local; strUserName is CN=admin,CN=Users,DC=Product,DC=local; m_authentication is an ADS_AUTHENTICATION_ENUM (https://msdn.microsoft.com/en-us/library/aa772247%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396)

I'm trying different combinations of ADS_SECURE_AUTHENTICATION, ADS_USE_ENCRYPTION and ADS_USE_SSL that should work, according to Microsoft examples.

So far ADS_USE_ENCRYPTION and ADS_USE_SSL gives the most promising error

00002028: LdapErr: DSID-0C0901FB, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1
A more secure authentication method is required for this server.

ADS_SECURE_AUTHENTICATION + ADS_USE_SSL + ADS_USE_ENCRYPTION give

The user name or password is incorrect.

And server logs give 2 Failed Auth events: The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  CN=admin,CN=Users,DC=Product,DC=local
Source Workstation: <MachineName>
Error Code: 0xc0000064

And

An account failed to log on.
Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       CN=admin,CN=Users,DC=Product,DC=local
    Account Domain:     

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   <MachineName>
    Source Network Address: IP
    Source Port:        PortNum

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

like it's trying to Authenticate user vs Local Machine or vs Global AD, not my test AD LDS.

Is there any way to force it to Authenticate user vs my test AD LDS?