I need to connect to AD LDS instance using StartTLS and get the list of users from there. Unfortunately it has to be done in the legacy C++ app. I've installed test AD LDS on Windows 2008 R2 machine (running on Network Service), it looks like I've set up SSL on it correctly and can access it (using Simple Auth + StartTLS) from my client machine using Apache Directory Studio or Ldap Admin.
The code in C++ calls
hr = ADsOpenObject(
szPath, strUserName, strPassword, m_authentication,
IID_IADs, (void**)&m_pObject);
(https://msdn.microsoft.com/en-us/library/aa772238(v=vs.85).aspx)
where szPath is LDAP://IP:10386/CN=Users,DC=Product,DC=local; strUserName is CN=admin,CN=Users,DC=Product,DC=local; m_authentication is an ADS_AUTHENTICATION_ENUM (https://msdn.microsoft.com/en-us/library/aa772247%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396)
I'm trying different combinations of ADS_SECURE_AUTHENTICATION, ADS_USE_ENCRYPTION and ADS_USE_SSL that should work, according to Microsoft examples.
So far ADS_USE_ENCRYPTION and ADS_USE_SSL gives the most promising error
00002028: LdapErr: DSID-0C0901FB, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1
A more secure authentication method is required for this server.
ADS_SECURE_AUTHENTICATION + ADS_USE_SSL + ADS_USE_ENCRYPTION give
The user name or password is incorrect.
And server logs give 2 Failed Auth events: The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: CN=admin,CN=Users,DC=Product,DC=local
Source Workstation: <MachineName>
Error Code: 0xc0000064
And
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: CN=admin,CN=Users,DC=Product,DC=local
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: <MachineName>
Source Network Address: IP
Source Port: PortNum
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
like it's trying to Authenticate user vs Local Machine or vs Global AD, not my test AD LDS.
Is there any way to force it to Authenticate user vs my test AD LDS?
User contributions licensed under CC BY-SA 3.0