Windows Active Directory LDAP Simple Bind Fails "NT AUTHORITY\ANONYMOUS LOGON"

The registry key to check is HKLM\System\CurrentControlSet\Control\SecurityProviders\Security Providers; confirm that its value contains pwdssp.dll.

Default Windows 2003 key value:

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

Default Windows 2008 or 2012 key value:

credssp.dll, pwdssp.dll

I tested the following examples by running LDP.EXE from a Windows 2008 or 2012 server against the target AD server. You will see slightly different values in some examples according to your AD domain.

**WITHOUT** pwdssp.dll listed in the key on Windows 2008 or 2012:

```text
res = ldap_simple_bind_s(ld, 'administrator@domain.local', ); // v.3
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
```

**WITH** pwdssp.dll listed in registry key on Windows 2008 or 2012:

```text
res = ldap_simple_bind_s(ld, 'administrator@domain.local', ); // v.3
Authenticated as: 'DOMAIN\Administrator'.
```

**WITHOUT** pwdssp.dll listed in the registry key on Windows 2003:

```text
res = ldap_simple_bind_s(ld, 'administrator@domain.local', ); // v.3
Authenticated as: 'administrator@domain.local'.
```

Note that on Windows 2003 the bind line looks successful either way; the difference only shows up when you perform a query. A query after the invalid bind returns something like:

```text
***Searching...
ldap_search_s(ld, "DC=domain,DC=local", 2, "(&(objectclass=user)(samAccountName=Administrator))", attrList,  0, &msg)
Error: Search: Operations Error. <1>
Server error: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Error 0x0 The operation completed successfully.
Result <1>: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Getting 0 entries:
```

**WITH** pwdssp.dll listed in the registry key on Windows 2003:

```text
res = ldap_simple_bind_s(ld, 'administrator@domain.local', ); // v.3
Authenticated as: 'administrator@domain.local'.
```

Performing a query with the valid bind returns:

```text
***Searching...
ldap_search_s(ld, "DC=domain,DC=local", 2, "(&(objectclass=user)(samAccountName=Administrator))", attrList,  0, &msg)
Getting 1 entries:
Dn: CN=Administrator,CN=Users,DC=domain,DC=local
canonicalName: domain.local/Users/Administrator; 
description: Built-in account for administering the computer/domain; 
name: Administrator; 
objectClass (4): top; person; organizationalPerson; user;
```
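The following PowerShell script is an added example, not part of the original post. It automates the two checks above on the host that performs the bind: it reads the SecurityProviders value (assumed to be the REG_SZ value named SecurityProviders under the key given at the top of the post) and looks for pwdssp.dll, then performs a simple bind with System.DirectoryServices.Protocols followed by a search, because on Windows 2003 only the search reveals that the bind was effectively anonymous. The server name, base DN and credentials are placeholders.

```powershell
# Added example (not from the original post). Verifies that pwdssp.dll is
# listed in the SecurityProviders value and that a simple bind is genuine
# by following it with a search, which is where an anonymous bind fails.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Assumption: the value is the REG_SZ 'SecurityProviders' under this key.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$providers = (Get-ItemProperty -Path $regPath -Name SecurityProviders).SecurityProviders
$list      = $providers -split ',' | ForEach-Object { $_.Trim() }

if ($list -contains 'pwdssp.dll') {
    Write-Host "pwdssp.dll is present in SecurityProviders: $providers"
} else {
    Write-Warning "pwdssp.dll is MISSING from SecurityProviders: $providers"
    Write-Warning "Simple binds from this host will be treated as anonymous."
}

# Placeholders: replace with the DC and domain you are testing against.
$server = 'dc01.domain.local'
$baseDn = 'DC=domain,DC=local'
$cred   = Get-Credential -Message 'Account to test the simple bind with'

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()
# Bind() returns without error even when the bind ends up anonymous,
# so it cannot be used as the success check on its own.
$conn.Bind()

$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $baseDn,
    '(&(objectClass=user)(sAMAccountName=Administrator))',
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    'name')

try {
    $resp = $conn.SendRequest($req)
    Write-Host "Simple bind is genuine: search returned $($resp.Entries.Count) entries"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # Matches the 'a successful bind must be completed' error shown above.
    Write-Warning "Search failed after bind: $($_.Exception.Message)"
    Write-Warning "The simple bind was effectively anonymous; check pwdssp.dll."
}
```

Run it from the same machine you would run LDP.EXE on, since the registry check applies to the host making the connection.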
