AUO Fails to Bind to an LDAP Server With Error 80020009 When Using NTLM

ID: Q239835


The information in this article applies to:
  • Microsoft Site Server version 3.0


SYMPTOMS

AUO (Active User Object) may fail to bind to a Lightweight Directory Access Protocol (LDAP) server, generating error 80020009, when using Microsoft Windows NT LAN Manager security (NTLM).


CAUSE

By default, AUO binds using only clear text authentication (basic authentication).


WORKAROUND

Use Secure Sockets Layer (SSL).


RESOLUTION

To resolve this problem, obtain the latest service pack for Site Server 3.0. For additional information, please see the following article in the Microsoft Knowledge Base:

Q219292 How to Obtain the Latest Site Server 3.0 Service Pack


STATUS

This problem was first corrected in Site Server 3.0 Service Pack 3.


MORE INFORMATION

Using clear text authentication is a security concern when AUO runs on a different server from the LDAP service, because the bind credentials then cross the network unencrypted. With the fix, NTLM is tried first, then clear text.

Also, there is a new registry parameter that forces NTLM to be used exclusively.

  1. Start Registry Editor (Regedt32.exe).

  2. Locate the following key in the registry:

       HKLM\Software\Microsoft\Site Server\3.0\P&M\AUO\<serverinstance>\

  3. On the Edit menu, click Add Value, and then add the following registry value:

       Value Name: AUOSecureBind
       Data Type:  REG_DWORD
       Value:      Enter any non-zero value to only use NTLM.

  4. Quit Registry Editor.
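To confirm the setting on every server instance after following the steps above, the added example below (not part of the original article or of Site Server) audits a REGEDIT4 text export of the AUO key. It assumes the value name is AUOSecureBind with no trailing period and that Service Pack 3 is installed; the instance names and the sample export are constructed.

```python
import re

# Key from the article; each direct subkey is one <serverinstance>.
AUO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Site Server\3.0\P&M\AUO"
VALUE_NAME = "AUOSecureBind"  # assumed spelling, no trailing period

# Constructed REGEDIT4 export; instance names and other values are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Site Server\3.0\P&M\AUO\MembershipA]
"AUOSecureBind"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Site Server\3.0\P&M\AUO\MembershipB]
"AUOSecureBind"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Site Server\3.0\P&M\AUO\MembershipC]
"ExampleOther"="x"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Site Server\3.0\P&M\AUO\MembershipD]
"AUOSecureBind"="1"
'''

def audit_auo_secure_bind(export_text):
    """Map each instance to 'ntlm-only', 'cleartext-fallback' or 'wrong-type'."""
    results, instance = {}, None
    prefix = AUO_KEY.lower() + "\\"   # registry names are case-insensitive
    for line in export_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            path, instance = key.group(1).rstrip("\\"), None
            rest = path[len(prefix):]
            if path.lower().startswith(prefix) and "\\" not in rest:
                instance = rest       # direct child of the AUO key only
                # Missing value: with the fix, NTLM first, then clear text.
                results.setdefault(instance, "cleartext-fallback")
            continue
        val = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if instance and val and val.group(1).lower() == VALUE_NAME.lower():
            dword = re.fullmatch(r"dword:([0-9a-fA-F]{8})", val.group(2))
            if dword is None:
                results[instance] = "wrong-type"   # article requires REG_DWORD
            elif int(dword.group(1), 16) != 0:
                results[instance] = "ntlm-only"
            else:
                results[instance] = "cleartext-fallback"
    return results

if __name__ == "__main__":
    for name, state in sorted(audit_auo_secure_bind(SAMPLE_EXPORT).items()):
        print(f"{name}: {state}")
```

Any instance not reported as ntlm-only can still fall back to a clear text bind.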


NOTES:
Microsoft Active Directory Service Interfaces (ADSI) version 2.5 is required for this fix to work.

The privileged account that AUO uses to authenticate to the LDAP server needs to be a domain account. By default, AUO creates a local account on the LDAP computer; change this to a domain account that has permissions on the LDAP server.

Keywords : SS3SP3Fix
Version : winnt:3.0
Platform : winnt
Issue type : kbbug


Last Reviewed: October 26, 1999