Platform SDK: Active Directory, ADSI, and Directory Services

ADS_AUTHENTICATION_ENUM

The ADS_AUTHENTICATION_ENUM enumeration specifies the authentication options ADSI uses when binding to directory service objects. When calling IADsOpenDSObject or ADsOpenObject to bind to an ADSI object, you must supply at least one of these options. In general, different providers implement the options differently. The options documented here apply to the providers supplied by Microsoft® that ship with the ADSI SDK. For more information, see ADSI System Providers.

typedef enum {
  ADS_SECURE_AUTHENTICATION  = 0x1,
  ADS_USE_ENCRYPTION         = 0x2,
  ADS_USE_SSL                = 0x2,
  ADS_READONLY_SERVER        = 0x4,
  ADS_PROMPT_CREDENTIALS     = 0x8,
  ADS_NO_AUTHENTICATION      = 0x10,
  ADS_FAST_BIND              = 0x20,
  ADS_USE_SIGNING            = 0x40,
  ADS_USE_SEALING            = 0x80
} ADS_AUTHENTICATION_ENUM;

Elements

ADS_SECURE_AUTHENTICATION
Requests secure authentication. When this flag is set, the WinNT provider uses NT LAN Manager (NTLM) to authenticate the client. Active Directory will use Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are NULL, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating.
ADS_USE_ENCRYPTION
Forces ADSI to use encryption for data exchange over the network. This flag has the same value (0x2) as ADS_USE_SSL.
ADS_USE_SSL
Encrypts the channel with SSL, so that all data exchanged over it is encrypted. Active Directory requires that the Certificate Server be installed to support SSL encryption.
ADS_READONLY_SERVER
For the WinNT provider, ADSI tries to connect to either a primary domain controller (PDC) or a backup domain controller (BDC). For Active Directory, this flag indicates that a writeable server is not required for a serverless binding.
ADS_PROMPT_CREDENTIALS
This flag is deprecated.
ADS_NO_AUTHENTICATION
Requests no authentication. The providers may attempt to bind the client to the targeted object as an anonymous user. The WinNT provider does not support this flag. Active Directory establishes a connection between the client and the targeted object but does not perform any authentication. Setting this flag amounts to requesting an anonymous binding, which means "Everyone" is the security context.
ADS_FAST_BIND
When this flag is set, ADSI does not query the objectClass property and therefore exposes only the base interfaces supported by all ADSI objects, rather than the full object support. This option can boost performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI does not verify that any of the requested objects actually exist on the server. For more information, see "Fast Binding Options for Batch Write/Modify Operations" in the Active Directory Programmer's Guide.
ADS_USE_SIGNING
Verifies data integrity to ensure that the data received is the same as the data sent. The ADS_SECURE_AUTHENTICATION flag must also be set in order to use signing.
ADS_USE_SEALING
Encrypts data using Kerberos. The ADS_SECURE_AUTHENTICATION flag must also be set in order to use sealing.

Remarks

The ADS_SECURE_AUTHENTICATION flag can be used in combination with other flags such as ADS_READONLY_SERVER, ADS_PROMPT_CREDENTIALS, ADS_FAST_BIND, etc.

Serverless binding refers to a process in which a client binds to an Active Directory object without explicitly naming an Active Directory server in the binding string, for example, "LDAP://CN=jsmith,DC=Microsoft,DC=Com". This is possible because the LDAP provider relies on the locator services of Windows® 2000 to find the best domain controller (DC) for the client. However, the client must have an account in the Active Directory domain in order to take advantage of the serverless binding feature.

Note  Because VBScript cannot read information from a type library, VBScript applications do not understand the symbolic constants as defined above. You should use the numerical constants instead to set the appropriate flags in your VBScript applications. If you want to use the symbolic constants as a good programming practice, you should make explicit declarations of such constants, as done here, in your VBScript applications.

Example Code [Visual Basic]

The following Visual Basic® code snippet illustrates how to use IADsOpenDSObject to open the "Administrator" user object on "Microsoft" with secure authentication for the WinNT provider.

' Requires a project reference to the Active DS Type Library so that the
' ADS_SECURE_AUTHENTICATION constant and the IADs interfaces are defined.
Dim dso As IADsOpenDSObject
Dim domain As IADsDomain

Set dso = GetObject("WinNT:")
' Bind to the Microsoft domain as Administrator using NTLM (secure authentication).
Set domain = dso.OpenDSObject("WinNT://Microsoft", "Administrator", "secret", ADS_SECURE_AUTHENTICATION)

Example Code [C++]

The following C/C++ code snippet illustrates how the ADS_SECURE_AUTHENTICATION flag is used with ADsOpenObject for validating the user bound as "JSmith".

#include <windows.h>
#include <activeds.h>   // ADsOpenObject, IADs, ADS_SECURE_AUTHENTICATION
IADs    *pObject = NULL;
HRESULT hr = CoInitialize(NULL);   // ADSI is COM based; initialize COM first
hr = ADsOpenObject(L"LDAP://CN=Jsmith, DC=Microsoft, DC=com",
                   L"Microsoft\\JSmith", L"password",
                   ADS_SECURE_AUTHENTICATION, IID_IADs,
                   (void**) &pObject);
if (SUCCEEDED(hr)) {    // a successful bind means JSmith's credentials were accepted
    pObject->Release();
}
CoUninitialize();

The user name can be of the UPN format: "JSmith@Microsoft.com", as well as the distinguished name format: "CN=JSmith,DC=Microsoft,DC=COM".
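The following C++ example is added here and is not part of the Platform SDK documentation or the ADSI library. It checks an intended bind request against the rules stated above before the request is issued: ADS_USE_SIGNING and ADS_USE_SEALING are honoured only together with ADS_SECURE_AUTHENTICATION, ADS_NO_AUTHENTICATION yields the "Everyone" context, ADS_USE_ENCRYPTION and ADS_USE_SSL share one value, ADS_PROMPT_CREDENTIALS is deprecated, and a serverless LDAP path without ADS_READONLY_SERVER requires a writeable DC. The enum values are copied from the declaration above; the isServerlessPath and assessBind functions, the BindAssessment structure and the sample paths are this example's own assumptions, and it deliberately does not call ADsOpenObject, so it compiles without the Windows headers.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Values as declared in Iads.h (see the typedef above).
enum AdsAuthentication : uint32_t {
    ADS_SECURE_AUTHENTICATION = 0x1,
    ADS_USE_ENCRYPTION        = 0x2,
    ADS_USE_SSL               = 0x2,   // same bit as ADS_USE_ENCRYPTION
    ADS_READONLY_SERVER       = 0x4,
    ADS_PROMPT_CREDENTIALS    = 0x8,   // deprecated
    ADS_NO_AUTHENTICATION     = 0x10,
    ADS_FAST_BIND             = 0x20,
    ADS_USE_SIGNING           = 0x40,
    ADS_USE_SEALING           = 0x80
};

// Hypothetical result type for this example: what the bind would actually give you.
struct BindAssessment {
    bool acceptable;      // false when the flags contradict each other
    bool authenticated;   // the caller's identity is proven to the server
    bool integrity;       // signing (or SSL) protects data in transit
    bool confidentiality; // sealing (or SSL) encrypts data in transit
    bool serverless;      // the ADsPath names no server
    std::vector<std::string> findings;
};

// True for an LDAP ADsPath that carries a DN but no server component, e.g.
// "LDAP://CN=jsmith,DC=Microsoft,DC=Com" as opposed to
// "LDAP://dc1.example.com/CN=jsmith,DC=example,DC=com" (a constructed path).
bool isServerlessPath(const std::string& path) {
    const std::string prefix = "LDAP://";
    if (path.compare(0, prefix.size(), prefix) != 0) return false;
    std::string rest = path.substr(prefix.size());
    // A server, when present, ends at the first '/'; a bare DN contains '=' and no '/'.
    return rest.find('/') == std::string::npos && rest.find('=') != std::string::npos;
}

BindAssessment assessBind(const std::string& adsPath, uint32_t flags) {
    BindAssessment a{};
    a.acceptable  = true;
    a.serverless  = isServerlessPath(adsPath);
    const bool secure  = flags & ADS_SECURE_AUTHENTICATION;
    const bool noAuth  = flags & ADS_NO_AUTHENTICATION;
    const bool signing = flags & ADS_USE_SIGNING;
    const bool sealing = flags & ADS_USE_SEALING;
    const bool ssl     = flags & ADS_USE_SSL;

    if (secure && noAuth) {
        a.acceptable = false;
        a.findings.push_back("ADS_SECURE_AUTHENTICATION and ADS_NO_AUTHENTICATION contradict each other");
    }
    a.authenticated = secure && !noAuth;
    if (noAuth) a.findings.push_back("anonymous bind: the security context is Everyone");

    // Signing and sealing are only used when ADS_SECURE_AUTHENTICATION is also set.
    if (signing && !secure) a.findings.push_back("ADS_USE_SIGNING has no effect without ADS_SECURE_AUTHENTICATION");
    if (sealing && !secure) a.findings.push_back("ADS_USE_SEALING has no effect without ADS_SECURE_AUTHENTICATION");
    a.integrity       = (secure && signing) || ssl;
    a.confidentiality = (secure && sealing) || ssl;

    if (flags & ADS_PROMPT_CREDENTIALS) a.findings.push_back("ADS_PROMPT_CREDENTIALS is deprecated");
    if (flags & ADS_FAST_BIND) a.findings.push_back("fast bind: ADSI will not verify that the object exists");
    if (a.serverless && !(flags & ADS_READONLY_SERVER))
        a.findings.push_back("serverless bind will require a writeable DC; set ADS_READONLY_SERVER if reads suffice");
    if (a.authenticated && !a.confidentiality)
        a.findings.push_back("caller is authenticated but directory data travels unencrypted");
    return a;
}

int main() {
    // Constructed request: the page's serverless DN with secure auth only.
    BindAssessment a = assessBind("LDAP://CN=jsmith,DC=Microsoft,DC=Com", ADS_SECURE_AUTHENTICATION);
    std::printf("authenticated=%d integrity=%d confidentiality=%d serverless=%d\n",
                a.authenticated, a.integrity, a.confidentiality, a.serverless);
    for (const std::string& f : a.findings) std::printf("  finding: %s\n", f.c_str());
    return a.acceptable ? 0 : 1;
}
```

Running assessBind on a planned flag set before the real ADsOpenObject call makes the consequences of a flag combination visible in review: a bind with ADS_USE_SEALING alone, for instance, is reported as neither authenticated nor encrypted rather than silently degrading.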

Requirements

  Windows NT/2000: Requires Windows 2000 (or Windows NT 4.0 with DSClient).
  Windows 95/98: Requires Windows 95 or later (with DSClient).
  Header: Declared in Iads.h.

See Also

ADSI Enumerations, ADSI System Providers, ADsOpenObject, IADsOpenDSObject, IADsAccessControlEntry