Binding with Encryption
If you want to use encryption to protect the data exchange over the network between your application and the directory server, you must bind using ADsOpenObject or IADsOpenDSObject::OpenDSObject. You have two options for starting a session that uses encryption.
- Kerberos
- Specify the ADS_USE_SEALING flag to encrypt the data using Kerberos. You can also add the ADS_USE_SIGNING flag to verify data integrity (that is, to check to ensure the data received is the same as the data sent). If you just specify ADS_USE_SEALING, you get ADS_USE_SIGNING as well. Both flags require Kerberos authentication, which works only under the following conditions:
- The client must be on a Windows 2000 system, or on a Windows 9x or Windows NT 4.0 system with the DS Client installed.
- The client computer must be a member of a Windows 2000 mixed mode or native mode domain.
- The client must be logged on to the Windows 2000 domain, or to a domain trusted by a Windows 2000 domain.
- You must use ADsOpenObject or IADsOpenDSObject::OpenDSObject with NULL credentials, that is, you cannot specify alternate credentials.
- SSL
- Specify the ADS_USE_SSL flag to encrypt the channel with SSL. If you specify both ADS_SECURE_AUTHENTICATION and ADS_USE_SSL, ADSI first opens an SSL channel and performs a simple bind using the specified user name and password or the current user context if both user name and password are set to NULL. If you specify only the ADS_USE_SSL flag, ADSI opens SSL port 636 and then does a simple binding over that SSL channel.
To use SSL-based encryption while communicating with Active Directory, Active Directory must have enabled Public Key Infrastructure (PKI). PKI can be enabled by setting up an enterprise certificate authority on one of the servers in Active Directory (including one of the Active Directory servers itself). Setting up an enterprise certificate authority causes an Active Directory server to get a server certificate that can then be used to do SSL-based encryption.
GetObject or ADsGetObject does not use encryption, so the LDAP requests used by ADSI and the data returned from the directory server go across the network as clear text. For debugging purposes, you may want to turn encryption off so you can use Network Monitor to see the LDAP requests and returns going between the client and the directory server.