Directory Services


The ADS_AUTHENTICATION_ENUM enumeration specifies authentication options used in ADSI for binding to directory service objects. When calling IADsOpenDSObject or ADsOpenObject to bind to an ADSI object, provide at least one of the options. In general, different providers will have different implementations. The options documented here apply to the providers supplied by Microsoft included with the ADSI SDK. For more information, see ADSI System Providers.

typedef enum 
  ADS_USE_SSL = 0x2, 
  ADS_FAST_BIND = 0x20, 
  ADS_USE_SIGNING = 0x40, 
  ADS_USE_SEALING = 0x80, 


Requests secure authentication. When this flag is set, the WinNT provider uses NT LAN Manager (NTLM) to authenticate the client. Active Directory will use Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are NULL, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread represents.
Requires ADSI to use encryption for data exchange over the network.
The channel is encrypted using Secure Sockets Layer (SSL). Active Directory requires that the Certificate Server be installed to support SSL.
A writeable domain controller is not required. For a Windows NT 4.0 network, ADSI will attempt to connect to either a primary domain controller (PDC) or a backup domain controller (BDC) because BDCs are read-only. On a Windows Server 2003 or Windows 2000 network, all servers are writable, so this flag has no affect.
This flag is deprecated.
Request no authentication. The providers may attempt to bind the client, as an anonymous user, to the target object. The WinNT provider does not support this flag. Active Directory establishes a connection between the client and the targeted object, but will not perform authentication. Setting this flag amounts to requesting an anonymous binding, which indicates all users as the security context.
When this flag is set, ADSI will not attempt to query the objectClass property and thus will only expose the base interfaces supported by all ADSI objects instead of the full object support. A user can use this option to increase the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI will not verify that any of the requested objects actually exist on the server. For more information, see Fast Binding Options for Batch Write/Modify Operations.
Verifies data integrity. The ADS_SECURE_AUTHENTICATION flag must also be set also to use signing.
Encrypts data using Kerberos. The ADS_SECURE_AUTHENTICATION flag must also be set to use sealing.
Enables ADSI to delegate the user security context, which is necessary for moving objects across domains.
Windows 2000 SP1 and later:  Specify this flag when using the LDAP provider if your ADsPath includes a server name. Do not use this flag for paths that include a domain name or for a serverless bind. If you specify a server name without also specifying this flag, unnecessary network traffic can result.


The ADS_SECURE_AUTHENTICATION flag can be used in combination with other flags such as ADS_READONLY_SERVER, ADS_PROMPT_CREDENTIALS, ADS_FAST_BIND, and so on.

Serverless binding refers to a process in which a client attempts to bind to an Active Directory object without explicitly specifying an Active Directory server in the binding string. This is possible because the LDAP provider relies on the locator services of Windows® 2000 to find the best domain controller (DC) for the client. However, the client must have an account on the Active Directory domain controller in order to take advantage of the serverless binding feature, and the DC used by a serverless bind will always be located in the default domain; that is, the domain associated with the current security context of the thread that performs the binding.

Note  None of these options are supported by the NDS or NWCOMPAT system providers.

Because VBScript cannot read data from a type library, VBScript applications do not understand the symbolic constants as defined above. Use the numerical constants instead to set the appropriate flags in your VBScript applications. To use the symbolic constants as a good programming practice, make explicit declarations of such constants, as done here, in your VBScript application.

Example Code [Visual Basic]

The following code example shows how to use IADsOpenDSObject to open an object on fabrikam with secure authentication for the WinNT provider.

[Visual Basic]
Dim dso As IADsOpenDSObject
Dim domain As IADsDomain
Set dso = GetObject("WinNT:")
Set domain = dso.OpenDSObject("WinNT://Fabrikam", vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION)

Example Code [C++]

The following code example shows how the ADS_SECURE_AUTHENTICATION flag is used with ADsOpenObject for validating the user bound as "JeffSmith". The user name can be of the UPN format: "", as well as the distinguished name format: "CN=JeffSmith,DC=Fabrikam,DC=COM".

IADs *pObject = NULL;
hr = ADsOpenObject(_bstr_t("LDAP://CN=JeffSmith, DC=fabrikam, DC=com"),
				 (void**) &pObject);
if (hr != S_OK)
	{} // Handle open object errors here.
	{} // Object was retrieved, continue processing here.


Client: Included in Windows XP and Windows 2000 Professional.
Server: Included in Windows Server 2003 and Windows 2000 Server.
Redistributable: Requires Active Directory Client Extension on Windows NT 4.0 SP6a and Windows 95/98/Me.
Header: Declared in Iads.h.

See Also

ADSI Enumerations, ADSI System Providers, ADsOpenObject, IADsOpenDSObject, IADsAccessControlEntry