Directory Services

ADS_AUTHENTICATION_ENUM

The ADS_AUTHENTICATION_ENUM enumeration specifies authentication options used in ADSI for binding to directory service objects. When calling IADsOpenDSObject or ADsOpenObject to bind to an ADSI object, provide at least one of the options. In general, different providers will have different implementations. The options documented here apply to the providers supplied by Microsoft included with the ADSI SDK. For more information, see ADSI System Providers.

typedef enum 
{
  ADS_SECURE_AUTHENTICATION = 0x1, 
  ADS_USE_ENCRYPTION = 0x2, 
  ADS_USE_SSL = 0x2, 
  ADS_READONLY_SERVER = 0x4, 
  ADS_PROMPT_CREDENTIALS = 0x8, 
  ADS_NO_AUTHENTICATION = 0x10, 
  ADS_FAST_BIND = 0x20, 
  ADS_USE_SIGNING = 0x40, 
  ADS_USE_SEALING = 0x80, 
  ADS_USE_DELEGATION = 0x100, 
  ADS_SERVER_BIND = 0x200
} ADS_AUTHENTICATION_ENUM;

Values

ADS_SECURE_AUTHENTICATION
Requests secure authentication. When this flag is set, the WinNT provider uses NT LAN Manager (NTLM) to authenticate the client. Active Directory will use Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are NULL, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread represents.
ADS_USE_ENCRYPTION
Requires ADSI to use encryption for data exchange over the network.
ADS_USE_SSL
The channel is encrypted using Secure Sockets Layer (SSL). Active Directory requires that the Certificate Server be installed to support SSL.
ADS_READONLY_SERVER
A writeable domain controller is not required. For a Windows NT 4.0 network, ADSI will attempt to connect to either a primary domain controller (PDC) or a backup domain controller (BDC) because BDCs are read-only. On a Windows Server 2003 or Windows 2000 network, all servers are writable, so this flag has no affect.
ADS_PROMPT_CREDENTIALS
This flag is deprecated.
ADS_NO_AUTHENTICATION
Request no authentication. The providers may attempt to bind the client, as an anonymous user, to the target object. The WinNT provider does not support this flag. Active Directory establishes a connection between the client and the targeted object, but will not perform authentication. Setting this flag amounts to requesting an anonymous binding, which indicates all users as the security context.
ADS_FAST_BIND
When this flag is set, ADSI will not attempt to query the objectClass property and thus will only expose the base interfaces supported by all ADSI objects instead of the full object support. A user can use this option to increase the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI will not verify that any of the requested objects actually exist on the server. For more information, see Fast Binding Options for Batch Write/Modify Operations.
ADS_USE_SIGNING
Verifies data integrity. The ADS_SECURE_AUTHENTICATION flag must also be set also to use signing.
ADS_USE_SEALING
Encrypts data using Kerberos. The ADS_SECURE_AUTHENTICATION flag must also be set to use sealing.
ADS_USE_DELEGATION
Enables ADSI to delegate the user security context, which is necessary for moving objects across domains.
ADS_SERVER_BIND
Windows 2000 SP1 and later:  Specify this flag when using the LDAP provider if your ADsPath includes a server name. Do not use this flag for paths that include a domain name or for a serverless bind. If you specify a server name without also specifying this flag, unnecessary network traffic can result.

Remarks

The ADS_SECURE_AUTHENTICATION flag can be used in combination with other flags such as ADS_READONLY_SERVER, ADS_PROMPT_CREDENTIALS, ADS_FAST_BIND, and so on.

Serverless binding refers to a process in which a client attempts to bind to an Active Directory object without explicitly specifying an Active Directory server in the binding string. This is possible because the LDAP provider relies on the locator services of Windows® 2000 to find the best domain controller (DC) for the client. However, the client must have an account on the Active Directory domain controller in order to take advantage of the serverless binding feature, and the DC used by a serverless bind will always be located in the default domain; that is, the domain associated with the current security context of the thread that performs the binding.

Note  None of these options are supported by the NDS or NWCOMPAT system providers.

Because VBScript cannot read data from a type library, VBScript applications do not understand the symbolic constants as defined above. Use the numerical constants instead to set the appropriate flags in your VBScript applications. To use the symbolic constants as a good programming practice, make explicit declarations of such constants, as done here, in your VBScript application.

Example Code [Visual Basic]

The following code example shows how to use IADsOpenDSObject to open an object on fabrikam with secure authentication for the WinNT provider.

[Visual Basic]
Dim dso As IADsOpenDSObject
Dim domain As IADsDomain
 
Set dso = GetObject("WinNT:")
Set domain = dso.OpenDSObject("WinNT://Fabrikam", vbNullString, vbNullString, ADS_SECURE_AUTHENTICATION)

Example Code [C++]

The following code example shows how the ADS_SECURE_AUTHENTICATION flag is used with ADsOpenObject for validating the user bound as "JeffSmith". The user name can be of the UPN format: "JeffSmith@Fabrikam.com", as well as the distinguished name format: "CN=JeffSmith,DC=Fabrikam,DC=COM".

[C++]
IADs *pObject = NULL;
HRESULT hr;
hr = ADsOpenObject(_bstr_t("LDAP://CN=JeffSmith, DC=fabrikam, DC=com"),
				 NULL,
				 NULL,
				 ADS_SECURE_AUTHENTICATION, 
				 IID_IADs,
				 (void**) &pObject);
if (hr != S_OK)
	{} // Handle open object errors here.
else
	{} // Object was retrieved, continue processing here.

Requirements

Client: Included in Windows XP and Windows 2000 Professional.
Server: Included in Windows Server 2003 and Windows 2000 Server.
Redistributable: Requires Active Directory Client Extension on Windows NT 4.0 SP6a and Windows 95/98/Me.
Header: Declared in Iads.h.

See Also

ADSI Enumerations, ADSI System Providers, ADsOpenObject, IADsOpenDSObject, IADsAccessControlEntry