Can you check the setting on the Windows LDAP client for the security option
Network security: LDAP client signing requirements
to see if it is set to none? As I understand things, after Windows Server
2003 changed to disallowing anonymous binds except to RootDSE the
LDAP calls (via wldap32.dll) were enhanced to always use signing
(unless within SSL/TLS). This may be what you are seeing, the result
that negotiation has elected NTLM for the signing.
Search on "Network security: ldap" in
http://support.microsoft.com/kb/823659
You may find the following quote from July 05 "Windows Server 2003 Security"
paper from MS (EESecurity.doc) of interest. It is from a raw list of
enhancements in
http://g.msn.com/9SE/1?http://downlo...=1&CS=AWP&SR=1
<quote>
Modified LDAP Signing.
Affects the wldap32.dll LDAP bind initialization sequence so that signing is
requested even if the client doesn't ask for it. This doesn't kick in if
TLS\SSL is used.
</quote>
"Al Norman" <(E-Mail Removed)> wrote in message
news:Om%(E-Mail Removed)...
> We are using an LDAP server (external) to query for certificates and CRLs.
> We access this store using CertOpenStore(). In the past, this has worked
> with no problems. Under Windows Server 2003 SP1 it no longer works. I ran
> NetMon, and found that the CertOpenStore is now attempting to issue an
> ldap_bind to the LDAP server, using NTLM. Since this external server knows
> nothing about us, it won't work. Using ldp.exe or the Softerra LDAP
> browser, we CAN successfully browse the external LDAP store, since they
> issue an ldap_bind with no authorization.
>
> Is there a way in W2K3 to turn off this 'feature'? I have been
> investigating group policy settings, but have not found anything (ldap
> related) that appears to have any effect on this problem.
>
> Help ... we're trying to build a production server for deployment, and
> need to get this issue resolved ASAP.
>
> thanks in advance
>
> Al Norman
> xwave
>
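The reply above asks for the current value of the "Network security: LDAP client signing requirements" policy. The following PowerShell is an added example, not code from either poster: it reads that policy's backing registry value (REG_DWORD `LDAPClientIntegrity` under `HKLM\SYSTEM\CurrentControlSet\Services\LDAP`, where 0 = None, 1 = Negotiate signing, 2 = Require signing) and reports what it means. The function name `Get-LdapClientSigningRequirement` and the label table are my own; the treatment of a missing value as the documented default of Negotiate signing is an assumption drawn from the policy's documentation rather than from the thread.

```powershell
# Added example (not part of the original thread): report the local machine's
# "Network security: LDAP client signing requirements" setting.
# The Security Options policy is stored as a REG_DWORD named LDAPClientIntegrity:
#   0 = None, 1 = Negotiate signing, 2 = Require signing
$LdapKeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$LdapValue    = 'LDAPClientIntegrity'

# Constructed label table for the three documented values.
$SigningLabels = @{
    0 = 'None'
    1 = 'Negotiate signing'
    2 = 'Require signing'
}

function Get-LdapClientSigningRequirement {
    # Hypothetical helper name; returns an object with the raw value and its meaning.
    $item = Get-ItemProperty -Path $LdapKeyPath -Name $LdapValue -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Assumption: when the value is absent, Windows applies its default of Negotiate signing.
        return [pscustomobject]@{
            Value   = $null
            Setting = 'Not configured (default: Negotiate signing)'
        }
    }

    $raw   = [int]$item.$LdapValue
    $label = if ($SigningLabels.ContainsKey($raw)) { $SigningLabels[$raw] } else { "Unknown ($raw)" }

    [pscustomobject]@{
        Value   = $raw
        Setting = $label
    }
}

$result = Get-LdapClientSigningRequirement
$result | Format-List

# Signing protects bind traffic from tampering; a value of 0 removes that protection
# for every LDAP client on the host, so flag it rather than silently accept it.
if ($result.Value -eq 0) {
    Write-Warning 'LDAP client signing requirement is None: unsigned LDAP traffic can be modified in transit.'
}
```

Run it in an elevated PowerShell session on the Windows Server 2003 SP1 machine in question. If the value is already 0 and the NTLM bind still appears in the capture, the registry setting is not what is driving the behaviour, which would point back toward the wldap32.dll change quoted in the reply rather than toward this policy.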