
Non-Microsoft LDAP Browser Fails to Connect to AD LDS or ADAM with LDAP Error 49



Symptoms

When you try to connect to an Active Directory Lightweight Directory Services (AD LDS) or Active Directory Application Mode (ADAM) instance with a non-Microsoft LDAP tool using an administrative account, access is denied with LDAP Error 49.

Logon is performed using either Distinguished Name (DN) syntax of the form CN=UserName,OU=Users,DC=Contoso,DC=com or UPN syntax (for example, username@contoso.com).

Logon with the LDP tool (LDP.EXE) or ADSI Edit (AdsiEdit.msc) succeeds without error using the same user account and password.



Cause

This may happen by design under certain circumstances. The logon fails for a proxied user. AD LDS and ADAM have a capability called bind redirection. To use bind redirection, the AD LDS or ADAM server must be a member of an Active Directory domain. Domain logons are proxied through the AD LDS/ADAM member server's secure channel to Active Directory, where the user is authenticated.

The LDAP tool fails to authenticate the user as it cannot proxy through to Active Directory when connecting to an AD LDS or ADAM instance.

Unlike many non-Microsoft LDAP tools, LDP and ADSI Edit are bind redirection capable.



Resolution

Administrative tools are a personal choice and Microsoft understands that business needs and preferences differ. When working with AD LDS or ADAM LDAP directories and non-Microsoft LDAP tools, leverage user accounts that are local to the AD LDS or ADAM server. For full administrative access to the AD LDS or ADAM instance, the local user must be a member of the Administrators role in the Configuration partition.
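The following is an added example, not part of the original Microsoft article: it performs the same LDAP simple bind a non-Microsoft tool would use, with a user stored in the AD LDS instance, and then checks whether that user is a direct member of the Administrators role in the Configuration partition. The host name, port, and user DN are placeholders, the role is assumed to be at CN=Administrators,CN=Roles under the Configuration partition, and the instance is assumed to accept LDAPS connections.

```powershell
# Added example; host, port and DN values are placeholders. Requires PowerShell 5 or later.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server = 'adlds01.contoso.com'                       # placeholder AD LDS/ADAM host
$Port   = 636                                         # placeholder LDAPS port of the instance
$UserDn = 'CN=LdsAdmin,CN=Users,DC=Contoso,DC=com'    # placeholder user stored in the instance

$password = Read-Host -AsSecureString -Prompt "Password for $UserDn"
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # LDAP simple bind
$conn.Credential = [System.Net.NetworkCredential]::new($UserDn, $password)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true   # simple bind sends the password; keep it inside TLS

try {
    $conn.Bind()
} catch {
    $ex = $_.Exception.GetBaseException()
    if ($ex -is [System.DirectoryServices.Protocols.LdapException] -and $ex.ErrorCode -eq 49) {
        Write-Warning 'LDAP error 49 (invalid credentials): the instance rejected the bind.'
    }
    throw
}

# Read one attribute from a single entry (base-scope search) and return its values as strings.
function Get-LdapValues([string]$Dn, [string]$Attribute) {
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req   = [System.DirectoryServices.Protocols.SearchRequest]::new(
                 $Dn, '(objectClass=*)', $scope, [string[]]@($Attribute))
    $resp  = $conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) { return @() }
    $attr  = $resp.Entries[0].Attributes[$Attribute]
    if ($null -eq $attr) { return @() }
    return $attr.GetValues([string])
}

# The RootDSE (empty DN) names the Configuration partition of this instance.
$configNc = Get-LdapValues '' 'configurationNamingContext' | Select-Object -First 1
$roleDn   = "CN=Administrators,CN=Roles,$configNc"
$members  = @(Get-LdapValues $roleDn 'member')

if ($members -contains $UserDn) {
    "Bind succeeded; $UserDn is a direct member of $roleDn."
} else {
    "Bind succeeded, but $UserDn is not a direct member of $roleDn."
}
$conn.Dispose()
```

The membership test compares DN strings exactly as typed (ignoring case) and does not follow nested groups, so a user who holds the role through another group is reported as not a direct member.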



More information

For more information about bind redirection in Windows Server 2008 R2 and Windows Server 2008, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc794922(WS.10).aspx

For more information about bind redirection in Windows Server 2003 R2 and ADAM SP1, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc758386(WS.10).aspx



Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.



Keywords: KB2002471


Article Info
Article ID : 2002471
Revision : 7
Created on : 10/2/2009
Published on : 10/2/2009
Exists online : False