Ldap connection fails if pwdssp.dll is removed from registry

Girish Hebballi 1 Reputation point
2020-10-14T23:47:14.297+00:00

When I try to do an LDAP search I get the error below. The connection to LDAP works fine, but the LDAP search fails.

LDAP: error code 1 - 000004DC: LdapErr: DSID-00000000, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580

This happens only when pwdssp.dll is removed from SYSTEM\CurrentControlSet\Control\SecurityProviders and only credssp.dll is retained.

I would really appreciate it if someone could explain what is going on.

Does the Active Directory (LDAP) server want the LDAP client to use a SASL bind?

Or can I use a simple bind, but need to set some other parameters?

Thanks

Girish


2 answers

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-10-15T02:03:08.557+00:00

    Hi,
    Based on my research, pwdssp.dll is necessary for the simple LDAP search; just add the registry entry back.
    Similar cases for your reference:
    https://social.technet.microsoft.com/Forums/lync/en-US/40755056-45c8-480f-9337-fbe2f18c8c15/ldap-simple-bind-failing?forum=winserverDS

    https://hi.service-now.com/kb_view.do?sysparm_article=KB0754219
    (Please note: The given technical support contact information belongs to a third party and may vary without notice. Microsoft does not guarantee the information accuracy.)

    Best Regards,


  2. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-10-16T06:36:48.077+00:00

    Hi,
    Based on my research, if pwdssp.dll is removed, all simple binds are treated as "NT Authority\Anonymous Logon" binds.
    Anonymous LDAP operations to Active Directory are disabled by default. Not sure if you want to change it.
    Following article for your reference:
    https://support.microsoft.com/en-us/help/326690/anonymous-ldap-operations-to-active-directory-are-disabled-on-windows

    Or you can consider a SASL bind (https://ldap.com/the-ldap-bind-operation/).
    Please note: The given technical support contact information belongs to a third party and may vary without notice. Microsoft does not guarantee the information accuracy.

    Best Regards,

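A diagnostic for the situation described in the two answers above, added here as an example and not taken from the thread or from Microsoft: it checks whether pwdssp.dll is still listed in the SecurityProviders registry value, then performs an LDAP simple bind and uses the LDAP "Who Am I" extended operation (OID 1.3.6.1.4.1.4203.1.11.3, which Active Directory supports) to show whether the server treats that bind as authenticated or as an anonymous logon. The server name, the bind DN and the value name `SecurityProviders` are assumptions/placeholders; run it from a domain-joined machine that can reach the DC on port 389.

```powershell
# Added example, not part of the original thread. Placeholders: $Server, $BindDn.
param(
    [string]$Server = 'dc01.example.test',                          # placeholder DC
    [string]$BindDn = 'CN=svc-ldap,OU=Service,DC=example,DC=test'  # placeholder account
)

# 1. Registry check: SecurityProviders is assumed to be a comma-separated list of DLLs,
#    e.g. "credssp.dll, pwdssp.dll". The thread reports simple binds break when only
#    credssp.dll is left.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$providers = (Get-ItemProperty -Path $regPath -Name SecurityProviders).SecurityProviders
$list      = $providers -split ',' | ForEach-Object { $_.Trim() }
if ($list -notcontains 'pwdssp.dll') {
    Write-Warning "pwdssp.dll missing from SecurityProviders ('$providers'); simple binds will be treated as anonymous."
} else {
    Write-Host "pwdssp.dll is registered: $providers"
}

# 2. Simple bind, then "Who Am I". An authenticated bind returns something like
#    'u:DOMAIN\user'; a bind the DC treats as anonymous returns an empty value, which is
#    why subsequent searches fail with 000004DC (a successful bind must be completed).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -Message "Password for $BindDn" -UserName $BindDn
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # LDAP simple bind
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $cred.Password)
try {
    $conn.Bind()
    $whoami = New-Object System.DirectoryServices.Protocols.ExtendedRequest('1.3.6.1.4.1.4203.1.11.3')
    $resp   = $conn.SendRequest($whoami)
    if ($null -eq $resp.ResponseValue -or $resp.ResponseValue.Length -eq 0) {
        Write-Warning 'Bind succeeded, but the DC sees this connection as anonymous; searches will fail with 000004DC.'
    } else {
        $identity = [System.Text.Encoding]::UTF8.GetString($resp.ResponseValue)
        Write-Host "Bind is authenticated as: $identity"
    }
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    Write-Warning "LDAP operation failed: $($_.Exception.Response.ErrorMessage)"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning "LDAP bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

If the registry check passes but "Who Am I" still comes back empty, the problem is not the missing provider but the credentials or the bind type, which is the point at which a SASL bind is worth testing instead.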
