2.2.2 LDAP Negotiated Authentication

When communicating with AD DS or AD LDS directory servers, an LDAP client implementing extension bundle A will request the GSS-SPNEGO SASL security mechanism in an LDAP Bind request, with requests for signing and encryption of subsequent communications on this connection. This mechanism is documented in [RFC4178]. AD DS supports Kerberos (see [MS-KILE] and RFC 1964 [RFC1964]) and NTLM (see [MS-NLMP]) when using GSS-SPNEGO.