5.1.2.1 Using SASL

Active Directory supports the optional use of an LDAP message security layer that provides message integrity and/or confidentiality protection services that are negotiated as part of the SASL authentication. Support for such mechanisms and their implementation is dependent on the specific authentication protocol used (for example, Kerberos or Digest), and is documented in the SASL specification for each authentication protocol.

Once a SASL-negotiated security layer is in effect in the LDAP data stream, it remains in effect until either a subsequently negotiated security layer is installed or the underlying transport connection is closed. When in effect, the security layer processes protocol data into buffers of protected data as per [RFC2222].

While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer confidentiality/integrity protection mechanisms on such a connection. Active Directory can also be configured to require that SASL-layer integrity protection services be used on an LDAP connection (the way in which the configuration can be done is outside the scope of the state model and is implementation-dependent).

On Windows 2000 Server operating system and later, Active Directory treats a request for SASL-layer integrity protection and a request for SASL-layer confidentiality protection distinctly. Therefore, if a client does not request SASL-layer integrity protection, or requests SASL-layer confidentiality protection without requesting integrity protection, when sending a bind request to a DC that is configured to require SASL-layer integrity protection, the DC will reject such a bind and return the error strongAuthRequired / ERROR_DS_STRONG_AUTH_REQUIRED. On Windows Server 2008 operating system and later, Active Directory treats a request for SASL-layer confidentiality protection as also requesting SASL-layer integrity protection; therefore, a DC that is configured to require SASL-layer integrity protection will accept a bind from a client that requests SASL-layer confidentiality protection but does not explicitly request SASL-layer integrity protection. A DC configured to require SASL-layer integrity protection will accept a bind request from a client sent on an SSL/TLS-protected connection even if the client does not request SASL-layer integrity, because it accepts the SSL/TLS encryption in lieu of SASL-layer integrity.
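To make the accept/reject rules of this section concrete, the following is an added Python model of the DC-side decision for a SASL bind; it is an illustration written for this page, not Active Directory's or the specification's own code. The security-layer bitmask values are those of the SASL GSSAPI mechanism ([RFC2222] section 7.2.1, carried into RFC 4752); the BindContext fields and the result strings are constructed for this example.

```python
"""Model of the DC-side decision in section 5.1.2.1 for a SASL bind.

Constructed example, not Active Directory code.  The client's requested
security layer is expressed as the GSSAPI SASL bitmask from RFC 2222 /
RFC 4752: 1 = no security layer, 2 = integrity, 4 = confidentiality.
"""
from dataclasses import dataclass

SASL_NONE, SASL_INTEGRITY, SASL_CONFIDENTIALITY = 1, 2, 4
LDAP_STRONGER_AUTH_REQUIRED = 8  # LDAP resultCode strongerAuthRequired (RFC 4511)

# Result strings are constructed labels for the three outcomes the text describes.
ACCEPTED = "accepted"
REJECTED_STRONG_AUTH = "rejected: strongAuthRequired / ERROR_DS_STRONG_AUTH_REQUIRED"
REJECTED_LAYER_ON_TLS = "rejected: SASL security layer not permitted on SSL/TLS connection"


@dataclass
class BindContext:
    dc_requires_integrity: bool  # DC configured to require SASL-layer integrity
    dc_is_2008_or_later: bool    # confidentiality implies integrity on 2008+
    over_tls: bool               # bind sent on an SSL/TLS-protected connection
    client_layers: int           # bitmask of security layers the client requested


def evaluate_sasl_bind(ctx: BindContext) -> str:
    """Apply the section's rules in order and return the outcome label."""
    wants_integrity = bool(ctx.client_layers & SASL_INTEGRITY)
    wants_confidentiality = bool(ctx.client_layers & SASL_CONFIDENTIALITY)

    # SASL-layer integrity/confidentiality is never allowed on top of SSL/TLS.
    if ctx.over_tls and (wants_integrity or wants_confidentiality):
        return REJECTED_LAYER_ON_TLS
    # No integrity requirement configured: any bind is accepted here.
    if not ctx.dc_requires_integrity:
        return ACCEPTED
    # TLS encryption is accepted in lieu of SASL-layer integrity.
    if ctx.over_tls:
        return ACCEPTED
    # An explicit integrity request satisfies the requirement on all versions.
    if wants_integrity:
        return ACCEPTED
    # Windows Server 2008+ treats a confidentiality request as implying integrity;
    # Windows 2000 Server treats the two distinctly and rejects the bind.
    if wants_confidentiality and ctx.dc_is_2008_or_later:
        return ACCEPTED
    return REJECTED_STRONG_AUTH
```

The interesting case to step through is a client that asks for confidentiality only (`SASL_CONFIDENTIALITY`) against a DC requiring integrity: it is rejected on Windows 2000 Server but accepted on Windows Server 2008 and later.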