Non-Microsoft LDAP Browser Fails to Connect to AD LDS or ADAM with LDAP Error 49

Article ID: 2002471

Symptoms

When you try to connect to an Active Directory Lightweight Directory Services (AD LDS) or Active Directory Application Mode (ADAM) instance with a non-Microsoft LDAP tool using an administrative account, access is denied with LDAP Error 49.

Logon is performed using either Distinguished Name (DN) syntax of the form CN=UserName,OU=Users,DC=Contoso,DC=com or UPN syntax (for example, username@contoso.com).

Logon with the LDP tool (LDP.EXE) or ADSI Edit (AdsiEdit.msc) succeeds without error using the same user account and password.

Cause

This behavior can be by design. The logon fails because the account is a proxied user. AD LDS and ADAM have a capability called bind redirection. To use bind redirection, the AD LDS or ADAM server must be a member of an Active Directory domain. Domain logons are then proxied through the AD LDS/ADAM member server's secure channel to Active Directory, where the user is authenticated.

The non-Microsoft LDAP tool fails to authenticate the user because it cannot proxy the bind through to Active Directory when it connects to an AD LDS or ADAM instance.

Unlike many non-Microsoft LDAP tools, LDP and ADSI Edit are bind redirection capable.

Resolution

Administrative tools are a personal choice, and Microsoft understands that business needs and preferences differ. When working with AD LDS or ADAM LDAP directories and non-Microsoft LDAP tools, use user accounts that are local to the AD LDS or ADAM instance. For full administrative access to the AD LDS or ADAM instance, the local user must be a member of the Administrators role in the Configuration partition.
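As a pre-check for the resolution above, the following Python script (an added example written for this article, not Microsoft's code and not part of AD LDS) reads an LDIF export of the instance and reports which members of the Administrators role in the Configuration partition are local AD LDS users, which are proxy objects that require bind redirection, and which are Windows security principals. The LDIF text is constructed: the all-zero instance GUID, the DNs and the SID are placeholders. The objectClass names it checks (user, userProxy, userProxyFull, msDS-BindProxy, foreignSecurityPrincipal) are the standard AD LDS classes.

```python
"""Classify the members of an AD LDS Administrators role from an LDIF export.

Added example for this article; not Microsoft's code and not part of AD LDS.
The export format is what ldifde or an LDAP browser's export function writes.
The sample below is constructed: instance GUID, DNs and SID are placeholders.
"""
import base64

# Placeholder Configuration partition DN (real instances use their own GUID).
CONFIG_NC = "CN=Configuration,CN={00000000-0000-0000-0000-000000000000}"

# Constructed sample export: the role, one local user, one proxy object and
# one Windows security principal. A line starting with a space continues
# the previous line (LDIF folding).
SAMPLE_LDIF = f"""\
dn: CN=Administrators,CN=Roles,{CONFIG_NC}
objectClass: top
objectClass: group
member: CN=svc-ldapadmin,OU=Users,DC=Contoso,DC=com
member: CN=jdoe,OU=Users,DC=Contoso,DC=com
member: CN=S-1-5-21-1111111111-2222222222-3333333333-500,CN=ForeignSecurityPrincipals,{CONFIG_NC}

dn: CN=svc-ldapadmin,OU=Users,DC=Contoso,DC=com
objectClass: top
objectClass: user
msDS-UserAccountDisabled: FALSE

dn: CN=jdoe,OU=Users,DC=Contoso,DC=com
objectClass: top
objectClass: userProxy
description: proxy for the domain account jdoe@contoso.com; the password
  lives in Active Directory, not in this instance

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500,CN=ForeignSecurityPrincipals,{CONFIG_NC}
objectClass: top
objectClass: foreignSecurityPrincipal
"""

# Classes whose instances are proxy objects (bind is redirected to AD).
PROXY_CLASSES = {"userproxy", "userproxyfull", "msds-bindproxy"}


def parse_ldif(text):
    """Minimal LDIF parser: unfolds continuation lines, decodes 'attr:: base64'
    values to bytes and returns one {'dn': ..., 'attrs': {name: [values]}}
    per entry. Attribute names are lower-cased (LDAP compares them
    case-insensitively)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # drop exactly one leading space
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        name = name.lower()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def bind_kind(entry):
    """'local': AD LDS user with its own password, usable for a DN/password
    simple bind from any LDAP tool. 'proxied': proxy object, usable only from
    tools that support bind redirection (LDP, ADSI Edit). 'windows-principal':
    Windows account authenticated by Windows, no password in the instance.
    'other': not a bindable account."""
    classes = {str(c).lower() for c in entry["attrs"].get("objectclass", [])}
    if classes & PROXY_CLASSES:              # userProxyFull also lists 'user'
        return "proxied"
    if "foreignsecurityprincipal" in classes:
        return "windows-principal"
    if "user" in classes:
        return "local"
    return "other"


def admin_role_members(entries):
    """Map each member of the Configuration partition's Administrators role to
    its bind kind; 'unknown' when the member object is not in the export."""
    by_dn = {e["dn"].lower(): e for e in entries}
    roles = [e for e in entries
             if e["dn"].lower().startswith("cn=administrators,cn=roles,cn=configuration,")]
    if not roles:
        raise ValueError("Administrators role of the Configuration partition not in export")
    result = {}
    for member in roles[0]["attrs"].get("member", []):
        target = by_dn.get(str(member).lower())
        result[member] = bind_kind(target) if target else "unknown"
    return result


def accounts_for_non_redirecting_tools(entries):
    """DNs an administrator can bind with from a tool that lacks bind redirection."""
    return sorted(dn for dn, kind in admin_role_members(entries).items() if kind == "local")


if __name__ == "__main__":
    for dn, kind in admin_role_members(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{kind:18} {dn}")
```

Export the Configuration partition and the application partition that holds the accounts, then pass that text to parse_ldif in place of SAMPLE_LDIF. Only the accounts reported as local can bind with a DN and password from a tool without bind redirection; a proxied account returns LDAP error 49 from such a tool whichever logon syntax is used, which is the by-design case this article describes.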

More Information

For more information about bind redirection in Windows Server 2008 R2 and Windows Server 2008, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc794922(WS.10).aspx

For more information about bind redirection in Windows Server 2003 R2 and ADAM SP1, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc758386(WS.10).aspx

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2002471 - Last Review: October 2, 2009 - Revision: 7.0
APPLIES TO
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition KN
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Standard Edition KN
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Datacenter without Hyper-V
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Enterprise without Hyper-V
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Standard without Hyper-V
  • Windows Server 2008 Service Pack 2
  • Windows Server 2008 Standard
  • Windows Server 2008 Standard without Hyper-V
Keywords: KB2002471
