Article ID: 2002471
When you try to connect to an Active Directory Lightweight Directory Services (AD LDS) or Active Directory Application Mode (ADAM) instance with a non-Microsoft LDAP tool using an administrative account, access is denied with LDAP Error 49.
Logon is performed using either Distinguished Name (DN) syntax of the form CN=UserName,OU=Users,DC=Contoso,DC=com or UPN syntax (for example, email@example.com).
Logon with the LDP tool (LDP.EXE) or ADSI Edit (AdsiEdit.msc) succeeds without error using the same user account and password.
This may happen by design under certain circumstances. The logon fails for a proxied user. AD LDS and ADAM have a capability called bind redirection. To use bind redirection, the AD LDS or ADAM server must be a member of an Active Directory domain. Domain logons are proxied through the AD LDS/ADAM member server's secure channel to Active Directory, where the user is authenticated.
The LDAP tool fails to authenticate the user as it cannot proxy through to Active Directory when connecting to an AD LDS or ADAM instance.
Unlike many non-Microsoft LDAP tools, LDP and ADSI Edit are bind redirection capable.
Administrative tools are a personal choice and Microsoft understands that business needs and preferences differ. When working with AD LDS or ADAM LDAP directories and non-Microsoft LDAP tools, use user accounts that are local to the AD LDS or ADAM server. For full administrative access to the AD LDS or ADAM instance, the local user must be a member of the Administrators role in the Configuration partition.
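One way to verify the workaround above, as an added example that is not part of the original article: it performs an LDAP simple bind over LDAPS with an account local to the AD LDS instance, then checks that account's direct membership in the Administrators role of the Configuration partition. The server name, port and user DN are placeholders; the role is assumed to be at its standard location, CN=Administrators,CN=Roles under the configuration naming context.

```powershell
# Added example. $server and $userDn are placeholders, not values from the article.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'adlds01.contoso.com:50001'               # hypothetical AD LDS LDAPS endpoint
$userDn = 'CN=LdsAdmin,OU=Users,DC=Contoso,DC=com'  # hypothetical user local to AD LDS
$secret = Read-Host -AsSecureString "Password for $userDn"

# Base-scope read of one attribute; returns its string values (nothing if absent).
function Get-LdapAttribute($Connection, $Dn, $Attribute) {
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $Dn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@($Attribute))
    $attr = $Connection.SendRequest($req).Entries[0].Attributes[$Attribute]
    if ($null -ne $attr) { $attr.GetValues([string]) }
}

$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($server)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic  # LDAP simple bind
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true  # simple bind carries the password; require TLS

try {
    $conn.Bind([System.Net.NetworkCredential]::new($userDn, $secret))
} catch {
    # PowerShell may wrap the .NET exception, so walk down to the LdapException.
    $e = $_.Exception
    while ($e -and $e -isnot [System.DirectoryServices.Protocols.LdapException]) {
        $e = $e.InnerException
    }
    if ($e -and $e.ErrorCode -eq 49) {
        Write-Warning "LDAP error 49 for $userDn. If this is a proxied (bind redirection) user, bind with an account local to the instance instead."
    }
    throw
}

# The empty DN addresses the RootDSE, which names the Configuration partition.
$configNc = Get-LdapAttribute $conn '' 'configurationNamingContext' | Select-Object -First 1
$roleDn   = "CN=Administrators,CN=Roles,$configNc"
$members  = @(Get-LdapAttribute $conn $roleDn 'member')

# String comparison of DNs (case-insensitive); nested group membership is not resolved.
if ($members -contains $userDn) {
    Write-Output "$userDn is a direct member of $roleDn"
} else {
    Write-Warning "$userDn bound successfully but is not a direct member of $roleDn"
}
$conn.Dispose()
```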
For more information about bind redirection in Windows Server 2008 R2 and Windows Server 2008, visit the following Microsoft Web site:
For more information about bind redirection in Windows Server 2003 R2 and ADAM SP1, visit the following Microsoft Web site:
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
Article ID: 2002471 - Last Review: October 2, 2009 - Revision: 7.0