SASL Authentication

The support of SASL bind in Active Directory is consistent with [RFC2251] section 4.2.1 and [RFC2829]. The following SASL mechanisms are supported by Active Directory. They are briefly described in "LDAP SASL Mechanisms", section

Active Directory supports the optional use of integrity verification or encryption that is negotiated as part of the SASL authentication. While Active Directory permits SASL binds to be performed on an SSL/TLS-protected connection, it does not permit the use of SASL-layer encryption/integrity verification mechanisms on such a connection. While this restriction is present in Active Directory on Windows 2000 Server operating system and later, versions prior to Windows Server 2008 operating system can fail to reject an LDAP bind that is requesting SASL-layer encryption/integrity verification mechanisms when that bind request is sent on a SSL/TLS-protected connection.

Once a SASL-layer encryption/integrity verification mechanism is in use on a connection, the client SHOULD not send an additional bind request on that connection (for example, to change the credentials with which the connection is authenticated), unless the LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID capability is present in the supportedCapabilities attribute of the rootDSE for that DC (see "LDAP Capabilities" in section If the client sends an additional bind to a DC on which that capability is not present, the DC returns the unwillingToPerform / ERROR_DS_INAPPROPRIATE_AUTH error.

Regarding [RFC2829] section 9: when using the EXTERNAL SASL mechanism, Active Directory supports the authzId field. However, it only supports the dnAuthzId form and not the uAuthzId form. Additionally, it does not permit an authorization identity to be established on the connection that is different from the authentication identity used on the connection. Violation of either of these rules causes the DC to return the invalidCredentials / <unrestricted> error.

Regarding [RFC2829] section 6.1: when using the DIGEST-MD5 mechanism:

  • On Windows 2000 operating system, Windows Server 2003 operating system, Windows Server 2003 R2 operating system, Windows Server 2008, and Windows Server 2008 R2 operating system, Active Directory does not support subsequent authentication, although the credentials field contains the string defined by "response-auth" in [RFC2831] section 2.1.3.

  • On Windows Server 2008 R2 operating system with Service Pack 1 (SP1) and Windows Server 2012 operating system and later, Active Directory also does not support subsequent authentication, but will respond to such requests with an initial authentication challenge (see [RFC2831] section 2.1.1).