Allowing anonymous bind
In order for Verify Identity Access to be configured with Active Directory Lightweight Directory Service (AD LDS), AD LDS must be configured to allow anonymous bind.
About this task
By default, AD LDS does not allow anonymous bind. Verify Identity Access configuration, however, uses anonymous bind to check on the validity of the configured LDAP host name, port, and SSL parameters.
If you want to disable anonymous bind during normal operation, you can reset the option on the AD LDS server after configuration is complete.
Procedure
- Start the ADSI Edit program Adsiedit.msc.
- On the Action menu, click Connect To.
- In the Connection name field, you can type a label under which this connection appears in the console tree of AD LDS ADSI Edit. For this connection, type: Configuration.
- Under Connection Point, select well known Naming Context and choose Configuration from the list.
- Under Computer, enter the server name and port for the AD LDS instance in the Select or type a domain or server section. If the AD LDS instance is on the local system, you can use localhost as the server name.
- Click OK. The term Configuration must now appear in the console tree.
- Expand the Configuration subtree by double-clicking Configuration.
- Double-click CN=Configuration,CN=GUID, where GUID was generated when the configuration of the AD LDS instance was performed.
- Double-click the CN=Services folder to expand it, and then double-click CN=Windows NT.
- Highlight and right-click CN=Directory Service and click Properties.
- Click dsHeuristics.
- Click Edit.
- Edit the value. Modify the seventh character (counting from the left) to 2. The value must be similar to 0000002001001 in the String Attribute Editor.
- Click OK.
- Click OK. Anonymous bind is now allowed.
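The seventh-character edit above is easy to get wrong by hand when the existing dsHeuristics value is empty, short, or already carries other settings. The following is an added example, not part of the IBM documentation or product, that computes the new value from the current one and checks it before you paste it into the String Attribute Editor; it assumes the usual dsHeuristics rule that the 10th, 20th, ... characters hold their position digit, and that '0' in position seven is the AD LDS default that blocks anonymous bind (so the same function restores the default after configuration is complete).

```python
# Added example (not from the IBM page): derive and check the dsHeuristics value
# needed to allow or block anonymous bind on an AD LDS instance.
# Assumptions: every 10th character must equal the digit of its position
# (10 -> '1', 20 -> '2', ...), and '0' at position 7 is the default (blocked).
ANON_BIND_POS = 7          # seventh character, counting from the left (1-based)
ALLOW_ANON = "2"
BLOCK_ANON = "0"           # AD LDS default: anonymous bind not allowed


def is_well_formed(value: str) -> bool:
    """True if every 10th character carries the digit of its position."""
    for pos in range(10, len(value) + 1, 10):
        if value[pos - 1] != str((pos // 10) % 10):
            return False
    return True


def set_anonymous_bind(current: str, allow: bool) -> str:
    """Return dsHeuristics with character 7 set to '2' (allow) or '0' (block).

    All other positions are preserved so unrelated settings are not clobbered.
    A value shorter than seven characters (including an empty one) is padded
    with zeros, which is how the attribute treats missing trailing positions.
    """
    if not is_well_formed(current):
        raise ValueError(f"current dsHeuristics value is malformed: {current!r}")
    chars = list(current.ljust(ANON_BIND_POS, "0"))
    chars[ANON_BIND_POS - 1] = ALLOW_ANON if allow else BLOCK_ANON
    new_value = "".join(chars)
    assert is_well_formed(new_value)  # padding never reaches position 10
    return new_value


def anonymous_bind_allowed(value: str) -> bool:
    """Check a value read from CN=Directory Service without editing it."""
    return len(value) >= ANON_BIND_POS and value[ANON_BIND_POS - 1] == ALLOW_ANON


if __name__ == "__main__":
    # Constructed sample value, as it might be read before the change
    before = "0000000001001"
    after = set_anonymous_bind(before, allow=True)
    print(before, "->", after)                              # 0000002001001
    print("reset:", set_anonymous_bind(after, allow=False))  # 0000000001001
```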