The ADS_AUTHENTICATION_ENUM enumeration specifies authentication options used in ADSI for binding to directory objects.


    typedef enum {
        ADS_SECURE_AUTHENTICATION   = 1,           //0x1
        ADS_USE_ENCRYPTION          = 2,           //0x2
        ADS_USE_SSL                 = 2,           //0x2 (same bit as ADS_USE_ENCRYPTION)
        ADS_READONLY_SERVER         = 4,           //0x4
        ADS_PROMPT_CREDENTIALS      = 8,           //0x8
        ADS_NO_AUTHENTICATION       = 16,          //0x10
        ADS_FAST_BIND               = 32,          //0x20
        ADS_USE_SIGNING             = 64,          //0x40
        ADS_USE_SEALING             = 128,         //0x80
        ADS_USE_DELEGATION          = 256,         //0x100
        ADS_SERVER_BIND             = 512,         //0x200
        ADS_NO_REFERRAL_CHASING     = 1024,        //0x400
        ADS_AUTH_RESERVED           = 2147483648,  //0x80000000
    } ADS_AUTHENTICATION_ENUM;


  • Flag: Description

  • ADS_SECURE_AUTHENTICATION: Requests secure authentication. Active Directory will use Kerberos, and possibly NT LAN Manager, to authenticate the client. When the user name and password are null, ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the script is running or of the client user account that the calling thread represents.

  • ADS_USE_ENCRYPTION: Requires ADSI to use encryption for data exchange over the network.

  • ADS_USE_SSL: The channel is encrypted using Secure Sockets Layer (SSL). Active Directory requires that the Certificate Server be installed to support SSL.

    If this flag is not combined with the ADS_SECURE_AUTHENTICATION flag and the supplied credentials are null, the bind will be performed anonymously. If this flag is combined with the ADS_SECURE_AUTHENTICATION flag and the supplied credentials are null, then the credentials of the calling thread are used.

  • ADS_READONLY_SERVER: A writable domain controller is not required. If your script only reads or queries data from Active Directory, you should use this flag to open the sessions. This allows the application to take advantage of Read-Only DCs (RODCs), which are present in Windows Server 2008 and later.

    On a Windows Server 2003 or Windows 2000 network, all servers are writable, so this flag has no effect.

    In Windows Server 2008, ADSI attempts to connect to either Read-Only DCs (RODCs) or writable DCs. This allows the use of an RODC for the access and enables the application to run in a branch or perimeter network (also known as DMZ, demilitarized zone, and screened subnet), without the need for direct connectivity with a writable DC.

  • ADS_PROMPT_CREDENTIALS: This flag is not supported.

  • ADS_NO_AUTHENTICATION: Requests no authentication. The providers may attempt to bind the client, as an anonymous user, to the target object. Active Directory establishes a connection between the client and the targeted object, but will not perform authentication. Setting this flag amounts to requesting an anonymous binding, which indicates all users as the security context.

  • ADS_FAST_BIND: When this flag is set, ADSI will not attempt to query the objectClass property and thus will only expose the base interfaces supported by all ADSI objects instead of the full object support. You can use this option to increase the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI will not verify that any of the requested objects actually exist on the server.

  • ADS_USE_SIGNING: Verifies data integrity. The ADS_SECURE_AUTHENTICATION flag must also be set to use signing.

  • ADS_USE_SEALING: Encrypts data using Kerberos. The ADS_SECURE_AUTHENTICATION flag must also be set to use sealing.

  • ADS_USE_DELEGATION: Enables ADSI to delegate the user security context, which is necessary for moving objects across domains.

  • ADS_SERVER_BIND: This flag is not supported.

  • ADS_NO_REFERRAL_CHASING: Specify this flag to turn referral chasing off for the life of the connection. However, even when this flag is specified, ADSI still allows the setting of referral chasing behavior for container enumeration when set using ADS_OPTION_REFERRALS in ADS_OPTION_ENUM (as documented in container enumeration with referral chasing in IADsObjectOptions::SetOption).

  • ADS_AUTH_RESERVED: Reserved


The ADS_SECURE_AUTHENTICATION flag can be used in combination with other flags such as ADS_READONLY_SERVER, ADS_PROMPT_CREDENTIALS, ADS_FAST_BIND, and so on.
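The flag rules above can be checked mechanically when reviewing scripts that pass a numeric flag value to a bind call. The following Python sketch is an added example, not code from this page or from ADSI: the flag values are copied from the enumeration above, while the function names `decode` and `audit`, the `has_credentials` parameter and the finding labels are assumptions made for illustration.

```python
from enum import IntFlag


class AdsAuth(IntFlag):
    """Flag values copied from the enumeration on this page."""
    ADS_SECURE_AUTHENTICATION = 0x1
    ADS_USE_ENCRYPTION = 0x2
    ADS_USE_SSL = 0x2  # alias: shares its bit with ADS_USE_ENCRYPTION
    ADS_READONLY_SERVER = 0x4
    ADS_PROMPT_CREDENTIALS = 0x8
    ADS_NO_AUTHENTICATION = 0x10
    ADS_FAST_BIND = 0x20
    ADS_USE_SIGNING = 0x40
    ADS_USE_SEALING = 0x80
    ADS_USE_DELEGATION = 0x100
    ADS_SERVER_BIND = 0x200
    ADS_NO_REFERRAL_CHASING = 0x400
    ADS_AUTH_RESERVED = 0x80000000


KNOWN_BITS = sum(int(m) for m in AdsAuth)  # aliases are skipped by iteration


def decode(flags: int) -> list[str]:
    """Names of the flags set in a numeric value (0x2 reports as ADS_USE_ENCRYPTION)."""
    return [m.name for m in AdsAuth if flags & m]


def audit(flags: int, has_credentials: bool) -> list[str]:
    """Report flag combinations that this page documents as weak or ineffective."""
    A = AdsAuth
    secure = bool(flags & A.ADS_SECURE_AUTHENTICATION)
    findings = []
    if flags & A.ADS_NO_AUTHENTICATION:
        findings.append("anonymous-bind: ADS_NO_AUTHENTICATION")
    if flags & A.ADS_USE_SSL and not secure and not has_credentials:
        findings.append("anonymous-bind: ADS_USE_SSL with null credentials")
    for dep in (A.ADS_USE_SIGNING, A.ADS_USE_SEALING):
        if flags & dep and not secure:
            findings.append(f"missing-dependency: {dep.name}")
    for dead in (A.ADS_PROMPT_CREDENTIALS, A.ADS_SERVER_BIND):
        if flags & dead:
            findings.append(f"unsupported: {dead.name}")
    if flags & A.ADS_FAST_BIND:
        findings.append("unverified-object: ADS_FAST_BIND")
    if flags & ~KNOWN_BITS:
        findings.append(f"unknown-bits: {flags & ~KNOWN_BITS:#x}")
    return findings
```

Because ADS_USE_ENCRYPTION and ADS_USE_SSL share the value 2, a numeric flag value cannot tell them apart, so the SSL anonymous-bind check fires for either name.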


Minimum required version: 2009.1
