Cannot get LDAP to bind to Windows 2008 domain controller on Windows 2003 domain/forest.

llf51
We are a single domain controller environment (testing purposes).

Recently did an upgrade from Windows 2000 domain controller / forest to Windows 2008.
My path was Windows 2000 Advanced Server SP4 -> Windows 2003 Enterprise SP2 -> Windows 2008 Enterprise 32-bit SP2.

Forest and domain are set to Windows 2003 functional level. We have a Windows 2003 Exchange server, so kept everything at 2003.

Problem I have is anonymous binding to LDAP. I know anonymous binding has been disabled by default when going from a 2000 domain to a 2003 domain. I have provisioned what I think are the necessary steps to enable anonymous authentication.

I am able to connect to LDAP but cannot bind using anonymous.

I am able to bind to LDAP if I use the domain\administrator account.

I have checked my dsHeuristics under ADSI Edit and ensured that I have 0000002, as well as double-checked the ANONYMOUS LOGON account in the security tab for the domain and ensured that it has Read rights and List Contents rights.

I tried using ldp.exe as well as the SourceForge tool LDAP Admin.

The ldp.exe tool gives me this error:

-----------
res = ldap_simple_bind_s(ld, '', <unavailable>); // v.3
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'.
-----------
Expanding base 'DC=mydomain,DC=com'...
ldap_get_next_page_s failed: 1

Server error: 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772
Error 0x4DC The operation being requested was not performed because the user has not been authenticated.

Result <1>: 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772
Getting 0 entries:
-----------


The ldapadmin tool gives me this error:

LDAP error!  Operations Error: 000004DC: LdapErr: DSID00C0906DD, comment: In order to perfrom this operation a successful bind must be completed on the connection., data 0, v1772

I need the anonymous bind to test out some of our apps.
Have you added "ANONYMOUS LOGON" to the security of your AD structure??

http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm
Scroll down to "Granting anonymous read access"

Author

Commented:
I have already checked my domain (Active Directory Users and Computers -> domain) security tab and ensured that ANONYMOUS LOGON has the following permissions allowed: List Contents, Read All Properties, Read Permissions.
Commented:
I resolved the problem. The fix was pretty stupid.

Disable anonymous authentication using ADSI Edit. Change the Directory Service dsHeuristics from 0000002 to 0000000.

Reboot

Then re-enable the anonymous authentication by setting it back to 0000002.
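The flag the thread toggles lives in the seventh character of the dsHeuristics attribute; this added example (not from the thread or from any Microsoft tool) computes and audits that value offline, so a defender can check whether a DC has anonymous LDAP operations switched on before looking at ACLs. The string positions follow the documented dsHeuristics layout; everything else is my own helper code.

```python
# Audit / compute the dsHeuristics value that controls anonymous LDAP operations on an AD DC.
# Added example, stdlib only. Input strings are whatever was read from
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... (e.g. via ADSI Edit).

ANON_LDAP_POS = 7  # 1-based position of the "anonymous LDAP operations" character ('2' = allowed)


def anonymous_ldap_enabled(ds_heuristics: str) -> bool:
    """True when the 7th character of dsHeuristics is '2'.

    An absent attribute, an empty string, or a string shorter than 7 characters
    all mean the default on a 2003-level forest: anonymous operations other than
    rootDSE reads are refused (the 000004DC "bind must be completed" error seen above).
    """
    s = (ds_heuristics or "").strip()
    return len(s) >= ANON_LDAP_POS and s[ANON_LDAP_POS - 1] == "2"


def set_anonymous_ldap(ds_heuristics: str, enable: bool) -> str:
    """Return a dsHeuristics string with the 7th character set to '2' (enable) or '0' (disable).

    Other flag characters are left intact; a short or empty attribute is padded with '0'.
    dsHeuristics also requires fixed check digits: character 10 must be '1', character 20
    must be '2', and so on, so those are re-asserted for every tenth position present.
    """
    chars = list((ds_heuristics or "").strip())
    while len(chars) < ANON_LDAP_POS:
        chars.append("0")
    chars[ANON_LDAP_POS - 1] = "2" if enable else "0"
    for pos in range(10, len(chars) + 1, 10):
        chars[pos - 1] = str(pos // 10)
    return "".join(chars)


def audit(ds_heuristics: str) -> str:
    """One-line finding for a report: anonymous LDAP reads exposed or not."""
    if anonymous_ldap_enabled(ds_heuristics):
        return "anonymous LDAP operations ENABLED (dsHeuristics char 7 = '2'); review ANONYMOUS LOGON ACLs"
    return "anonymous LDAP operations disabled (default)"


if __name__ == "__main__":
    # Constructed sample values matching the ones discussed in the thread.
    for value in ("", "0000000", "0000002"):
        print(repr(value), "->", audit(value))
    print(set_anonymous_ldap("0000000", True))   # 0000002
```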

Author

Commented:
Easy solution.
