5.1.1.1 Supported Authentication Methods

[RFC2251] section 4.2 defines an AuthenticationChoice structure for a BindRequest that contains two alternatives: simple and SASL. [RFC1777] section 4.1 defines an authentication structure for a BindRequest that contains three alternatives: simple, krbv42LDAP, and krbv42DSA. Active Directory supports only simple and SASL authentication mechanisms. The former is for LDAP simple binds, while the latter is for LDAP SASL binds (as documented in [RFC2829]). In addition, Active Directory supports a third mechanism named "Sicily" that is primarily intended for compatibility with legacy systems. Sicily support adds three choices to the AuthenticationChoice structure, resulting in the following.

 AuthenticationChoice ::= CHOICE {
     simple                 [0]    OCTET STRING,
     sasl                   [3]    SaslCredentials
     sicilyPackageDiscovery [9]    OCTET STRING
     sicilyNegotiate        [10]   OCTET STRING
     sicilyResponse         [11]   OCTET STRING  }

The relationship of the three authentication mechanisms, and the authentication protocols supported by each, is summarized in the following tables.

Authentication Mechanism: Simple

For the simple authentication mechanism, authentication is described entirely by the mechanism; no additional authentication protocols are used.

Authentication Mechanism: SASL

Authentication protocols

Comments

GSS-SPNEGO

GSS-SPNEGO, in turn, uses Kerberos or NTLM as the underlying authentication protocol.

GSSAPI

GSSAPI, in turn, always uses Kerberos as the underlying authentication protocol.

EXTERNAL

-

DIGEST-MD5

-

Authentication Mechanism: Sicily

Authentication protocols

Comments

NTLM

-

Each of the three authentication mechanisms supported by Active Directory is discussed in more detail in the following sections.