3.1.1.3.4.2.4 LDAP_SERVER_WHO_AM_I_OID

The presence of this OID in the supportedExtension attribute indicates that the DC provides support for the "Who Am I?" LDAP extended operation described in [RFC4532]. Active Directory implements this operation in conformance with that RFC.

If the client is authenticated as a Windows security principal, the authzId returned in the response will contain the string "u:" followed by either (1) the NetBIOS domain name, followed by a backslash ("\"), followed by the sAMAccountName of the security principal, or (2) the SID of the security principal, in SDDL SID string format ([MS-DTYP] section 2.4.2.1). If the client is authenticated as an AD LDS security principal, the returned authzId will contain the string "dn:" followed by the DN of the security principal. If the client has not authenticated, the returned authzId will be the empty string.

Active Directory does not implement Proxied Authentication Control of [RFC4370], so section 4.1 of [RFC4532] is not applicable to Active Directory.