Writing the Assigned Policy Data

The administrative plug-in MUST connect to the domain controller as specified in sections and To write the new IPsec policy, the administrative plug-in MUST perform the LDAP operation specified in [MS-ADTS] section, "Performing an LDAP Operation on an ADConnection". The TaskInputADConnection value MUST be the ADCONNECTION_HANDLE object ([MS-DTYP] section 2.2.2, "ADCONNECTION_HANDLE") stored in ADConnectionHandle. The TaskInputRequestMessage MUST contain an LDAP AddRequest message ([RFC2251] section 4.7) with the following parameters (the two fields of an AddRequest, entry and attributes):

entry:

The value for this parameter MUST be CN=<ObjectPath>,CN=IP Security,CN=System,<DN for the root of the domain>, where ObjectPath is ipsecfilter{Guid} (section, ipsecISAKMPPolicy{Guid} (section, ipsecNegotiationPolicy{Guid} (section, IPsecNFA{Guid} (section, or IpsecPolicy{Guid} (section

attributes:

This field MUST specify the following attributes (sections,,,, and

For all objects ipsecfilter{Guid}, ipsecISAKMPPolicy{Guid}, ipsecNegotiationPolicy{Guid}, IPsecNFA{Guid}, IpsecPolicy{Guid}:

  • objectClass

  • ipsecName

  • ipsecID

  • distinguishedName

  • description

  • ipsecData

  • ipsecDataType

For ipsecISAKMPPolicy{Guid}:

  • ipsecOwnersReference

For ipsecfilter{Guid}:

  • ipsecOwnersReference

For ipsecNegotiationPolicy{Guid}:

  • ipsecOwnersReference

  • ipsecNegotiationPolicyAction

  • ipsecNegotiationPolicyType

For IPsecNFA{Guid}:

  • ipsecOwnersReference

The administrative plug-in waits for a response. If the TaskReturnStatus does not signal success (0), then the administrative plug-in MUST log an error, and then unbind as specified in section

Note: When writing the new IPsec policy is complete, terminate the BindRequest as specified in section
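The following is an added example, not code from [MS-GPIPSEC] or from any Microsoft component. It models the AddRequest that this section describes: it builds the entry DN from the ObjectPath and the domain root DN, refuses to emit a request whose attribute list lacks one of the attributes required for that object type, and applies the response rule (TaskReturnStatus 0 is success; anything else is logged and followed by an unbind). The helper names, the GUID text format inside the braces, and the sample values in the usage block are assumptions; the object-type spellings and attribute names are taken from the text above.

```python
# Added example (not [MS-GPIPSEC] code): assemble and validate the LDAP
# AddRequest parameters for an IPsec policy object, then apply the
# response-handling rule. Helper names and the GUID rendering are assumptions.
import logging
import uuid

log = logging.getLogger("ipsec-policy-writer")

# Attributes required for every IPsec policy object type (from the page).
COMMON_ATTRIBUTES = frozenset({
    "objectClass", "ipsecName", "ipsecID", "distinguishedName",
    "description", "ipsecData", "ipsecDataType",
})

# Additional attributes required per object type (from the page).
# Keys are the ObjectPath prefixes, spelled as the page spells them.
EXTRA_ATTRIBUTES = {
    "ipsecfilter": frozenset({"ipsecOwnersReference"}),
    "ipsecISAKMPPolicy": frozenset({"ipsecOwnersReference"}),
    "ipsecNegotiationPolicy": frozenset({
        "ipsecOwnersReference",
        "ipsecNegotiationPolicyAction",
        "ipsecNegotiationPolicyType",
    }),
    "IPsecNFA": frozenset({"ipsecOwnersReference"}),
    "IpsecPolicy": frozenset(),
}


def required_attributes(object_type):
    """Return every attribute name an AddRequest for this object type must carry."""
    if object_type not in EXTRA_ATTRIBUTES:
        raise ValueError(f"unknown IPsec policy object type: {object_type!r}")
    return COMMON_ATTRIBUTES | EXTRA_ATTRIBUTES[object_type]


def ipsec_object_dn(object_type, guid, domain_root_dn):
    """Build CN=<ObjectPath>,CN=IP Security,CN=System,<domain root DN>.

    Rendering the GUID as hyphenated lowercase hex inside braces is an
    assumption; uuid.UUID also rejects malformed GUID text early.
    """
    object_path = f"{object_type}{{{uuid.UUID(str(guid))}}}"
    return f"CN={object_path},CN=IP Security,CN=System,{domain_root_dn}"


def build_add_request(object_type, guid, domain_root_dn, attributes):
    """Return the AddRequest fields {"entry": DN, "attributes": {...}}.

    Raises ValueError rather than emitting a request that omits an attribute
    the specification marks as required for this object type.
    """
    missing = required_attributes(object_type) - set(attributes)
    if missing:
        raise ValueError(
            f"AddRequest for {object_type} is missing required attributes: {sorted(missing)}"
        )
    return {
        "entry": ipsec_object_dn(object_type, guid, domain_root_dn),
        "attributes": dict(attributes),
    }


def handle_add_response(task_return_status, unbind):
    """Apply the response rule: 0 is success; otherwise log an error and unbind.

    `unbind` is a callable supplied by the caller (assumed interface) that
    performs the unbind described in the referenced section.
    """
    if task_return_status == 0:
        return True
    log.error("LDAP AddRequest failed, TaskReturnStatus=%d; unbinding", task_return_status)
    unbind()
    return False


if __name__ == "__main__":
    # Constructed sample values; they do not come from any real directory.
    logging.basicConfig(level=logging.INFO)
    sample_guid = "12345678-1234-1234-1234-123456789abc"
    root_dn = "DC=example,DC=test"
    dn = ipsec_object_dn("ipsecNegotiationPolicy", sample_guid, root_dn)
    sample_attrs = {name: f"<{name}>" for name in required_attributes("ipsecNegotiationPolicy")}
    sample_attrs["distinguishedName"] = dn
    request = build_add_request("ipsecNegotiationPolicy", sample_guid, root_dn, sample_attrs)
    print(request["entry"])
    print(sorted(request["attributes"]))
    handle_add_response(0, lambda: print("unbind called"))
    handle_add_response(1, lambda: print("unbind called"))
```

The validation is deliberately strict: a request that is missing, say, ipsecNegotiationPolicyType for an ipsecNegotiationPolicy object is rejected locally instead of being sent to the domain controller, so a malformed policy object is never written to the directory and the failure is visible in the writer's own log.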