The DsBindWithSpnEx function binds to a domain controller using the specified credentials and a specific service principal name (SPN) for mutual authentication. This function is similar to the DsBindWithSpn function except this function allows more binding options with the BindFlags parameter.
This function is provided where complete control is required over mutual authentication. Do not use this function if you expect DsBind to find a server for you, because SPNs are computer-specific, and it is unlikely that the SPN you provide will match the server that DsBind finds for you. Providing a NULLServicePrincipalName argument results in behavior that is identical to DsBindWithCred.
NTDSAPI_POSTXP DWORD DsBindWithSpnExA( LPCSTR DomainControllerName, LPCSTR DnsDomainName, RPC_AUTH_IDENTITY_HANDLE AuthIdentity, LPCSTR ServicePrincipalName, DWORD BindFlags, HANDLE *phDS );
Pointer to a null-terminated string that contains the fully qualified DNS name of the domain to bind. For more information, see the DomainControllerName description in the DsBind topic.
Pointer to a null-terminated string that contains the fully qualified DNS name of the domain to bind. For more information, see the DnsDomainName description in the DsBind topic.
Contains an RPC_AUTH_IDENTITY_HANDLE value that represents the credentials to be used for the bind. The
DsMakePasswordCredentialsfunction is used to obtain this value. If this parameter is NULL, the credentials of the calling thread are used.
Pointer to a null-terminated string that specifies the Service Principal Name to assign to the client. Passing NULL in ServicePrincipalName is equivalent to a call to the DsBindWithCred function.
Contains a set of flags that define the behavior of this function. This parameter can contain zero or a combination of the values listed in the following list.
Causes the bind to use the delegate impersonation level. This allows operations that require delegation, such as DsAddSidHistory, to succeed. Specifying this flag also causes DsBindWithSpnEx to operate like DsBindWithSpn.
If this flag is not specified, the bind will use the impersonate impersonation level. For more information, see Impersonation Levels.
Most operations do not require the delegate impersonation level, so this flag should only be specified if absolutely required. Binding to a rogue server with the delegate impersonation level will allow the rogue server to connect to a non-rogue server with your credentials and perform unintended operations.
Active Directory Lightweight Directory Services: If this flag is specified, DsBindWithSpnEx forces Kerberos authentication to be used. If Kerberos authentication cannot be established, DsBindWithSpnEx will not attempt to authenticate with any other method.
Address of a HANDLE value that receives the binding handle. To close this handle, pass it to the DsUnBind function.
Returns ERROR_SUCCESS if successful or a Windows or RPC error code otherwise. The following list lists common error codes.
|Minimum supported client||Windows Vista|
|Minimum supported server||Windows Server 2008|