DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 974522 - Last Review: October 7, 2011 - Revision: 2.0

Hotfix Download Available
View and request hotfix downloads
 

On This Page

SYMPTOMS

Consider the following scenario:
  • You have an application that uses the simple bind authentication method for the Lightweight Directory Access Protocol (LDAP). This authentication method is used to authenticate users on a domain controller that is running Windows Server 2008 Service pack 2 (SP2) or Windows Server 2008.
  • The distinguished name of your user account exceeds 256 characters.
  • You try to log on to the application by using this distinguished name.
In this scenario, the simple bind action fails.

For example, when you use the Ldp.exe utility to perform a simple bind action, you receive an error message that resembles the following:
res = ldap_simple_bind_s(ld, 'CN=testuser,OU=L5-
12345678901234567890123456789012345678901234567890,OU=L4-
12345678901234567890123456789012345678901234567890,OU=L3-
12345678901234567890123456789012345678901234567890,OU=L2-
12345678901234567890123456789012345678901234567890,OU=L1-
12345678901234567890123456789012345678901234567890,OU=test,DC=testdomain,DC=com', <unavailable>); // v.3

Error <49>: ldap_simple_bind_s() failed: Invalid
Credentials Server error: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 57, v1771
Error 0x80090308 The token supplied to the function is invalid

CAUSE

This problem occurs because the Windows authentication module incorrectly sets a maximum length limitation of 256 bytes for the distinguished name of the user account that is used in the simple bind action.

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

To apply this hotfix, the computer must be running Windows Server 2008 Service Pack 2 (SP2) or Windows Server 2008. Additionally, the computer must have Active Directory Domain Services (AD DS) installed.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2008 file information note
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Collapse this tableExpand this table
    VersionProductSR_LevelService branch
    6.0.6001.18xxxWindows Server 2008SP1GDR
    6.0.6001.22xxxWindows Server 2008SP1LDR
    6.0.6002.18xxxWindows Server 2008SP2GDR
    6.0.6002.22xxxWindows Server 2008SP2LDR
  • Service Pack 1 is integrated into the original release of Windows Server 2008.
  • GDR service branches contain only fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008 SP2 and of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Pwdssp.dll6.0.6001.2251612,80007-Sep-200911:57x86
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Pwdssp.dll6.0.6002.2221912,80007-Sep-200909:32x86
For all supported x64-based versions of Windows Server 2008 SP2 and of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Pwdssp.dll6.0.6001.2251615,87207-Sep-200912:15x64
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Pwdssp.dll6.0.6002.2221915,87207-Sep-200911:49x64

WORKAROUND

To work around this problem, use one of the following methods:
  • Change the distinguished name of your user account to make sure that the length of the distinguished name is less than 256 characters.
  • Do not use the simple bind authentication method.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684  (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates

Additional file information for Windows Server 2008 SP2 and for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008 SP2 and of Windows Server 2008

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Package_for_kb974522_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot applicable1,43008-Sep-200906:29Not applicable
Package_for_kb974522_sc_1~31bf3856ad364e35~x86~~6.0.1.0.mumNot applicable1,36008-Sep-200906:29Not applicable
Package_for_kb974522_sc~31bf3856ad364e35~x86~~6.0.1.0.mumNot applicable1,70108-Sep-200906:29Not applicable
Package_for_kb974522_server_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot applicable1,42708-Sep-200906:29Not applicable
Package_for_kb974522_server_1~31bf3856ad364e35~x86~~6.0.1.0.mumNot applicable1,36408-Sep-200906:29Not applicable
Package_for_kb974522_server~31bf3856ad364e35~x86~~6.0.1.0.mumNot applicable1,71208-Sep-200906:29Not applicable
X86_microsoft-windows-security-pwdssp_31bf3856ad364e35_6.0.6001.22516_none_13beea410e9ba18f.manifestNot applicable5,13507-Sep-200913:33Not applicable
X86_microsoft-windows-security-pwdssp_31bf3856ad364e35_6.0.6002.22219_none_15a85d070bbf42b8.manifestNot applicable5,13507-Sep-200913:13Not applicable

Additional files for all supported x64-based versions of Windows Server 2008 SP2 and of Windows Server 2008

Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Amd64_microsoft-windows-security-pwdssp_31bf3856ad364e35_6.0.6001.22516_none_6fdd85c4c6f912c5.manifestNot applicable5,15107-Sep-200913:52Not applicable
Amd64_microsoft-windows-security-pwdssp_31bf3856ad364e35_6.0.6002.22219_none_71c6f88ac41cb3ee.manifestNot applicable5,15107-Sep-200913:07Not applicable
Package_for_kb974522_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot applicable1,43808-Sep-200906:29Not applicable
Package_for_kb974522_sc_1~31bf3856ad364e35~amd64~~6.0.1.0.mumNot applicable1,36808-Sep-200906:29Not applicable
Package_for_kb974522_sc~31bf3856ad364e35~amd64~~6.0.1.0.mumNot applicable1,71108-Sep-200906:29Not applicable
Package_for_kb974522_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot applicable1,43508-Sep-200906:29Not applicable
Package_for_kb974522_server_1~31bf3856ad364e35~amd64~~6.0.1.0.mumNot applicable1,37208-Sep-200906:29Not applicable
Package_for_kb974522_server~31bf3856ad364e35~amd64~~6.0.1.0.mumNot applicable1,72208-Sep-200906:29Not applicable

REFERENCES

For more information about the LDAP simple bind, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/aa366994(VS.85).aspx (http://msdn.microsoft.com/en-us/library/aa366994(VS.85).aspx)

For more information about the maximum limits in the scalability of Active Directory, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc756101(WS.10).aspx#BKMK_NameLimits (http://technet.microsoft.com/en-us/library/cc756101(WS.10).aspx#BKMK_NameLimits)

APPLIES TO
  • Windows Server 2008 Standard
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Web Server 2008
Keywords: 
kbbug kbfix kbautohotfix kbsurveynew kbqfe KB974522
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support