Affected Versions: All
Cause:
By default, AD LDS requires that you perform password operations over a secure channel. If you try to reset a password over a non-secure channel (e.g., a default LDAP connection through LDP), you'll receive the error message: "Illegal modify operation. Some aspect of the modification is not permitted."
Resolution:
To resolve this problem, you should use an LDAP over Secure Sockets Layer (SSL) connection (which will require a certificate in place) to secure the connection.
Another option is to disable the secure-channel requirement so that you can reset the password over a non-secure connection. You should not use this option in a production environment: it has security problems because the password can be read from the network.
To disable the secure-channel requirement, perform the steps below.
- Start the ADSI Edit tool and connect to the "Configuration partition" of the AD LDS instance.
- Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID of the AD LDS instance}.
- Right-click "CN=Directory Service" and select Properties.
- Double-click the dSHeuristics attribute.
- Set the value to 0000000001001 and click OK. Click OK again to close the CN=Directory Service properties box.
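The following audit script is an added example, not part of the original article: it reads dSHeuristics from an AD LDS instance and reports whether the secure-channel requirement has been switched off (13th character set to 1), so that instances left in this state can be found and reverted. The host name and port are placeholders, and the script assumes the .NET DirectoryServices classes behind the [ADSI] accelerator are available.

```powershell
# Added audit example (not from the original article). Reads dSHeuristics from an
# AD LDS instance and flags the non-secure password operation setting.
function Test-AdLdsPasswordChannel {
    param(
        [string]$Server = "adlds01.example.local",  # placeholder instance host
        [int]   $Port   = 50000                      # placeholder LDAP port
    )

    # Read the configuration naming context from RootDSE so the instance GUID
    # does not have to be typed by hand.
    $rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    $configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
    $dsPath   = "LDAP://${Server}:${Port}/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $heur     = [string]([ADSI]$dsPath).Properties["dSHeuristics"].Value

    # dSHeuristics is a positional string; an absent attribute means all defaults.
    # Character 13 (fAllowPasswordOperationsOverNonSecureConnection) controls the
    # secure-channel requirement; character 10 must be '1' whenever the value is
    # at least 10 characters long, otherwise the whole value is ignored.
    $allowsInsecure = ($heur.Length -ge 13) -and ($heur[12] -eq '1')
    $tenthCharOk    = ($heur.Length -lt 10) -or ($heur[9] -eq '1')

    if ($allowsInsecure) {
        $advice = "Revert character 13 to '0' and perform password resets over LDAPS (certificate required)."
    } else {
        $advice = "Secure-channel requirement in effect; perform password resets over LDAPS."
    }
    if (-not $heur) { $heur = "<not set>" }

    [pscustomobject]@{
        Server                          = "${Server}:${Port}"
        dSHeuristics                    = $heur
        PasswordOpsOverNonSecureAllowed = $allowsInsecure
        TenthCharacterValid             = $tenthCharOk
        Recommendation                  = $advice
    }
}

# Usage: run from a host that can reach the instance's LDAP port.
Test-AdLdsPasswordChannel | Format-List
```

Run it against each AD LDS instance after a troubleshooting session to confirm the value was reverted, since the attribute lives in the Configuration partition and is not reset by restarting the instance.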