I'm using this article: http://msdn.microsoft.com/en-us/library/ms998360.aspx
When the user enters his user name and password, I query the AD domain controller with only port 389 or 636 open.
The query fails.
My connection string is correct, my DNS is correct.
SSL is set up correctly on the server. (I can use ldp.exe and connect on either port and walk the AD tree.)
Looking at the network capture, I can see the successful connect and bind with my configured connection user and password.
But the example app attempts to contact the untrusted domain controller using NetBIOS and port 445. This of course fails because the AD I am querying is not a trusted forest and that port is not allowed between firewalls.
If I open NetBIOS, everything works correctly.
From the capture I can see it uses NTLM when the NetBIOS port is open. It can't use Kerberos since the remote domain controller is not trusted by the forest the app is in.
Is there a method to authenticate a user against an untrusted AD forest domain controller only over port 389 or 636 and keep the functionality of http://msdn.microsoft.com/en-us/library/ms998360.aspx?
My end goal is for the app user to be able to enter his normal AD credentials instead of having to remember another set stored in SQL or elsewhere.
I'm running the example from my XP desktop using VS 2008.
Any help is appreciated. My support call to Microsoft Technical Support said I would need to have port 445 open to do this.
Surely I cannot be the first to need this capability and opening 445 is not an option.
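The following is an added illustration of the approach the question is asking about, not code from the original post or from the linked MSDN article. The article binds through ADSI's DirectoryEntry, whose default authentication type (Secure) negotiates Windows authentication through SSPI, which is the Kerberos/NTLM path the capture shows. The alternative below uses System.DirectoryServices.Protocols (available since .NET 2.0, so it works in VS 2008) to do a simple bind inside TLS on port 636 and then reads the user's groups with an LDAP search on the same connection, so the only traffic is LDAPS. The domain controller name and base DN are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example: authenticate against a remote, untrusted AD forest using only
// an LDAPS (TCP 636) simple bind, then fetch the user's groups over the same
// connection. Nothing here uses SSPI, so no NetBIOS/SMB (139/445) traffic.
public static class LdapsAuthenticator
{
    // Assumed values; replace with the remote forest's DC FQDN and base DN.
    const string DomainController = "dc01.remote.example";
    const string BaseDn = "DC=remote,DC=example";

    // Returns the DNs of the groups the user is a member of, or null when the
    // credentials are rejected. Other failures (network, certificate, server
    // down) propagate as exceptions so they are not mistaken for a bad password.
    public static List<string> AuthenticateAndGetGroups(string userPrincipalName, string password)
    {
        // An LDAP simple bind with an empty password is an anonymous bind and
        // succeeds on AD; never let that count as a login.
        if (string.IsNullOrEmpty(userPrincipalName) || string.IsNullOrEmpty(password))
            return null;

        // Arguments: host, port, fullyQualifiedDnsHostName, connectionless (false = TCP)
        LdapDirectoryIdentifier id = new LdapDirectoryIdentifier(DomainController, 636, true, false);
        using (LdapConnection conn = new LdapConnection(id))
        {
            // TLS from the first byte; the server certificate is validated
            // against the client machine's trusted root store.
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.ProtocolVersion = 3;
            // Simple bind: the password travels inside the TLS tunnel only.
            // Do not use AuthType.Basic on plain port 389.
            conn.AuthType = AuthType.Basic;
            conn.Credential = new NetworkCredential(userPrincipalName, password);

            try
            {
                conn.Bind();
            }
            catch (LdapException ex)
            {
                // 49 = LDAP_INVALID_CREDENTIALS (wrong password, disabled or locked account)
                if (ex.ErrorCode == 49) return null;
                throw;
            }

            // The bind proved the password; now look the user up for role mapping.
            string filter = "(userPrincipalName=" + EscapeFilterValue(userPrincipalName) + ")";
            SearchRequest req = new SearchRequest(BaseDn, filter, SearchScope.Subtree, "memberOf");
            SearchResponse resp = (SearchResponse)conn.SendRequest(req);

            List<string> groups = new List<string>();
            foreach (SearchResultEntry entry in resp.Entries)
            {
                DirectoryAttribute memberOf = entry.Attributes["memberOf"];
                if (memberOf == null) continue; // only the primary group, which memberOf omits
                foreach (object value in memberOf.GetValues(typeof(string)))
                    groups.Add((string)value);
            }
            return groups;
        }
    }

    // RFC 4515 escaping so a user-supplied name cannot change the filter's structure.
    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);     break;
            }
        }
        return sb.ToString();
    }
}
```

Two points to check before relying on this: the LDAPS certificate chain must validate on the web server (the ldp.exe test in the question already suggests it does), and the remote forest must permit the authenticated user to read its own memberOf attribute, which is the default for domain users. Because the bind is performed with the user's own credentials, no service account password for the remote forest needs to be stored in web.config.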