SUMMARY:
Database administrators must explicitly define port 636 within the LDAP:// prefix to correctly enforce Secure LDAP (LDAPS) communication for SQL Server ADSI-linked servers, thereby eliminating insecure cleartext credential transmission and resolving the common Msg 7321 error caused by using the technically correct but unsupported LDAPS:// syntax.
- Standard ADSI-linked server queries communicate over unencrypted LDAP port 389, which is flagged during security hardening because it exposes bind credentials in cleartext.
- The Microsoft OLE DB Provider,
ADsDSOObject, used by SQL Server linked servers, does not reliably support theLDAPS://URI scheme, which typically results in the vague and unhelpfulMsg 7321error. - The proven method for enforcing Secure LDAP is utilizing the
LDAP://<domain>:636format, which correctly instructs the ADSI provider to establish an encrypted SSL/TLS tunnel to the domain controller. - True security remediation requires a three-step validation process: confirming firewall connectivity to port 636, inspecting the domain controller’s certificate details, and verifying that the SQL Server trusts the certificate’s issuing authority.
Proper implementation requires not only the correct connection syntax but also thorough validation steps to ensure the entire LDAPS connection is fully trusted and encrypted on the SQL Server host.
Table of contents
- SUMMARY:
- The Challenge: Remediating LDAP Simple Bind in SQL Server
- The Initial Query: A Standard ADSI OPENQUERY
- The LDAPS:// Pitfall and the Dreaded Msg 7321
- The Correct Approach: Explicitly Defining the Secure Port
- Beyond Syntax: A 3-Step Security Validation Process
- The Final, Secure Query Template
- Conclusion
The Challenge: Remediating LDAP Simple Bind in SQL Server
As part of ongoing security hardening, many organizations are tasked with eliminating insecure LDAP Simple Binds. When your SQL Server instances use linked servers with the ADsDSOObject provider to query Active Directory (AD), this traffic can be flagged as a vulnerability. The goal is to ensure all communication with AD, including credential transmission, is fully encrypted.
This naturally leads to the question: How do you force the ADSI-linked server to use Secure LDAP (LDAPS) over port 636? The answer is less straightforward than it appears and can lead you down a path of frustrating and generic error messages.
This post will walk you through the common pitfalls and provide a straightforward, validated method for securing your ADSI queries.
The Initial Query: A Standard ADSI OPENQUERY
Let’s start with a typical OPENQUERY used to retrieve user information from Active Directory.
SQL
SELECT sn as [LastName],
givenName as [Firstname],
mail as [eMailAddress]
FROM OPENQUERY( ADSI, 'SELECT mail, sn, givenName
FROM ''LDAP://my-corp.net/ou=Company Users,dc=my-corp,dc=net''
WHERE objectCategory = ''User'' AND mail IS NOT NULL')
ORDER BY 1, 2;By default, this query communicates over the standard, unencrypted LDAP port 389, exposing the bind credentials in cleartext. The obvious solution is to force it to use the secure port 636.
The LDAPS:// Pitfall and the Dreaded Msg 7321
Most modern LDAP tools and documentation will tell you the correct URI scheme for Secure LDAP is LDAPS://. Following this advice, you might rewrite your query like this:
SQL
-- This query will likely FAIL
FROM OPENQUERY( ADSI, 'SELECT mail, sn
FROM ''LDAPS://my-corp.net/ou=Company Users,dc=my-corp,dc=net''
WHERE objectCategory = ''User'' ')Executing this query almost always results in a vague and unhelpful error message:
Msg 7321, Level 16, State 2, Line 1 An error occurred while preparing the query “…” for execution against OLE DB provider “ADSDSOObject” for linked server “ADSI”.
This is the central problem: while LDAPS:// is technically correct in the broader LDAP world, the specific Microsoft OLE DB Provider (ADsDSOObject) used by SQL Server’s linked server feature does not reliably support this syntax.
The Correct Approach: Explicitly Defining the Secure Port
The proven and reliable method to enforce LDAPS with the ADSI provider is to stick with the LDAP:// prefix but explicitly specify port 636 in the connection string.
SQL
-- This is the CORRECT and working syntax
FROM OPENQUERY( ADSI, 'SELECT mail, sn
FROM ''LDAP://my-corp.net:636/ou=Company Users,dc=my-corp,dc=net''
WHERE objectCategory = ''User'' ')This syntax, while less intuitive, correctly instructs the provider to create an encrypted SSL/TLS tunnel to the domain controller on the LDAPS port. This effectively secures the Simple Bind process by wrapping the entire communication in a layer of encryption.
Beyond Syntax: A 3-Step Security Validation Process
Just because the query runs without error doesn’t mean your work is done. True security remediation requires validation. From the SQL Server host itself, you must confirm that the connection is not only connecting but is fully trusted and encrypted.
Step 1: Verify Port Connectivity
First, confirm that the SQL Server can reach the domain controller on the LDAPS port. A quick PowerShell test will do the trick.
PowerShell
Test-NetConnection -ComputerName my-corp.net -Port 636A TcpTestSucceeded : True result confirms that no firewalls are blocking the connection.
Step 2: Inspect the Domain Controller’s Certificate
Next, verify the identity of the server you’re connecting to. You can use PowerShell to retrieve and inspect the certificate that the domain controller presents during the SSL handshake.
PowerShell
$tcpClient = New-Object System.Net.Sockets.TcpClient("my-corp.net", 636)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, ({$true}))
$sslStream.AuthenticateAsClient("my-corp.net")
$cert = $sslStream.RemoteCertificate
$cert | Format-List Subject, Issuer, NotBefore, NotAfterThis script will output the certificate details. You want to confirm two key fields:
- Subject: Should match the FQDN of your domain controller (e.g.,
CN=DC1.my-corp.net). - Issuer: Should show who issued the certificate, which in most corporate environments is an internal Certificate Authority (e.g.,
CN=MyCorp-CA, DC=my-corp, DC=net).
Step 3: Confirm Certificate Trust on the SQL Server
Finally, the SQL Server itself must trust the authority that issued the domain controller’s certificate. Since the certificate was issued by MyCorp-CA, we need to ensure the SQL Server trusts this internal CA.
- On the SQL Server, run
mmc.exe. - Go to
File > Add/Remove Snap-in…. - Select
Certificates, clickAdd, chooseComputer account, and clickFinish. - Navigate to
Trusted Root Certification Authorities > Certificates. - Look for the certificate of your issuer (e.g.,
MyCorp-CA).
If the certificate is present, your server trusts the LDAPS connection, making it fully validated and secure.
The Final, Secure Query Template
Here is the final, production-ready template for querying Active Directory securely from a SQL Server ADSI-linked server, incorporating best practices for readability and security.
SQL
SELECT sn AS [LastName],
givenName AS [FirstName],
COALESCE(department, 'No Dept') AS [Department],
displayName AS [DisplayName],
mail AS [EmailAddress],
COALESCE(telephoneNumber, '') AS [PhoneNumber],
userPrincipalName AS [UPN],
sAMAccountName AS [AccountName]
FROM
OPENQUERY(
ADSI,
'SELECT sAMAccountName,
displayName,
givenName,
sn,
mail,
userPrincipalName,
department,
telephoneNumber
FROM ''LDAP://my-corp.net:636/ou=Company Users,dc=my-corp,dc=net''
WHERE objectCategory = ''User'' '
)
WHERE mail IS NOT NULL
AND sn IS NOT NULL
ORDER BY sn, givenName;Conclusion
Securing LDAP queries in SQL Server is a common but often misunderstood task. While the LDAPS:// prefix is the standard in many applications, the ADSI OLE DB provider requires the LDAP://<domain>:636 syntax to establish a secure connection. By using the correct syntax and performing a thorough 3-step validation, you can ensure your linked server connections are safe, compliant, and free of the frustrating Msg 7321 error.
For more information, please contact us.