"That said, I've heard that a Windows DC will not accept an  
authenticated bind except over SSL/TLS.  Period.  Regardless of  
whether a SASL security layer is negotiated or not.  If that's not it,  
then I'm sorry I can't help."

Not so. GSS/SASL is its normal mode of operation. It is unusual to see
an AD server with SSL turned on.

What it won't accept is plain text binds over unencrypted channels.

