I have set up an Active Directory server in my virtual machine and enabled LDAP over SSL according to the following link: https://support.microsoft.com/en-us/kb/321051
I used ldp.exe to test my setting and was able to connect to port 636 with the "SSL" checkbox checked. I then unchecked the "SSL" checkbox and tried connecting to port 636 again. I expected the connection to fail, since port 636 is reserved for LDAP over SSL. However, to my surprise, the connection still went through. I am perplexed. Is it normal that I can connect to Active Directory on port 636 but without SSL?
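/// <summary>
/// Builds an <see cref="LdapConnection"/> to <paramref name="server"/>:<paramref name="port"/>,
/// optionally with SSL enabled on the session, and attempts a simple (Basic) bind with
/// <paramref name="userDN"/> / <paramref name="password"/>.
/// </summary>
/// <param name="server">Host name or address of the directory server.</param>
/// <param name="port">TCP port to connect to (636 is the conventional LDAPS port, 389 plain LDAP).</param>
/// <param name="IsSSL">
/// When true, <c>SecureSocketLayer</c> is switched on and the server certificate is handed to
/// <c>ServerCallback</c> for acceptance. When false the session is plain LDAP.
/// </param>
/// <param name="userDN">Bind identity, passed as the user name of a <see cref="NetworkCredential"/>.</param>
/// <param name="password">Bind password.</param>
/// <param name="err">
/// Null when the bind succeeded; otherwise a short description of why it failed.
/// </param>
/// <returns>
/// The connection object in every case, even when the bind failed — callers must inspect
/// <paramref name="err"/> before using it, and own its disposal.
/// </returns>
public static LdapConnection CreateLdapConnection(string server, int port, bool IsSSL, string userDN, string password, out string err)
{
    err = null;
    LdapConnection con = new LdapConnection(new LdapDirectoryIdentifier(server, port));
    if (IsSSL)
    {
        con.SessionOptions.SecureSocketLayer = true;
        // ServerCallback is defined elsewhere in this file, so its policy is not visible here.
        // NOTE(review): it decides whether the presented certificate is trusted — confirm it
        // rejects untrusted chains; an accept-all callback leaves the SSL session open to a
        // spoofed server.
        con.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
    }
    con.Credential = new NetworkCredential(userDN, password);
    // A simple (Basic) bind transmits the password as-is; when IsSSL is false it crosses the
    // wire in clear text, so this combination should only be used on a trusted network.
    con.AuthType = AuthType.Basic;
    try
    {
        con.Bind();
    }
    catch (LdapException ex)
    {
        // Classify on the numeric LDAP result code rather than substring-matching the
        // exception message, which is localizable and may change between runtime versions.
        switch (ex.ErrorCode)
        {
            case 49: // LDAP_INVALID_CREDENTIALS ("The supplied credential is invalid")
                err = "Invalid ldap user password";
                break;
            case 81: // LDAP_SERVER_DOWN ("The LDAP server is unavailable")
                err = "Invalid server address or port number";
                break;
            default:
                err = ex.Message;
                break;
        }
    }
    catch (Exception ex)
    {
        // Anything that is not an LDAP protocol error (argument, socket, certificate
        // problems) is reported verbatim, as the original code did for every exception.
        err = ex.Message;
    }
    return con;
}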
I also used the above code to test the LDAP connection in my application, and it is able to connect when the IsSSL variable is false.