https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549260#M112085 <P>&nbsp;I am in the process of setting up LDAPS on an 850. I created an LDAPS server profile and pinted it to our server for credentials. Aftr creating that, I set up an Authentication profile and Authentication sequence (wasnt sure if it was needed but the documentation said it was optional. I created an admin account that has the authentication profile in it. I am still unable to use my AD credentials. Do I need to make a security and authentication profile as well?</P> <P>&nbsp;</P> <P>I also went in to the command line and tested the authentication profile. I get this error message:</P> <P>&nbsp;</P> <P>Failed to create a session with LDAP server</P> <P>Authentication failed against LDAP server at &lt;ip address&gt; for user "user"</P> Thu, 13 Jul 2023 15:50:37 GMT m.maldonado 2023-07-13T15:50:37Z https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549260#M112085 <P>&nbsp;I am in the process of setting up LDAPS on an 850. I created an LDAPS server profile and pinted it to our server for credentials. Aftr creating that, I set up an Authentication profile and Authentication sequence (wasnt sure if it was needed but the documentation said it was optional. I created an admin account that has the authentication profile in it. I am still unable to use my AD credentials. Do I need to make a security and authentication profile as well?</P> <P>&nbsp;</P> <P>I also went in to the command line and tested the authentication profile. I get this error message:</P> <P>&nbsp;</P> <P>Failed to create a session with LDAP server</P> <P>Authentication failed against LDAP server at &lt;ip address&gt; for user "user"</P> Thu, 13 Jul 2023 15:50:37 GMT https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549260#M112085 m.maldonado 2023-07-13T15:50:37Z https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549283#M112088 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/284777">@m.maldonado</a></P> <P>&nbsp;</P> <P>thanks for posting.</P> <P>&nbsp;</P> <P>To start with, could you go through this&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CqYPCA0" target="_self">KB</A>&nbsp;to perform basic diagnostic and collect more logs. The&nbsp;authd.log should give you ultimate answer what the problem is. Also make sure that Bind and Base DN are correct. Note: To use LDAPS you have to import certificates used by LDAPS server to Firewall to form LDAP over SSL session. If this server is part of the AD, then you should import to Firewall root, intermediate, site CA certificates to have full certificate trust.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 13 Jul 2023 21:23:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549283#M112088 PavelK 2023-07-13T21:23:32Z https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549285#M112089 <P>I realized I said profilies when I meant to say policies. Will those need to created as well?</P> Thu, 13 Jul 2023 21:36:07 GMT https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549285#M112089 m.maldonado 2023-07-13T21:36:07Z https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549286#M112090 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/284777">@m.maldonado</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>By default the LDAP is using management interface for this communication, therefore there is no security policy required to allow this traffic. Have you set up a service route for LDAP to communicate over data plane interfaces? The reference is in this&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpoCAC" target="_self">KB</A>&nbsp;Point No.3</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 13 Jul 2023 21:41:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549286#M112090 PavelK 2023-07-13T21:41:39Z https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549383#M112101 <P>Hello,</P> <P>Check the logs to see if/where the traffic is getting blocked. If allowed on the Palo Alto, it could the LDAPS server blocking you so check its firewall if it has one. Also try just LDAP as a test and see if that works.</P> <P>Regards,</P> Fri, 14 Jul 2023 15:09:45 GMT https://live.paloaltonetworks.com/t5/general-topics/ldaps/m-p/549383#M112101 OtakarKlier 2023-07-14T15:09:45Z