topic Re: LDAPS inexplicably working on 2 DCs, not on 3rd in General Topics https://live.paloaltonetworks.com/t5/general-topics/ldaps-inexplicably-working-on-2-dcs-not-on-3rd/m-p/176644#M55209 <P>If they are actuall working on LDAPS,&nbsp; I don't want to step down the security if I don't have to!</P> Fri, 15 Sep 2017 00:12:06 GMT gwilson78 2017-09-15T00:12:06Z LDAPS inexplicably working on 2 DCs, not on 3rd https://live.paloaltonetworks.com/t5/general-topics/ldaps-inexplicably-working-on-2-dcs-not-on-3rd/m-p/176637#M55208 <P>Please suggest a better title, this issue has sent me through the ringer.</P><P>&nbsp;</P><P>We have a site with an MPLS connection down.&nbsp; The PAs use the domain controller in our datacenter for authentication for both admin, and GP users, which is over the MPLS.&nbsp; LDAP requests of coures.. fail.</P><P>&nbsp;</P><P>&nbsp;</P><P>We also have a DC in Azure, which the PA has an IPSEC tunnel attached through the backup broadband connection at the office.&nbsp; Users logging into computers onsite, eventually have their login sent to Azure, and they authenticate properly.</P><P>&nbsp;</P><P>External users trying to connect to the local VPN, can't authenticate.</P><P>&nbsp;</P><P>I created a new LDAP server profile, and a new authentication protocol.&nbsp; The only way it will work, is to set the port to 389, and to uncheck the SSL button.</P><P>&nbsp;</P><P>However, the two other LDAP server that are configured , which are setup from the panorama, AND are the same on all 15 of my PAs,&nbsp; use port 636, with the SSL box checked.&nbsp; On other PAs, there are no issues with Authentication.</P><P>&nbsp;</P><P>When I use ldp.exe to connect to the ldap servers, oddly enough, they all work with 389 no SSL.&nbsp; They also all FAIL when trying to connect with 636 and SSL.</P><P>&nbsp;</P><P>Is there some kind of magic allowing the other servers to work?&nbsp; I of course inherited the network, but I know we don't have a Cert Authority.&nbsp; So it would seem I haven't met the requirements for using LDAPS.&nbsp;</P><P>&nbsp;</P><P><STRONG>What I'm after, is trying to figure out how the main 2 servers are working on port 636, and if legitimate, I'd like to make those changes to the AZURE server.&nbsp; This way I can add the AZURE server to the list on the LDAP server profile, so i'm covered in the future.&nbsp; The only certificates configure on the PA, are a Root, Intermediate , and Wildcard certificate ( full chain)</STRONG></P><P>&nbsp;</P><P>Please let me know if you have any questions.</P><P>&nbsp;</P><P>Thank you!</P> Fri, 15 Sep 2017 00:08:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ldaps-inexplicably-working-on-2-dcs-not-on-3rd/m-p/176637#M55208 gwilson78 2017-09-15T00:08:50Z Re: LDAPS inexplicably working on 2 DCs, not on 3rd https://live.paloaltonetworks.com/t5/general-topics/ldaps-inexplicably-working-on-2-dcs-not-on-3rd/m-p/176644#M55209 <P>If they are actuall working on LDAPS,&nbsp; I don't want to step down the security if I don't have to!</P> Fri, 15 Sep 2017 00:12:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ldaps-inexplicably-working-on-2-dcs-not-on-3rd/m-p/176644#M55209 gwilson78 2017-09-15T00:12:06Z