topic Re: LDAP-S Authentification failed (LDAP-S with TLS1 ?) in General Topics

LDAP-S Authentification failed (LDAP-S with TLS1 ?)

Marc.Luecke — Mon, 15 Jun 2020 14:19:09 GMT

Hi,

while using LDAP-S (port 636) on a PAN Firewall for a connection to an active directory on a Windows Server 2019 I have the problem that the Firewall just can't connect.

If I try the "test" command for testing the authentication profile I get this:

Authentication to LDAP server at [....] for user "ldap"

Egress: [.....]

Type of authentication: GSSAPI

Starting LDAPS connection...

Failed to create a session with LDAP server

Authentication failed against LDAP server at [...] for user "ldap"

Authentication failed for user "ldap"

Because it worked with Windows Server 2016 I took TCP Dumps and could observe that the working connection to the Windows Server 2016 used TLS1.2 while the connection to the Windows Server 2019 used TLS1.

Could it be that the NGFW refuses the connection because of the TLS1 ?

Best regards,

Marc

Edit: On the Windows Server 2019 I activated LDAP-S and can connect to the localhost over port 636. So that can not be the problem.

Re: LDAP-S Authentification failed (LDAP-S with TLS1 ?)

Mick_Ball — Mon, 15 Jun 2020 17:13:59 GMT

Is it worth dropping this back to 389 just to ensure comms an bind is all ok.

Re: LDAP-S Authentification failed (LDAP-S with TLS1 ?)

Marc.Luecke — Tue, 16 Jun 2020 07:14:37 GMT

Hi,

thanks for your answer.

When I use LDAP over Port 389 everything works fine so the binding seems to be ok.

In addition to this Case I tried to connect over Port 636 to a Windows Server 2012 and 2016 what did work with no problems.

Only the connection to Windows Server 2019 does not work.

I think it has something to do with the Server using TLS1 by default.

I see this within the Windows Server 2019 options:

domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( Win2008R2 );
dsServiceName: CN=NTDS Settings,CN=[...],CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=[...],DC=[...];
forestFunctionality: 7 = ( Win2008R2 );

Maybe it has something to do with the reference to the Windows Server 2008R2 build and that this Server somehow prefers TLS1

what the NGFW denies...But I have no proof or workaround so far.

Best regards,

Marc

Re: LDAP-S Authentification failed (LDAP-S with TLS1 ?)

Bob_Foglia — Tue, 15 Sep 2020 17:36:33 GMT

I do not have a solution, but a possible work around. I am having the same problem getting LDAPS to work with our Email Gateway.

I installed Wireshark to troubleshoot and discovered that the npcap drivers, which I installed with Wireshark, actually fixed the problem. I could uninstall Wireshark and still connect to the domain controllers using LDAPS, but once I uninstalled npcap, LDAPS no longer worked.

This is not a solution I am comfortable with, but it may help set you on the right path to figuring out the root cause.

Re: LDAP-S Authentification failed (LDAP-S with TLS1 ?)

Marc.Luecke — Wed, 16 Sep 2020 09:31:05 GMT

Hi Bob,

very kind of you to share this detail.

I will add this to our local knowledge base!

I am kind of ashamed that I did not share the solution that I had regarding this case.

The problem on my side was that without SSL Decryption the application default services won't work.

I fixed that and everything worked fine.

Have a great day!

Best regards,

Marc

Re: LDAP-S Authentification failed (LDAP-S with TLS1 ?)

TomYoung — Mon, 31 Jan 2022 23:30:28 GMT

Hi @Marc.Luecke ,

You are the man! Removing application default from my security poicy rule did the trick.

Thanks!

Tom