UserID Group Mapping with Windows 2008 Server

19502
Created On 09/25/18 19:43 PM - Last Modified 01/27/21 02:38 AM


Symptom


Configuring LDAP group mapping fails if the Windows 2008 domain controller does not accept simple LDAP bind requests. When you attempt to expand the Active Directory root object to browse to the groups, the error message "Strong(er) authentication required" is displayed.

[Screenshot: ldap_error.JPG, the "Strong(er) authentication required" error shown when browsing the LDAP tree]



Environment


  • Windows 2008 Server.
  • LDAP Group Mappings.
  • Palo Alto Firewall.
  • PAN-OS 7.1 and above.


Cause


The error can occur if the domain controller's LDAP signing setting is set to Require Signing (as opposed to Negotiate Signing) or Refuse LM & NTLM Connections. This setting is applied automatically when the Hisecdc.inf security template is applied, which enforces the above setting through Group Policy.

Resolution


To resolve the issue, perform the following on the domain controller referenced by the firewall's LDAP server profile:

  • In the Group Policy Object Editor, select the following: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • In this section, locate the following entries:
    • Domain controller: LDAP server signing requirements
    • Network security: LDAP client signing requirements
  • To enable simple binds, set the above as follows:
    • Domain controller: LDAP server signing requirements = None
    • Network security: LDAP client signing requirements = Negotiate

[Screenshot: negotiate_noe.JPG, the two policies set to None and Negotiate in the Group Policy Object Editor]
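The following PowerShell script is an added example and is not part of this article or of Palo Alto Networks' own tooling. It audits the two policies the procedure above changes by reading the registry values that those Group Policy settings write (LDAPServerIntegrity under the NTDS service key and LDAPClientIntegrity under the LDAP service key; 0 = None, 1 = Negotiate signing, 2 = Require signing), and then attempts the same kind of simple (Basic) bind that the firewall's LDAP server profile performs, once over plain LDAP on port 389 and once over LDAPS on port 636. The LDAP result code 8 (strongerAuthRequired) returned by the first attempt is the "Strong(er) authentication required" condition from the Symptom section. The domain controller name and bind DN are placeholders, and the script assumes PowerShell 3.0 or later with the System.DirectoryServices.Protocols assembly, which is present on Windows Server.

```powershell
<#
  Added example (not from the article): audit the LDAP signing policies the
  procedure changes, then test whether a simple bind is accepted on 389 and 636.
  Assumptions: $DomainController and $BindDn are placeholders; run on the DC for
  the registry audit (the bind test can be run from any domain-joined host).
#>
param(
    [string]$DomainController = 'dc01.example.local',                         # placeholder
    [string]$BindDn = 'CN=svc-panfw,OU=Service Accounts,DC=example,DC=local'  # placeholder
)

# Registry values written by the two Security Options policies named in the article.
$settings = @(
    @{ Policy = 'Domain controller: LDAP server signing requirements'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name = 'LDAPServerIntegrity' },
    @{ Policy = 'Network security: LDAP client signing requirements'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP';            Name = 'LDAPClientIntegrity' }
)
$meaning = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-LdapSigningPolicy {
    # Read-only: reports the effective value of each policy on this machine.
    foreach ($s in $settings) {
        $value = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $label = if ($null -eq $value)                        { 'not configured' }
                 elseif ($meaning.ContainsKey([int]$value))   { $meaning[[int]$value] }
                 else                                         { "unknown ($value)" }
        [pscustomobject]@{ Policy = $s.Policy; Value = $value; Meaning = $label }
    }
}

function Test-SimpleBind {
    # Performs an LDAP v3 simple bind (AuthType Basic), the bind type the article's
    # resolution is enabling, and reports the LDAP result code on failure.
    param([string]$Server, [pscredential]$Credential, [switch]$UseSsl)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        $conn.Bind()
        [pscustomobject]@{ Port = $port; Ssl = [bool]$UseSsl; Result = 'accepted'; LdapResultCode = 0 }
    } catch {
        # PowerShell wraps .NET method exceptions; unwrap to reach LdapException.ErrorCode.
        $ex = $_.Exception
        if ($ex.InnerException -is [System.DirectoryServices.Protocols.LdapException]) { $ex = $ex.InnerException }
        $code = if ($ex -is [System.DirectoryServices.Protocols.LdapException]) { $ex.ErrorCode } else { $null }
        # Code 8 = strongerAuthRequired: the DC refused an unsigned, non-TLS simple bind.
        [pscustomobject]@{ Port = $port; Ssl = [bool]$UseSsl; Result = "rejected: $($ex.Message)"; LdapResultCode = $code }
    } finally {
        $conn.Dispose()
    }
}

# Usage: show the policy state, then try the bind both ways.
Get-LdapSigningPolicy | Format-Table -AutoSize
$cred = Get-Credential -UserName $BindDn -Message 'Password for the LDAP server profile bind account'
Test-SimpleBind -Server $DomainController -Credential $cred           # plain LDAP, port 389
Test-SimpleBind -Server $DomainController -Credential $cred -UseSsl   # LDAPS, port 636
```

Two points worth checking with this script before lowering the server policy to None: a simple bind on port 389 sends the bind account's password in clear text on the wire, and a domain controller set to Require signing still accepts simple binds when the connection is protected by SSL/TLS. If the LDAPS attempt succeeds (it needs a server certificate the client trusts), pointing the firewall's LDAP server profile at port 636 with SSL/TLS enabled avoids the error without changing the domain controller's signing policy.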

Additional Information


Note: The procedure will also work for the Windows 2012 Server.

Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbqCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail