Configuring LDAP group mapping fails if the Windows 2008 domain controller does not allow simple LDAP bind requests. When attempting to expand the Active Directory root object to browse to the groups, the error message "Strong(er) authentication required" is displayed.
Environment
Windows 2008 Server.
LDAP Group Mappings.
Palo Alto Firewall.
PAN-OS 7.1 and above.
Cause
The error can occur if the Domain Controller's LAN Manager authentication level setting is set to Require Signing (as opposed to Negotiate Signing) or to Refuse LM & NTLM Connections. This setting is applied automatically when the Hisecdc.inf security template is applied, as that template enforces the setting in Group Policy.
Resolution
To resolve the issue, follow this procedure on the Domain Controller used by the firewall (the one configured in the LDAP server profile):
In the Group Policy Object Editor, select the following: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
In this section, search for the following entries:
Domain Controller: LDAP Server signing requirements.
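The following PowerShell is an added example, not part of the original article or Palo Alto Networks' documentation; run on the domain controller named in the firewall's LDAP server profile, it reports the current "LDAP server signing requirements" value (the registry value behind the Group Policy setting) and turns on the Directory Service diagnostic that logs event 2889 for every client binding without signing, so that after the setting is relaxed it is clear which clients, besides the firewall, now depend on unsigned simple binds. The registry paths and event ID are standard Windows values; the 50-event limit is an arbitrary choice.

```powershell
# Added example (not from the original article). Run as a local administrator
# on the domain controller that the firewall's LDAP server profile points to.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# LDAPServerIntegrity backs the Group Policy setting
# "Domain controller: LDAP server signing requirements": 1 = None, 2 = Require signing.
# With 2, a simple bind on a cleartext LDAP connection is refused, which is
# what the firewall reports as "Strong(er) authentication required".
$integrity = (Get-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' `
                 -ErrorAction SilentlyContinue).LDAPServerIntegrity
switch ($integrity) {
    2       { Write-Output 'LDAP server signing: Require signing (cleartext simple binds are refused)' }
    1       { Write-Output 'LDAP server signing: None (cleartext simple binds are accepted)' }
    default { Write-Output 'LDAP server signing: value not set (DC defaults to None)' }
}

# "16 LDAP Interface Events" = 2 makes the Directory Service log record event 2889
# each time a client binds without signing (simple bind over cleartext, or SASL
# bind without integrity). Once the policy is set to None, this shows exactly
# which clients rely on unsigned binds, so the exposure is known rather than guessed.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# After the firewall has retried group mapping, list the clients that bound unsigned.
# Each message carries the client IP:port and the identity it authenticated as.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Leave the diagnostic at 2 only for as long as the review takes; set it back to 0 afterwards to stop the extra logging.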