- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-15-2020 06:09 AM - edited 06-15-2020 07:19 AM
Hi,
while using LDAP-S (port 636) on a PAN Firewall for a connection to an active directory on a Windows Server 2019 I have the problem that the Firewall just can't connect.
If I try the "test" command for testing the authentication profile I get this:
Authentication to LDAP server at [....] for user "ldap"
Egress: [.....]
Type of authentication: GSSAPI
Starting LDAPS connection...
Failed to create a session with LDAP server
Authentication failed against LDAP server at [...] for user "ldap"
Authentication failed for user "ldap"
Because it worked with Windows Server 2016 I took TCP Dumps and could observe that the working connection to the Windows Server 2016 used TLS1.2 while the connection to the Windows Server 2019 used TLS1.
Could it be that the NGFW refuses the connection because of the TLS1 ?
Best regards,
Marc
Edit: On the Windows Server 2019 I activated LDAP-S and can connect to the localhost over port 636. So that can not be the problem.
06-16-2020 12:14 AM
Hi,
thanks for your answer.
When I use LDAP over Port 389 everything works fine so the binding seems to be ok.
In addition to this Case I tried to connect over Port 636 to a Windows Server 2012 and 2016 what did work with no problems.
Only the connection to Windows Server 2019 does not work.
I think it has something to do with the Server using TLS1 by default.
I see this within the Windows Server 2019 options:
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( Win2008R2 );
dsServiceName: CN=NTDS Settings,CN=[...],CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=[...],DC=[...];
forestFunctionality: 7 = ( Win2008R2 );
Maybe it has something to do with the reference to the Windows Server 2008R2 build and that this Server somehow prefers TLS1
what the NGFW denies...But I have no proof or workaround so far.
Best regards,
Marc
09-15-2020 10:36 AM
I do not have a solution, but a possible work around. I am having the same problem getting LDAPS to work with our Email Gateway.
I installed Wireshark to troubleshoot and discovered that the npcap drivers, which I installed with Wireshark, actually fixed the problem. I could uninstall Wireshark and still connect to the domain controllers using LDAPS, but once I uninstalled npcap, LDAPS no longer worked.
This is not a solution I am comfortable with, but it may help set you on the right path to figuring out the root cause.
09-16-2020 02:31 AM
Hi Bob,
very kind of you to share this detail.
I will add this to our local knowledge base!
I am kind of ashamed that I did not share the solution that I had regarding this case.
The problem on my side was that without SSL Decryption the application default services won't work.
I fixed that and everything worked fine.
Have a great day!
Best regards,
Marc
01-31-2022 03:30 PM
Hi @Marc.Luecke ,
You are the man! Removing application default from my security poicy rule did the trick.
Thanks!
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!