LDAPS Authentication failed (LDAPS with TLS 1.0?)

L1 Bithead

LDAPS Authentication failed (LDAPS with TLS 1.0?)

Hi,

 

While using LDAPS (port 636) on a PAN firewall to connect to an Active Directory on a Windows Server 2019, I have the problem that the firewall just can't connect.

 

If I try the "test" command for testing the authentication profile, I get this:

 

Authentication to LDAP server at [....] for user "ldap"

Egress: [.....]

Type of authentication: GSSAPI

Starting LDAPS connection...

Failed to create a session with LDAP server

Authentication failed against LDAP server at [...] for user "ldap"

 

 

Authentication failed for user "ldap"

 

Because it worked with Windows Server 2016, I took TCP dumps and could observe that the working connection to the Windows Server 2016 used TLS 1.2, while the connection to the Windows Server 2019 used TLS 1.0.

 

Could it be that the NGFW refuses the connection because of TLS 1.0?

 

Best regards,

Marc

 

 

Edit: On the Windows Server 2019 I activated LDAPS and can connect to localhost over port 636, so that cannot be the problem.

 

 

L7 Applicator

Re: LDAPS Authentication failed (LDAPS with TLS 1.0?)

Is it worth dropping this back to 389 just to ensure comms and bind are all OK?

L1 Bithead

Re: LDAPS Authentication failed (LDAPS with TLS 1.0?)

Hi,

 

Thanks for your answer.

 

When I use LDAP over port 389 everything works fine, so the bind seems to be OK.

 

In addition to this case, I tried to connect over port 636 to a Windows Server 2012 and a 2016, which worked with no problems.

Only the connection to Windows Server 2019 does not work.

 

I think it has something to do with the server using TLS 1.0 by default.

I see this within the Windows Server 2019 options:

 

domainControllerFunctionality: 7 = ( WIN2016 ); 
domainFunctionality: 7 = ( Win2008R2 ); 
dsServiceName: CN=NTDS Settings,CN=[...],CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=[...],DC=[...]; 
forestFunctionality: 7 = ( Win2008R2 ); 

 

Maybe it has something to do with the reference to the Windows Server 2008 R2 build, and that this server somehow prefers TLS 1.0, which the NGFW denies... But I have no proof or workaround so far.

 

Best regards,

Marc
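The TCP dump observation in the thread (TLS 1.2 negotiated against the 2016 DC, TLS 1.0 against the 2019 DC) is worth checking mechanically rather than by eye, because capture tools often display the record-layer version hint instead of the version the server actually selected. The block below is an added example for this thread; it is not code from Marc's or the other poster's messages and not Palo Alto Networks or Microsoft code. It parses the negotiated version out of a raw TLS ServerHello record of the kind you can export from a capture of the 636/tcp connection, including the TLS 1.3 case where the real version sits in the supported_versions extension, and checks it against a minimum. The two sample records are constructed with the helper in the block to mirror the thread's two cases; they are not bytes from the thread's captures, and the cipher suite codes in them are illustrative.

```python
"""Determine the TLS version a server actually negotiated from the raw bytes
of its ServerHello, as pulled from a packet capture of an LDAPS (636/tcp)
connection. Added example for this thread; not code from the original posts."""
import struct
from typing import Optional

TLS_VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
TLS_1_0, TLS_1_2, TLS_1_3 = 0x0301, 0x0303, 0x0304

RECORD_HANDSHAKE = 0x16          # TLS record content type: handshake
HS_SERVER_HELLO = 0x02           # handshake message type: ServerHello
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions extension


def negotiated_tls_version(record: bytes) -> int:
    """Return the protocol version code the server selected in a ServerHello.

    For TLS 1.0 to 1.2 this is the server_version field of the ServerHello.
    A TLS 1.3 server freezes that field at 0x0303 and carries the real
    selection in the supported_versions extension, so that is checked too.
    The record-layer version in bytes 1..2 is deliberately ignored: it is
    only a compatibility hint and is what some capture tools display.
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != HS_SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:               # server_version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[0:2])

    pos = 34                          # skip server_version + random
    pos += 1 + hello[pos]             # session_id
    pos += 2 + 1                      # cipher_suite + compression_method
    if pos + 2 <= len(hello):         # extensions block is optional
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                (version,) = struct.unpack("!H", hello[pos:pos + 2])
                break
            pos += ext_len
    return version


def version_name(code: int) -> str:
    return TLS_VERSIONS.get(code, f"unknown (0x{code:04x})")


def meets_minimum(record: bytes, minimum: int = TLS_1_2) -> bool:
    """True if the server's choice is at least `minimum` (default TLS 1.2)."""
    return negotiated_tls_version(record) >= minimum


def build_server_hello(server_version: int, cipher_suite: int,
                       supported_version: Optional[int] = None) -> bytes:
    """Constructed sample data: assemble a minimal, well-formed ServerHello
    record so the parser can be exercised offline. Real captures carry a
    random 32-byte nonce and usually more extensions."""
    random = bytes(range(32))                      # fixed, constructed nonce
    exts = b""
    if supported_version is not None:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
    hello = (struct.pack("!H", server_version) + random
             + b"\x00"                                   # empty session_id
             + struct.pack("!H", cipher_suite) + b"\x00")  # null compression
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    record_version = TLS_1_0 if server_version == TLS_1_0 else TLS_1_2
    return (bytes([RECORD_HANDSHAKE])
            + struct.pack("!HH", record_version, len(handshake)) + handshake)


# Constructed stand-ins for the two captures described in the thread: the
# working 2016 DC negotiating TLS 1.2 and the failing 2019 DC at TLS 1.0.
# Cipher suite codes are illustrative (0xC030 ECDHE-RSA-AES256-GCM-SHA384,
# 0x002F RSA-AES128-CBC-SHA), not taken from the thread.
SAMPLE_2016 = build_server_hello(TLS_1_2, 0xC030)
SAMPLE_2019 = build_server_hello(TLS_1_0, 0x002F)


if __name__ == "__main__":
    for label, rec in (("2016 DC", SAMPLE_2016), ("2019 DC", SAMPLE_2019)):
        v = negotiated_tls_version(rec)
        print(f"{label}: {version_name(v)}; minimum TLS 1.2 met: {meets_minimum(rec)}")
```

To use this on a real capture, export the bytes of the server's first handshake record from the 636/tcp stream and pass them to negotiated_tls_version. One caveat a practitioner would want: a TLS server selects the highest version that both sides offered, so a TLS 1.0 ServerHello only tells you that the intersection of the two offers was TLS 1.0. The ClientHello in the same capture shows which side constrained it, and that is the record to compare between the 2016 and 2019 captures before concluding which end is refusing.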

 

 

 
