While using LDAPS (port 636) on a PAN firewall for a connection to an Active Directory on a Windows Server 2019, I have the problem that the firewall just can't connect.
If I try the "test" command for testing the authentication profile, I get this:
Authentication to LDAP server at [....] for user "ldap"
Type of authentication: GSSAPI
Starting LDAPS connection...
Failed to create a session with LDAP server
Authentication failed against LDAP server at [...] for user "ldap"
Authentication failed for user "ldap"
Because it worked with Windows Server 2016, I took TCP dumps and could observe that the working connection to the Windows Server 2016 used TLS 1.2, while the connection to the Windows Server 2019 used TLS 1.
Could it be that the NGFW refuses the connection because of the TLS 1?
Edit: On the Windows Server 2019 I activated LDAP-S and can connect to the localhost over port 636. So that can not be the problem.
Thanks for your answer.
When I use LDAP over port 389, everything works fine, so the binding seems to be OK.
In addition to this case, I tried to connect over port 636 to a Windows Server 2012 and 2016, which worked with no problems.
Only the connection to Windows Server 2019 does not work.
I think it has something to do with the server using TLS 1 by default.
I see this within the Windows Server 2019 options:
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( Win2008R2 );
dsServiceName: CN=NTDS Settings,CN=[...],CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=[...],DC=[...];
forestFunctionality: 7 = ( Win2008R2 );
Maybe it has something to do with the reference to the Windows Server 2008R2 build and that this server somehow prefers TLS 1,
which the NGFW denies... But I have no proof or workaround so far.
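The poster's evidence is a packet capture showing which TLS version the two domain controllers negotiated on port 636. The script below is an added example (not code from the thread, Palo Alto Networks or Microsoft) that does the same two checks from a workstation: it parses the ServerHello out of captured TLS bytes to read the version the server actually chose, and it actively probes an LDAPS endpoint one protocol version at a time so the offered versions can be compared between the 2016 and 2019 servers. The sample ServerHello bytes are constructed for the example, the host name is a placeholder, and it is assumed that "TLS1" in the capture means TLS 1.0.

```python
"""Check which TLS version an LDAPS (port 636) endpoint negotiates.

Two tools for the situation in the thread:
  1. negotiated_version_from_server_hello(): read the version chosen by the
     server out of raw bytes taken from a packet capture.
  2. probe_tls_versions(): connect to host:636 once per TLS version and
     report which ones the server accepts.
"""
import socket
import ssl
import struct
import sys

# (major, minor) as carried in the TLS record / handshake version fields.
TLS_VERSIONS = {
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}


def negotiated_version_from_server_hello(data: bytes) -> str:
    """Return the protocol version stated in the ServerHello in `data`.

    `data` is the TCP payload sent by the server, starting at the first
    TLS record (as you would copy it out of Wireshark / tcpdump -X).
    Note: a TLS 1.3 server writes 3.3 here and signals 1.3 in the
    supported_versions extension; this parser reports the legacy field.
    """
    if len(data) < 5 or data[0] != 0x16:  # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    record_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + record_len]
    # Handshake header: type(1) + length(3); ServerHello type is 0x02,
    # followed immediately by the 2-byte protocol version.
    if len(body) < 6 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    major, minor = body[4], body[5]
    return TLS_VERSIONS.get((major, minor), f"unknown ({major}.{minor})")


def _constructed_server_hello(major: int, minor: int) -> bytes:
    """Build a minimal, constructed ServerHello record for demonstration."""
    hello = (bytes([major, minor])   # server_version
             + b"\x00" * 32          # random (zeroed for the sample)
             + b"\x00"               # session_id length 0
             + b"\xc0\x2f"           # cipher suite (arbitrary sample value)
             + b"\x00")              # compression method null
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return (b"\x16" + bytes([major, minor])
            + len(handshake).to_bytes(2, "big") + handshake)


# Constructed samples standing in for bytes copied from the two captures.
SAMPLE_TLS12_SERVER_HELLO = _constructed_server_hello(3, 3)
SAMPLE_TLS10_SERVER_HELLO = _constructed_server_hello(3, 1)


def probe_tls_versions(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Try one handshake per TLS version; map version label -> 'ok' or reason.

    Certificate verification is disabled on purpose: this only asks which
    protocol versions the server offers, it is not a trust check.
    """
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        label = version.name
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = version
            ctx.maximum_version = version
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security
            # level; lower it so the probe reflects the server, not the client.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = f"ok ({tls.version()})"
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[label] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed captures.
    print("sample 1:", negotiated_version_from_server_hello(SAMPLE_TLS12_SERVER_HELLO))
    print("sample 2:", negotiated_version_from_server_hello(SAMPLE_TLS10_SERVER_HELLO))
    # Live probe, e.g.: python ldaps_tls_check.py dc2019.example.local
    if len(sys.argv) > 1:
        for label, outcome in probe_tls_versions(sys.argv[1]).items():
            print(f"{label:8s} {outcome}")
```

Run the probe against both domain controllers and compare the rows: if the 2019 server only answers "ok" for TLS 1.0 while the 2016 server answers for TLS 1.2, the capture observation is confirmed and the place to look is the Schannel protocol configuration on the 2019 server rather than the firewall's authentication profile.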