LDAP-S Authentication failed (LDAP-S with TLS1?)

L2 Linker

Hi,

While using LDAP-S (port 636) on a PAN firewall for a connection to an Active Directory on a Windows Server 2019, I have the problem that the firewall just can't connect.

If I try the "test" command for testing the authentication profile, I get this:
Authentication to LDAP server at [....] for user "ldap"

Egress: [.....]

Type of authentication: GSSAPI

Starting LDAPS connection...

Failed to create a session with LDAP server

Authentication failed against LDAP server at [...] for user "ldap"
Authentication failed for user "ldap"

Because it worked with Windows Server 2016, I took TCP dumps and could observe that the working connection to the Windows Server 2016 used TLS1.2, while the connection to the Windows Server 2019 used TLS1.

Could it be that the NGFW refuses the connection because of TLS1?
Best regards,

Marc

Edit: On the Windows Server 2019 I activated LDAP-S and can connect to localhost over port 636, so that cannot be the problem.

L7 Applicator

Is it worth dropping this back to 389 just to ensure comms and bind are all OK?

L2 Linker

Hi,

Thanks for your answer.

When I use LDAP over port 389 everything works fine, so the binding seems to be OK.

In addition to this case, I tried to connect over port 636 to a Windows Server 2012 and 2016, which worked with no problems.

Only the connection to Windows Server 2019 does not work.

I think it has something to do with the server using TLS1 by default.

I see this within the Windows Server 2019 options:

domainControllerFunctionality: 7 = ( WIN2016 ); 
domainFunctionality: 7 = ( Win2008R2 ); 
dsServiceName: CN=NTDS Settings,CN=[...],CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=[...],DC=[...]; 
forestFunctionality: 7 = ( Win2008R2 ); 

Maybe it has something to do with the reference to the Windows Server 2008R2 build and that this server somehow prefers TLS1, which the NGFW denies... But I have no proof or workaround so far.

Best regards,

Marc
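A quick way to test the TLS-version hypothesis from any host that can reach the domain controller is to probe port 636 once per protocol version with openssl s_client and read back what was negotiated. This is an added example, not code from the thread; it assumes an OpenSSL 1.1.1 or newer client and takes the DC host name as its first argument.

```shell
#!/bin/sh
# Probe which TLS versions an LDAPS endpoint (TCP 636) will negotiate.
# Added example for this thread; assumes openssl 1.1.1+ and network reach to the DC.

# Pull the negotiated protocol out of "openssl s_client" output
# (the "Protocol  : TLSv1.2" line of the SSL-Session block). Prints nothing on failure.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Classify one probe attempt: "accepted <proto>", "client-unsupported" (the local
# OpenSSL build refuses to offer that version at all), or "rejected" (no handshake).
classify_probe() {
    proto=$(negotiated_protocol "$1")
    if [ -n "$proto" ]; then
        echo "accepted $proto"
    elif printf '%s\n' "$1" | grep -q 'no protocols available'; then
        echo "client-unsupported"
    else
        echo "rejected"
    fi
}

# Try a single version against host:636.
# $1 = host, $2 = openssl version flag without the dash (tls1, tls1_1, tls1_2, tls1_3).
probe_version() {
    out=$(printf '' | openssl s_client -connect "$1:636" "-$2" 2>&1) || true
    echo "$2: $(classify_probe "$out")"
}

# Report every version. A DC that only completes the handshake on tls1 (what the
# tcpdump in the thread suggested) shows "rejected" for tls1_2 here.
ldaps_tls_report() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        probe_version "$1" "$v"
    done
}

# Usage: ./ldaps_tls_probe.sh dc01.example.internal   (host name is a placeholder)
if [ -n "$1" ]; then
    ldaps_tls_report "$1"
fi
```

If tls1_2 is accepted, the DC's TLS version is not what blocks the firewall, and the policy side (the application-default service and decryption point Marc later identified) is where to look next.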

L0 Member

I do not have a solution, but a possible workaround. I am having the same problem getting LDAPS to work with our Email Gateway.

I installed Wireshark to troubleshoot and discovered that the npcap drivers, which I installed with Wireshark, actually fixed the problem. I could uninstall Wireshark and still connect to the domain controllers using LDAPS, but once I uninstalled npcap, LDAPS no longer worked.

This is not a solution I am comfortable with, but it may help set you on the right path to figuring out the root cause.

L2 Linker

Hi Bob,

Very kind of you to share this detail.

I will add this to our local knowledge base!

I am kind of ashamed that I did not share the solution that I had regarding this case.

The problem on my side was that without SSL Decryption the application-default services won't work.

I fixed that and everything worked fine.

Have a great day!

Best regards,

Marc