LDAPS Falling back to LDAP


L1 Bithead

Our firewalls are configured for LDAPS on port 636 to our Windows DC. We have the require SSL/TLS option checked in the LDAP settings window. The useridd log shows:


2022-03-22 14:42:09.136 -0700 connecting to ldap://[dcserver]:636 with StartTLS...
2022-03-22 14:42:09.140 -0700 connecting to ldaps://[dcserver]:636 ...
2022-03-22 14:42:09.164 -0700 ldap cfg domain - LDAP connected to dcserver:636( index 0)

----

However, the DC server acting as LDAPS server is showing event ID: 2085 in Directory Service log with data: "the client and server cannot communicate, because they do not possess a common algorithm."

=======

The firewall appears to be working as expected, but the LDAPS server is throwing these warnings. How can I address the event ID warnings on the LDAPS server?


CISSP, CCSP, CISA, CISM

L5 Sessionator

Have you run a packet capture on the DC to see what cipher suites are being offered from the PA?

Hey @LeeSeeman,

It is strange to see "do not possess a common algorithm" with modern PanOS and Win Server versions.

What version of PanOS and DC are you running?


I don't believe there would be any difference, but have you tried using port 389 in the LDAP server profile in addition to having "require TLS/SSL" enabled? As you can see from the documentation, it seems that 389 + require SSL/TLS should use StartTLS.

[image attached: Astardzhiev_0-1648752108996.png]


I am surprised to see in your logs "2022-03-22 14:42:09.136 -0700 connecting to ldap://[dcserver]:636 with StartTLS.."

Anyway, again it doesn't make a lot of sense to have a difference, but you may want to try.
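Two checks that go with the question's useridd log and with the first reply's cipher-suite question, added here as an example and not code from the thread or from Palo Alto Networks. The first function parses the three log lines quoted above (embedded as a constructed sample) and flags the sequence the second reply found surprising: a StartTLS attempt against port 636, which did not connect, followed by an ldaps:// connection that did. StartTLS is an extended operation on a plaintext LDAP session (normally port 389), whereas port 636 expects a TLS handshake as the first bytes. The second function makes one TLS handshake per protocol version against a host and reports the cipher each version negotiated, which shows which versions and ciphers the DC will actually accept; the hostname "dcserver", port 636 and the five-second timeout are assumptions, and it has to be run from a machine that can reach the DC.

```python
"""Added example (not part of the thread): parse useridd connection lines and
probe which TLS versions a DC accepts on its LDAPS port."""
import re
import socket
import ssl
from typing import Dict, List, Optional

# Constructed sample: the three useridd lines quoted in the question.
SAMPLE_USERIDD_LOG = """\
2022-03-22 14:42:09.136 -0700 connecting to ldap://[dcserver]:636 with StartTLS...
2022-03-22 14:42:09.140 -0700 connecting to ldaps://[dcserver]:636 ...
2022-03-22 14:42:09.164 -0700 ldap cfg domain - LDAP connected to dcserver:636( index 0)
"""

# "connecting to ldap://[host]:port with StartTLS..." or "connecting to ldaps://[host]:port ..."
CONNECT_RE = re.compile(
    r"connecting to (?P<scheme>ldaps?)://\[?(?P<host>[^\]:/]+)\]?:(?P<port>\d+)"
    r"(?P<starttls>\s+with StartTLS)?"
)
# "LDAP connected to host:port( index N)"
CONNECTED_RE = re.compile(r"LDAP connected to (?P<host>[^:\s]+):(?P<port>\d+)")


def parse_useridd_log(text: str) -> List[dict]:
    """One record per 'connecting to' line; a later 'LDAP connected' line marks the
    most recent attempt to that host:port as the one that actually succeeded."""
    attempts: List[dict] = []
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            port = int(m.group("port"))
            starttls = m.group("starttls") is not None
            if starttls:
                mode = "starttls"
            elif m.group("scheme") == "ldaps":
                mode = "ldaps"
            else:
                mode = "plaintext"
            attempts.append({
                "host": m.group("host"), "port": port, "mode": mode,
                # StartTLS belongs on the plaintext port; 636 expects a TLS handshake first.
                "starttls_on_636": starttls and port == 636,
                "connected": False,
            })
            continue
        m = CONNECTED_RE.search(line)
        if m:
            key = (m.group("host"), int(m.group("port")))
            for a in reversed(attempts):
                if (a["host"], a["port"]) == key:
                    a["connected"] = True
                    break
    return attempts


def findings(attempts: List[dict]) -> List[str]:
    """Human-readable observations: StartTLS sent to 636, and fallback to ldaps:// after it."""
    out: List[str] = []
    for i, a in enumerate(attempts):
        target = f"{a['host']}:{a['port']}"
        if a["starttls_on_636"]:
            out.append(f"StartTLS attempted against {target}; StartTLS is for the plaintext "
                       f"port (389), 636 expects an immediate TLS handshake")
            later = [b for b in attempts[i + 1:]
                     if b["mode"] == "ldaps" and b["connected"]
                     and (b["host"], b["port"]) == (a["host"], a["port"])]
            if not a["connected"] and later:
                out.append(f"StartTLS attempt to {target} did not connect; useridd fell back "
                           f"to ldaps:// on the same port and succeeded")
    return out


def probe_tls_versions(host: str, port: int = 636, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Handshake once per TLS version; value is the negotiated cipher, or None if refused.
    Certificate verification is disabled on purpose: the question is protocol/cipher
    overlap, not whether the DC's certificate chains to a trusted CA."""
    results: Dict[str, Optional[str]] = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            # Refused by the DC, or the local OpenSSL no longer offers this version.
            results[version.name] = None
    return results


if __name__ == "__main__":
    for line in findings(parse_useridd_log(SAMPLE_USERIDD_LOG)):
        print(line)
    # Assumed hostname; uncomment where the DC is reachable:
    # print(probe_tls_versions("dcserver", 636))
```

A version that returns None for every entry usually means the local OpenSSL and the DC have no version in common at all, while None for TLSv1 and TLSv1_1 only is the normal result against a DC restricted to TLS 1.2+. Comparing the surviving cipher names with what the DC's Schannel configuration permits narrows down whether the "no common algorithm" warning comes from a protocol-version gap or from a cipher-suite gap.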
