This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

LDAPS Falling back to LDAP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LDAPS Falling back to LDAP

LeeSeeman
L1 Bithead

‎03-29-2022 02:11 PM

Our firewalls are configured for LDAPS on port 636 to our Windows DC. We have the require SSL/TLS option checked in the LDAP settings window. The useridd log shows:

 

2022-03-22 14:42:09.136 -0700 connecting to ldap://[dcserver]:636 with StartTLS...
2022-03-22 14:42:09.140 -0700 connecting to ldaps://[dcserver]:636 ...
2022-03-22 14:42:09.164 -0700 ldap cfg domain - LDAP connected to dcserver:636( index 0)

----

However, the DC server acting as LDAPS server is showing event ID: 2085 in Directory Service log with data: "the client and server cannot communicate, because they do not possess a common algorithm."

=======

The firewall appears to working as expected, but the LDAPS server is throwing these warnings. How can I address the event ID warnings on the LDAPS server?

 

CISSP, CCSP, CISA, CISM
0 Likes Likes
2 REPLIES 2

rmfalconer
L5 Sessionator

‎03-29-2022 04:13 PM

Have you run a packet capture on the DC to see what cipher suites are being offered from the PA?

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎03-31-2022 11:44 AM

Hey @LeeSeeman ,

It is strange to see "do not possess a common algorithm" with modern PanOS and Win Server versions.

What version of PanOS and DC are you running?

 

I don't believe there would be any difference, but have you tried to use port 389 in LDAP server profile in addition to "require TLS/SSL" enabled. As you can see from documentation it seems that 389 + require SSL/TLS  should use StartTLS

Astardzhiev_0-1648752108996.png

 

I am surprised to see in your logs "2022-03-22 14:42:09.136 -0700 connecting to ldap://[dcserver]:636 with StartTLS.."

Anyway again it doesn't make a lot of sense to have a difference, but way want to try.

0 Likes Likes
  • 2530 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks