03-29-2022 02:11 PM
Our firewalls are configured for LDAPS on port 636 to our Windows DC. We have the require SSL/TLS option checked in the LDAP settings window. The useridd log shows:
2022-03-22 14:42:09.136 -0700 connecting to ldap://[dcserver]:636 with StartTLS...
2022-03-22 14:42:09.140 -0700 connecting to ldaps://[dcserver]:636 ...
2022-03-22 14:42:09.164 -0700 ldap cfg domain - LDAP connected to dcserver:636( index 0)
----
However, the DC server acting as LDAPS server is showing event ID: 2085 in Directory Service log with data: "the client and server cannot communicate, because they do not possess a common algorithm."
=======
The firewall appears to working as expected, but the LDAPS server is throwing these warnings. How can I address the event ID warnings on the LDAPS server?
03-29-2022 04:13 PM
Have you run a packet capture on the DC to see what cipher suites are being offered from the PA?
03-31-2022 11:44 AM
Hey @LeeSeeman ,
It is strange to see "do not possess a common algorithm" with modern PanOS and Win Server versions.
What version of PanOS and DC are you running?
I don't believe there would be any difference, but have you tried to use port 389 in LDAP server profile in addition to "require TLS/SSL" enabled. As you can see from documentation it seems that 389 + require SSL/TLS should use StartTLS
I am surprised to see in your logs "2022-03-22 14:42:09.136 -0700 connecting to ldap://[dcserver]:636 with StartTLS.."
Anyway again it doesn't make a lot of sense to have a difference, but way want to try.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
