
LDAP Communication Lost to Active Directory Domain Controller

Symptom

Customers have reported issues with SecureAuth IdP communications to Active Directory Domain Controllers after applying Microsoft Security Advisory 2868725.

Applies to

SecureAuth IdP Version: 7.x+

OS Version (domain controller on a Windows Server running):

  • Windows Server 2003

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

Cause

On November 12, 2013, Microsoft released Security Advisory 2868725 to address known weaknesses in the RC4 cipher. This update removes RC4 as an available cipher on affected systems through registry settings.

With the RC4 ciphers disabled, the only usable ciphers left for this communication are AES 128/128 and AES 256/256. Active Directory Domain Controllers running Windows Server 2003, or in a domain at the Windows Server 2003 functional level, cannot use the AES ciphers. Thus, once the patch is applied to a SecureAuth IdP appliance, no mutually supported cipher remains and communication with those domain controller(s) fails.

Resolution

Use either of these solutions to resolve this issue:

  • Remove the Microsoft Security Advisory 2868725 patch from the SecureAuth system. This reverses the registry entries and restores communication with the domain controller.

  • Raise the Active Directory domain functional level to "Windows Server 2008" or greater so that the AES ciphers can be used.
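Before choosing between the two options, it helps to confirm that both halves of the condition described under Cause are actually present on the IdP host. The following PowerShell check is an added example, not SecureAuth's own tooling: it reads the SCHANNEL RC4 cipher keys that the 2868725 update sets to Enabled=0, and reads the current domain functional level through .NET. It assumes it is run in an elevated PowerShell session on a domain-joined SecureAuth IdP appliance that can reach a domain controller.

```powershell
# Added example (not SecureAuth's code): report whether RC4 has been disabled by the
# 2868725 registry settings and whether the domain functional level can use AES.
# Assumes an elevated session on a domain-joined host that can reach a DC.

# Cipher subkeys the 2868725 update populates with Enabled = 0 to switch RC4 off.
# The names contain '/', which the HKLM: provider treats as a path separator, so
# the .NET registry API is used instead of Get-ItemProperty.
$rc4Keys    = @('RC4 128/128', 'RC4 56/128', 'RC4 40/128')
$cipherPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-Rc4CipherState {
    foreach ($name in $rc4Keys) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$cipherPath\$name")
        if ($null -eq $key) {
            # No key at all means the patch has not written its settings here.
            [pscustomobject]@{ Cipher = $name; Enabled = $null; State = 'not set (default)' }
            continue
        }
        $enabled = $key.GetValue('Enabled')   # 0 = disabled, 0xffffffff (-1) = enabled
        $key.Close()
        $state = if ($enabled -eq 0) { 'DISABLED by registry' } else { 'enabled' }
        [pscustomobject]@{ Cipher = $name; Enabled = $enabled; State = $state }
    }
}

# Domain functional levels below Windows Server 2008 cannot negotiate the AES ciphers.
$pre2008Modes = 'Windows2000MixedDomain', 'Windows2000NativeDomain',
                'Windows2003InterimDomain', 'Windows2003Domain'

function Test-DomainSupportsAes {
    $mode = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode
    [pscustomobject]@{ DomainMode = "$mode"; SupportsAes = ($pre2008Modes -notcontains "$mode") }
}

$ciphers = Get-Rc4CipherState
$domain  = Test-DomainSupportsAes
$ciphers | Format-Table -AutoSize
$domain  | Format-Table -AutoSize

$rc4Disabled = @($ciphers | Where-Object { $_.Enabled -eq 0 }).Count -gt 0
if ($rc4Disabled -and -not $domain.SupportsAes) {
    Write-Warning 'RC4 is disabled and the domain functional level is below Windows Server 2008: no common cipher with the DC. Apply one of the resolutions above.'
} else {
    Write-Host 'No RC4/AES mismatch between this host and the domain functional level.'
}
```

If only the cipher half is reported, removing the patch is the quicker fix; if the domain level is the limiting factor and the patch is wanted, raising the functional level is the durable one.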

References