LDAP Communication Lost to Active Directory Domain Controller
Symptom
Customers have reported issues with SecureAuth IdP communications to Active Directory Domain Controllers after applying Microsoft Security Advisory 2868725.
Applies to
Domain controller on a Windows Server running
SecureAuth IdP Version | OS Version
---|---
7.x+ |
Cause
On November 12, 2013, Microsoft released Security Advisory 2868725 to address known weaknesses in the RC4 cipher. This update removes RC4 as an available cipher on affected systems through registry settings.
With the RC4 ciphers disabled, the only usable ciphers left for communication are AES 128/128 and AES 256/256. Active Directory Domain Controllers running Windows Server 2003, or operating at the Windows Server 2003 domain functional level, are unable to communicate using the AES ciphers. Thus, if the patch is applied to a SecureAuth IdP appliance, no mutually supported cipher will be available and communication with the domain controller(s) will no longer be possible.
Resolution
Use either of these solutions to resolve this issue:
Remove the Microsoft Security Advisory 2868725 patch from the SecureAuth system. This reverses the registry entries and restores communication with the domain controller.
Update the Active Directory infrastructure to functional level "Windows Server 2008" or greater to allow use of the AES ciphers.
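To confirm that an appliance is in this state before choosing between the two resolutions, the following PowerShell script is an added example (not SecureAuth tooling). It reads the SCHANNEL RC4 cipher keys that the advisory sets to Enabled = 0 and compares them with the domain functional level seen by the appliance; it assumes the appliance is domain-joined and the account running it can read HKLM.

```powershell
# Added example, not SecureAuth's own code. Reports whether RC4 has been
# disabled by advisory 2868725 and whether the domain functional level is
# still below Windows Server 2008, i.e. the mismatch this article describes.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# These key names contain "/", which the PowerShell registry provider treats
# as a path separator, so the .NET registry API is used instead of Get-ItemProperty.
$rc4Keys = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'

$rc4Disabled = $false
foreach ($name in $rc4Keys) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ciphersPath\$name")
    if ($null -eq $key) {
        Write-Output "$name : key absent (cipher enabled by default)"
        continue
    }
    # DWORD Enabled: 0 = disabled (what the update writes); absent or 0xffffffff = enabled
    $enabled = $key.GetValue('Enabled')
    $key.Close()
    if ($enabled -eq 0) {
        Write-Output "$name : Enabled = 0 (disabled by the update)"
        $rc4Disabled = $true
    } else {
        Write-Output "$name : Enabled = $enabled (enabled)"
    }
}

# Domain functional level, read from the appliance's own domain membership.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$mode = $domain.DomainMode
Write-Output "Domain $($domain.Name) functional level: $mode"

# Functional levels below Windows Server 2008 are the ones that cannot
# negotiate an AES cipher with the IdP.
$pre2008 = 'Windows2000MixedDomain', 'Windows2000NativeDomain',
           'Windows2003InterimDomain', 'Windows2003Domain'

if ($rc4Disabled -and ($pre2008 -contains "$mode")) {
    Write-Warning 'RC4 is disabled on this appliance and the domain functional level is below 2008: no mutually supported cipher. Raise the functional level or remove the update.'
} else {
    Write-Output 'No RC4 / functional-level mismatch detected.'
}
```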
References
More information about the Security Advisory 2868725 patch can be found in the Microsoft document Security Advisory (2868725) Update for Disabling RC4.
Refer to Understanding Active Directory Domain Services (AD DS) Functional Levels for information about AD Domain Controllers on/for Windows 2003 that are unable to communicate using the AES ciphers.