Client unable to bind to LDAPs through LTM virtual for LDAPS
Hi Kevin,
Today we found the issue and wanted to share it on this thread. The issue appears to be a problem with Microsoft AD. Microsoft AD is not behaving correctly when the client requests a TLS1.2 connection, and the AD LDAP certificate is signed with RSA-SHA256.
If the certificate is signed with RSA-SHA1, no problem with TLS1.2.
Although this appears to be an AD problem, the solution we implemented was to disable TLS1.2 from the protocol list on the server SSL profile: "!TLS1_2".
Now F5 negotiates over TLS1.1 and everything works.
The reason it was working when we did not decrypt at the F5 was because the client application was negotiating using TLS1.1 all along while the F5 was using TLS1.2 when we enabled the serverssl profile.
In a previous post I mentioned that one of the scenarios with re-encryption was working with plain text on the client side, but after today we think we might have got lost in the dozen test cases we had gone through.
Thanks a lot for engaging.
Pat
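As an added diagnostic example (not part of Pat's post and not F5 or Microsoft tooling): a small Python script that pins a handshake to one TLS version and reports whether the LDAPS server's certificate is signed with sha1WithRSAEncryption or sha256WithRSAEncryption, so the combination described above can be confirmed before changing the server SSL profile. The host and port are assumptions; the DER samples at the bottom are constructed placeholders, not real certificates.

```python
import socket
import ssl

# OIDs for the two RSA signature algorithms contrasted in the thread.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Name the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    _, start, _ = _tlv(der, 0)               # outer SEQUENCE
    _, _, tbs_end = _tlv(der, start)         # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "expected an OID inside AlgorithmIdentifier"
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def probe(host, port, version):
    """Handshake pinned to one TLS version; return (ok, sig_alg_or_error)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: fetch the cert, do not trust it
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, signature_algorithm(tls.getpeercert(binary_form=True))
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, str(exc)

# Constructed minimal DER (empty tbsCertificate, dummy signature) for offline checks.
SAMPLE_SHA256_DER = bytes.fromhex("3015" "3000" "300d06092a864886f70d01010b0500" "030200ff")
SAMPLE_SHA1_DER = bytes.fromhex("3015" "3000" "300d06092a864886f70d0101050500" "030200ff")

if __name__ == "__main__":  # assumed host/port for an LDAPS domain controller
    for v in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print(v.name, probe("dc01.example.internal", 636, v))
```

A server that answers on TLS1.1 but fails on TLS1.2 while reporting sha256WithRSAEncryption reproduces the symptom from the post; re-issuing the certificate or changing the profile can then be decided on evidence rather than by trial.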