LM-Rafael
Collaborator

CheckPoint Quantum 1600 Cluster stronger authentication required

Hi,

I have a Quantum 1600 device which I need to authenticate against the new Windows Server 2025 AD server. But I can only enter an IP address, so it is not possible to successfully connect my appliance to the LDAPS Windows server. I get the error "Stronger authentication required". I can enter only an IP address, no hostname or FQDN, and this is the reason the authentication fails against the AD server.

What can I do to solve this issue?

Thanks for your help,

Rafael

27 Replies
PhoneBoy
Admin

By what evidence do you conclude "I can enter only IP address, no Hostname or FQDN, and this is the reason the authentication fails against the AD Server"?

According to a TAC case with a similar error, we only support LDAP simple binds and you need to disable LDAP server signing.
See: https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/enable-ldap-signing-in-window...

LM-Rafael
Collaborator

Hi PhoneBoy,

On the Windows Server 2022 Test AD Server, everything is running fine, and I can connect my firewall using LDAP. However, with the 2025 Datacenter AD Server, it is not possible, and I get the following error (see picture_1) when I click "Discover."

I have disabled the forced LDAPS requirement, but this did not resolve the issue. The output from LDP.exe confirms that access on port 389 without SSL is possible.

Where am I making a mistake?

Thanks and best regards,
Rafael

PhoneBoy
Admin

Have you disabled LDAP Server Signing as mentioned in the article I linked?

LM-Rafael
Collaborator

Hi PhoneBoy,

No, I only have problems when I disable LDAP server signing.

With Server 2022 everything is running fine (a separate dev environment).

Do you have another article on disabling server signing?

Thanks

Rafael

LM-Rafael
Collaborator

Hi PhoneBoy,

I have tried to enable simple bind, but I think it is not possible on Windows Server 2025. I have tried 3 different how-tos unsuccessfully. ldp.exe tells me: "This server needs stronger Authentication."

What can I do now?

Thanks

Rafael

Chris_Atkinson
Employee

If you're already using R81.10.15 and this isn't working please report the issue to TAC for investigation.

Pending their feedback and consultation with R&D, it may require an RFE.

CCSM R77/R80/ELITE
G_W_Albrecht
Legend

Maybe this can be resolved by disabling LDAP Server Signing, but our customer does not want to do that! So we have opened an SR# for him...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

TAC responded:

As a first step, it is recommended to upgrade the firmware on the device to a newer version, R81.10.17. You can download the firmware image from the following link:
R81.10.17 Download link for 1530.

Please let me know if the issue persists after the firmware upgrade.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

Of course, the upgrade did not resolve the issue and the SR# has no solution yet - and the customer is not willing to disable LDAP server signing, as this would mean lowering security on one end to get more security on the other. Also, it looks like this procedure does not resolve the issue in all cases, if I sum up the discussion above. @Amir_Ayalon, any comments?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

Can you confirm that this is an issue relevant to GAiA Embedded only? TAC did not mention that GAiA has the same issue, so if this is SMB only, please move the post to SMB!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

This seems like it's just SMB related.
Probably should have moved this post earlier 🙂

G_W_Albrecht
Legend

I have news from R&D: the issue impacts Gaia devices as well.

We would like to inform you that Windows Server 2025 is currently not officially supported for Active Directory integration with the gateway. When attempting to connect the gateway to an AD server running Windows Server 2025, the integration fails during the LDAP bind phase (simple bind).

Our teams are actively working on delivering a solution for this issue.

However, please note that we do not have an estimated timeline at this stage, so this is currently considered a limitation.

As a temporary workaround, you may choose to disable LDAP signing. Please be aware that this is not recommended due to the associated security risks.

Alternatively, we recommend using a supported version such as Windows Server 2022.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
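As an added illustration (not code from this thread, from Check Point or from Microsoft), here is a stdlib-only Python encoder/decoder for the LDAP simple bind and BindResponse (RFC 4511 BER). It shows what PhoneBoy's "simple bind" remark and the R&D statement above mean on the wire: the "Stronger authentication required" message is LDAP resultCode 8, strongerAuthRequired, which a DC that enforces LDAP signing returns for a clear-text simple bind on port 389. The sample response bytes and their diagnostic text are constructed, not captured from a Windows Server 2025 DC.

```python
# LDAP resultCode values (RFC 4511, section 4.1.9) that matter in this thread
RESULT_CODES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials"}

def ber_tlv(tag, payload):
    """BER tag-length-value, definite length (payloads up to 65535 bytes)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def build_simple_bind(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    The password travels in clear text, so a DC that enforces LDAP signing rejects
    this bind on plain port 389 but accepts it over TLS. message_id must be < 128."""
    bind = ber_tlv(0x02, b"\x03") + ber_tlv(0x04, bind_dn.encode()) + ber_tlv(0x80, password.encode())
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ber_tlv(0x60, bind))

def ber_read(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                       # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (resultCode, code name, diagnosticMessage) from a BindResponse message."""
    _, body, _ = ber_read(data)              # outer LDAPMessage SEQUENCE
    _, _msg_id, pos = ber_read(body)         # skip messageID
    tag, resp, _ = ber_read(body, pos)
    if tag != 0x61:                          # [APPLICATION 1] = BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = ber_read(resp)            # ENUMERATED resultCode
    _, _matched_dn, pos = ber_read(resp, pos)
    _, diag, _ = ber_read(resp, pos)
    rc = int.from_bytes(code, "big")
    return rc, RESULT_CODES.get(rc, f"code {rc}"), diag.decode("utf-8", "replace")

# Constructed sample of what a signing-enforcing DC returns to a clear-text simple
# bind; the diagnostic text is a placeholder, not a real Windows DSID message.
SIGNING_REQUIRED_RESPONSE = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + ber_tlv(0x61,
    ber_tlv(0x0A, b"\x08") + ber_tlv(0x04, b"") + ber_tlv(0x04, b"constructed: signing or TLS required")))

def diagnose(response):
    """Operator-facing meaning of the bind result, as discussed in this thread."""
    rc, name, diag = parse_bind_response(response)
    if rc == 8:
        return "signing enforced: clear-text simple bind refused; use LDAPS or disable signing"
    return f"{name}: {diag}"
```

Feeding a real BindResponse captured from your own DC into parse_bind_response tells you whether the failure is the signing policy (code 8) or simply bad credentials (code 49).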
PhoneBoy
Admin

Do you have an SR I can review on this?

G_W_Albrecht
Legend

Not ready yet - but I will PM the SR#.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Tom_Hinoue
Advisor

I got a different answer regarding the recommended supported version in my SR: R&D advised using Windows Server 2019 and below, which is the supported version, not 2022. Hope we get clear answers soon.

G_W_Albrecht
Legend

Your answer was not so very different - TAC told us to use versions older than Server 2025, on June 16th:

Our teams are actively working on delivering a solution for this issue.

However, please note that we do not have an estimated timeline at this stage, so this is currently considered a limitation.

As a temporary workaround, you may choose to disable LDAP signing. Please be aware that this is not recommended due to the associated security risks.

Alternatively, we recommend using a supported version such as Windows Server 2022.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

Still no SK and no fix available! @itayravenna, any news yet?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
itayravenna
Employee

Hi @G_W_Albrecht, thanks for tagging me.
Our dev team is currently working on a fix.
We don’t have an ETA yet, but I’ve bookmarked this CheckMates thread and will post an update as soon as there’s news.

G_W_Albrecht
Legend

Is an SK available?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
itayravenna
Employee

Hi @G_W_Albrecht ,

We didn't publish an SK about it, no.

But we are actively working on fixing the WIN 25 integration.

G_W_Albrecht
Legend

Still nothing from R&D - no SK, nothing 😞

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend

TAC is currently preparing the documentation on the limitation for Windows Server 2025. The first statement was that there is a limitation with Windows Server 2025. As a workaround, the options available are to either work with older versions or disable LDAP signing.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
LM-Rafael
Collaborator

Hi everyone,

I was able to resolve the issue by installing the latest Gaia Embedded firmware on the 1600 appliance and configuring Entra ID integration.
Now, users can connect via VPN, and authentication is handled through Microsoft Entra with two-factor authentication.

I'm very happy with this solution.

G_W_Albrecht
Legend

So the issue is not resolved; it is working now because you changed from DC LDAPS to Entra ID...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
ixy
Explorer

Hi Everyone,

I am planning to build Windows Server 2025 for a new customer and set up authentication integration between the server and Quantum Spark for RA VPN.
However, based on this thread, it seems that this may not work properly yet.
I don’t have experience enabling the RADIUS server feature on Windows Server, so if authentication via RADIUS is possible as an alternative, I would like to consider that option.
Has anyone tried RADIUS authentication instead of LDAP?

G_W_Albrecht
Legend

See https://community.checkpoint.com/t5/General-Topics/Thales-Mandatory-Security-Update-STA-RADIUS-Serve...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

Even if you use RADIUS for authentication, LDAP is still necessary to get information about user groups.
