LM-Rafael
Collaborator

CheckPoint Quantum 1600 Cluster stronger authentication required

Hi,

I have a Quantum 1600 device which I need to authenticate against the new Windows Server 2025 AD Server. But I can only enter an IP address, and so it is not possible to successfully connect my appliance with the LDAPS Windows Server. I get the error "Stronger authentication required". But I can enter only an IP address, no hostname or FQDN, and this is the reason the authentication fails against the AD Server.

What can I do to solve this issue?

Thanks for the help

Rafael

 

 

 

0 Kudos
9 Replies
PhoneBoy
Admin

By what evidence do you conclude "I can enter only IP address, no Hostname or FQDN, and this is the reason the authentication fails against the AD Server"?

According to a TAC case with a similar error, we only support LDAP simple binds and you need to disable LDAP server signing.
See: https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/enable-ldap-signing-in-window...

0 Kudos
LM-Rafael
Collaborator

Hi PhoneBoy,

On the Windows Server 2022 Test AD Server, everything is running fine, and I can connect my firewall using LDAP. However, with the 2025 Datacenter AD Server, it is not possible, and I get the following error (see picture_1) when I click "Discover."

I have disabled the forced LDAPS requirement, but this did not resolve the issue. The output from LDP.exe confirms that access on port 389 without SSL is possible.

Where am I making a mistake?

Thanks and best regards,
Rafael

0 Kudos
PhoneBoy
Admin

Have you disabled LDAP Server Signing as mentioned in the article I linked?

0 Kudos
LM-Rafael
Collaborator

Hi PhoneBoy,

No, I only have problems when I disable LDAP server signing.

With Server 2022 everything is running fine (a separate dev environment).

Do you have another article for disabling server signing?

Thanks

Rafael

0 Kudos
LM-Rafael
Collaborator

Hi PhoneBoy,

I have tried to enable simple bind, but I think it is not possible on Windows Server 2025. I have tried 3 different how-tos unsuccessfully. ldp.exe tells me -> This server needs stronger Authentication.

What can I do now?

Thanks

Rafael

0 Kudos
Chris_Atkinson
Employee

If you're already using R81.10.15 and this isn't working, please report the issue to TAC for investigation.

Pending their feedback and consultation with R&D, it may require an RFE.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
Legend

Maybe this can be resolved by disabling LDAP Server Signing, but our customer does not want to do that! So we have opened an SR# for him...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

TAC responded:

As a first step, it's recommended to perform a firmware version upgrade on the device to a newer version, R81.10.17. You can download the firmware image from the following download link:
R81.10.17 Download link for 1530.

Please let me know if the issue persists after the firmware upgrade.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Of course, the upgrade did not resolve the issue and the SR# has no solution yet, and the customer is not willing to disable LDAP server signing, as this would mean lowering security on one end to get more security on the other. Also, it looks like this procedure does not resolve the issue in all cases, if I sum up the discussion above. @Amir_Ayalon, any comments?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
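
The "Stronger authentication required" message discussed in this thread corresponds to LDAP result code 8 (strongerAuthRequired in RFC 4511), which a directory server returns in its BindResponse when it will not accept the bind as offered. The following is an added example, not part of the thread and not Check Point or Microsoft code: a small decoder that reads the result code and the server's diagnostic text from a BindResponse taken from a packet capture of the failing bind. The sample packet and its diagnostic string are constructed for illustration.

```python
# Added example: decode an LDAP BindResponse (RFC 4511 section 4.2.2).
RESULT_CODES = {0: "success", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 13: "confidentialityRequired",
                49: "invalidCredentials"}

def tlv(tag, payload):
    """Encode one BER element with a definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + payload

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the element starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                      # long form: next k bytes hold the length
        k = first & 0x7F
        length = int.from_bytes(buf[off:off + k], "big")
        off += k
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[off:off + length], off + length

def parse_bind_response(packet):
    """Pull messageID, resultCode and diagnosticMessage out of one LDAPMessage."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, off = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, off)
    if op_tag != 0x61:                    # [APPLICATION 1] = BindResponse
        raise ValueError("not a BindResponse")
    _, code, off = read_tlv(op, 0)        # resultCode ENUMERATED
    _, _dn, off = read_tlv(op, off)       # matchedDN, unused here
    _, diag, _ = read_tlv(op, off)        # diagnosticMessage
    code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "code": code,
            "name": RESULT_CODES.get(code, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}

# Constructed sample, not captured traffic: messageID 1, resultCode 8.
DIAG = b"constructed sample: bind refused, signing or TLS required"
SAMPLE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61,
         tlv(0x0A, b"\x08") + tlv(0x04, b"") + tlv(0x04, DIAG)))
```

Calling `parse_bind_response(SAMPLE)` returns code 8 with the name `strongerAuthRequired`; on a real capture the diagnostic field carries the directory server's own explanation of why the bind was refused.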
