KB Article | Forcepoint Support

Notes & Warnings

Additional information:
  • LDAP supports two kinds of bind calls, Simple_Bind and SASL (Simple Authentication and Security Layer). Websense uses LDAP_Simple_Bind requests to connect to the Domain Controller/LDAP Server.
    • Simple_Bind calls can either be anonymous over port 389, or a username and password can be passed to the Domain Controller/LDAP Server to obtain more information (such as user/group membership).
    • SASL is a much stronger authentication method that can require a signed certificate or other method of authenticating the user, which Websense is not able to supply.

 
LAN Manager authentication level

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Description: Determines which challenge/response authentication protocol is used for network logons. The choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:

  • Send LM & NTLM responses: Clients use LM and NTLM authentication, and never use NTLMv2 session security; DCs accept LM, NTLM, and NTLMv2 authentication.
  • Send LM & NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; DCs accept LM, NTLM, and NTLMv2 authentication.
  • Send NTLM response only: Clients use NTLM authentication only, and use NTLMv2 session security if the server supports it; DCs accept LM, NTLM, and NTLMv2 authentication.
  • Send NTLMv2 response only: Clients use NTLMv2 authentication only, and use NTLMv2 session security if the server supports it; DCs accept LM, NTLM, and NTLMv2 authentication.
  • Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only, and use NTLMv2 session security if the server supports it; DCs refuse LM (accept only NTLM and NTLMv2 authentication).
  • Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only, and use NTLMv2 session security if the server supports it; DCs refuse LM and NTLM (accept only NTLMv2 authentication).

The default setting for servers is "Send LM & NTLM responses".

Problem Description

Why can't I connect to my AD Server? I am trying to add Directory Objects/Clients. The Websense.log file is showing the following error:
WebsenseUserService,User Service (Directory Service Component),WsDSLdapDirService.cpp:3487,0x41480004,An error occurred while binding to the directory server. ldap_simple_bind: Strong(er) authentication required [<IP ADDRESS>, 3268, dom\websensesvc]

In ESG this error shows as "Unknown Reason". Running a packet capture from the appliance will show “Strong Authentication Required”.
 

Resolution

For the error shown, the Domain Controller/LDAP Server does not accept the LDAP_Simple_Bind request that Websense uses to connect to it. Websense relies on LDAP_Simple_Bind requests to connect to the directory and pull user/group information, so you need to modify the Domain Controller security settings to allow this type of authentication.
 
The "Unknown Reason" error is returned when the Domain Controller's default LAN Manager authentication level setting is set to Require Signing (as opposed to Negotiate Signing) or to Refuse LM & NTLM Connections. This setting is applied automatically by the Hisecdc.inf security template, which enforces it through Group Policy. To change the security setting:
  1. Click Start > Run > gpedit.msc
  2. In the Group Policy Object Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  3. In this section, locate the following entries:
    • Domain controller: LDAP server signing requirements
    • Network security: LDAP client signing requirements
  4. To enable simple binds, set the above as follows:
    • Domain controller: LDAP server signing requirements = None
    • Network security: LDAP client signing requirements = Negotiate
If your security policies require that the LDAP server signing requirements remain enabled, ensure that SMB signing is also enabled in Active Directory. This allows Websense to connect using SSL.

Once SMB signing is enabled in Active Directory, ensure that SSL is enabled and that you are connecting to the Global Catalog Server over port 3269 in the TRITON - Web Security directory settings. To check this, go to Settings > Directory Server > Advanced Directory Settings.
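As an added check (not Forcepoint's own tooling), the PowerShell below audits the settings this article names on a domain controller and tests the LDAPS Global Catalog port, so you can verify the second option (keep server signing, connect over SSL on 3269) before lowering LDAP server signing to None. It assumes an elevated session on the DC and a placeholder hostname `dc01.example.com`; the registry paths are the documented backing values for the listed policies.

```powershell
# Added audit script (not Forcepoint tooling). Reads the registry values behind the
# Group Policy entries named in this article; $dc is an assumed placeholder.
$checks = @(
    @{ Name = 'Domain controller: LDAP server signing requirements'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Map = @{ 0 = 'None'; 2 = 'Require signing' } },
    @{ Name = 'Network security: LDAP client signing requirements'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Value = 'LDAPClientIntegrity'; Map = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' } },
    @{ Name = 'Network security: LAN Manager authentication level'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'
       Map = @{ 0 = 'Send LM & NTLM responses'
                1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
                2 = 'Send NTLM response only'
                3 = 'Send NTLMv2 response only'
                4 = 'Send NTLMv2 response only\refuse LM'
                5 = 'Send NTLMv2 response only\refuse LM & NTLM' } },
    @{ Name = 'Microsoft network server: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Map = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
)
foreach ($c in $checks) {
    # A missing value means the policy is not configured and the OS default applies.
    $raw = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($null -eq $raw)                    { $label = 'not configured (OS default)' }
    elseif ($c.Map.ContainsKey([int]$raw)) { $label = $c.Map[[int]$raw] }
    else                                   { $label = "unrecognised value $raw" }
    '{0} = {1}' -f $c.Name, $label
}

# LDAPS handshake against the Global Catalog port: the path to prefer when server
# signing must stay at "Require signing" instead of being lowered to None.
function Test-LdapsGlobalCatalog {
    param([string]$Server, [int]$Port = 3269)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)   # throws if no trusted server certificate is offered
        [pscustomobject]@{ Server = $Server; Port = $Port; Protocol = $ssl.SslProtocol
                           Subject = $ssl.RemoteCertificate.Subject
                           NotAfter = $ssl.RemoteCertificate.GetExpirationDateString() }
    } finally { $tcp.Close() }
}
$dc = 'dc01.example.com'   # placeholder: your Global Catalog server
Test-LdapsGlobalCatalog -Server $dc
```

If the handshake throws, the DC has no trusted server certificate for LDAPS, which is the usual reason the port 3269 connection from TRITON fails after signing is left at Require.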

keywords: ldap; authentication; protocol; policy configuration; bind
