Error: "Strong(er) authentication required" - Unable to connect to AD Server
- Article Number: 000003179
- Products: Email Security Gateway, Email Security Gateway Anywhere, Forcepoint Email Security, Forcepoint URL Filtering, Forcepoint Web Security, TRITON AP-EMAIL, TRITON AP-WEB, Web Filter & Security, Web Security Gateway, Web Security Gateway Anywhere, Web Security and Web Filter
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.1, 7.0
- Last Published Date: September 17, 2018
Notes & Warnings
Description of the LAN Manager authentication level setting: Determines which challenge/response authentication protocol is used for network logons. The choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
The default setting for servers is Send LM & NTLM responses.
Why can't I connect to my AD Server? I am trying to add Directory Objects/Clients. The Websense.log file is showing the following error:
WebsenseUserService,User Service (Directory Service Component),WsDSLdapDirService.cpp:3487,0x41480004,An error occurred while binding to the directory server. ldap_simple_bind: Strong(er) authentication required [<IP ADDRESS>, 3268, dom\websensesvc]
In ESG this error shows as "Unknown Reason". Running a packet capture from the appliance will show "Strong Authentication Required".
For the error shown, the Domain Controller/LDAP server does not accept the LDAP simple bind (LDAP_Simple_Bind) request that Websense uses to connect to it. Websense uses LDAP simple bind requests to connect to the directory and pull user/group information, so you need to modify the Domain Controller security settings to allow this type of authentication.
The "Unknown Reason" error is returned when the Domain Controller's default LAN Manager authentication level setting is set to Require Signing (as opposed to Negotiate Signing) or to Refuse LM & NTLM Connections. This setting is applied automatically by the Hisecdc.inf security template, which enforces it through Group Policy. To change the security setting:
Once SMB Signing is enabled in Active Directory, ensure that SSL is enabled and that you are connecting to the Global Catalog server over port 3269 in the TRITON - Web Security directory settings. To check this, go to Settings > Directory Server > Advanced Directory Settings.
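As an added example that is not part of the Forcepoint article, the following Python script scans Websense.log lines for the bind failure quoted above, extracts the directory server, port and bind account, and flags simple binds on the cleartext ports (389/3268) that the article resolves by enabling SSL to the Global Catalog on 3269. The sample lines are constructed from the single entry quoted above (192.0.2.10 is a documentation address); the field layout of the regex and the port-to-protocol mapping are assumptions drawn from that entry and the standard Active Directory LDAP ports.

```python
import re
from typing import Dict, List, Optional

# Matches the WsDSLdapDirService bind-error line quoted in the article: three
# comma-separated prefix fields, a hex code, the message, then "[host, port, bind account]".
BIND_ERROR_RE = re.compile(
    r"[^,]+,[^,]+,[^,]+,(?P<code>0x[0-9A-Fa-f]+),(?P<message>.*?)"
    r"\[(?P<host>[^,\]]+),\s*(?P<port>\d+),\s*(?P<bind_dn>[^\]]+)\]\s*$"
)
# AD serves cleartext LDAP on 389/3268 and LDAP over SSL on 636/3269.
PLAIN_PORTS = {389: "LDAP", 3268: "Global Catalog (LDAP)"}
SSL_PORTS = {636: "LDAPS", 3269: "Global Catalog (LDAPS)"}


def parse_bind_failure(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields plus advice for a directory-bind error line, else None."""
    m = BIND_ERROR_RE.match(line.strip())
    if not m or "binding to the directory server" not in m.group("message"):
        return None
    port = int(m.group("port"))
    strong = "Strong(er) authentication required" in m.group("message")
    encrypted = port in SSL_PORTS
    if strong and not encrypted:
        # The DC refused a simple bind on a cleartext channel: the case the
        # article fixes by enabling SSL to the Global Catalog on port 3269.
        advice = (f"simple bind on port {port} ({PLAIN_PORTS.get(port, 'non-standard')}) "
                  "refused; enable SSL and use port 3269 in Advanced Directory Settings")
    elif strong:
        advice = "simple bind refused even over SSL; check the certificate and DC policy"
    else:
        advice = "bind failed for another reason; read the message text"
    return {"host": m.group("host"), "port": port, "bind_dn": m.group("bind_dn"),
            "code": m.group("code"), "strong_auth_required": strong,
            "encrypted": encrypted, "advice": advice}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of log lines and keep only the bind failures, in order."""
    return [f for f in map(parse_bind_failure, lines) if f is not None]


# Constructed sample lines modelled on the article's entry (not real captures);
# 192.0.2.10 is a documentation address and the hex code is the article's.
SAMPLE_LOG = [
    "WebsenseUserService,User Service (Directory Service Component),WsDSLdapDirService.cpp:3487,"
    "0x41480004,An error occurred while binding to the directory server. ldap_simple_bind: "
    "Strong(er) authentication required [192.0.2.10, 3268, dom\\websensesvc]",
    "WebsenseUserService,User Service (Directory Service Component),WsDSLdapDirService.cpp:100,"
    "0x00000000,Directory service started",
]
```

Run `triage(SAMPLE_LOG)` to get one entry for the first line, whose advice names port 3269; the second line is not a bind error and is skipped.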