New installation of Auth Connector on Windows Server 2016
Users accessing WSS using the IPSEC access method
Users log in to the domain, but when they access WSS they are deemed 'unauthenticated'
Users get an access denied message when accessing resources they should be entitled to access
Auth Connector status in the Portal shows that it cannot establish any of its 34/34 connections into WSS
SSL handshake issues with WSS trigger connectivity failure
SSL ciphers advertised by the client are not supported by the WSS server
IPSEC tunnel into WSS
Users run on Windows machines and log in to the local AD domain
Auth Connector running on Windows Server 2016
Windows ciphers restricted for security purposes.
Auth Connector accessing WSS via an HTTP proxy, but the HTTP proxy does not intercept the requests
Modify the Windows server ciphers to include any of the following ciphers supported by WSS. This is done by modifying the Windows server registry as described in https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings; make sure one of the following is included:
PCAPs of the TCP 443 connection from Auth Connector into WSS show the following SSL handshake failure:
- The client sends an SSL Client Hello offering 3 ciphers.
- Instead of an SSL Server Hello selecting the most secure common cipher, the server closes the TCP connection.
- https://testssl.sh/ provides an excellent script for determining which ciphers a back end supports. Running it against WSS returns the following list of ciphers, none of which match the client's ciphers.
Once both sides agreed on a common cipher, everything worked.
The BCCA debug logs also contain an SSL exception which gives a clue that the SSL handshake failed.
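To confirm before and after the registry change that the Auth Connector host's enabled Schannel cipher suites overlap with those WSS accepts, here is an added PowerShell check; it is not part of the original article, and the $WssSuites entries are placeholders to be replaced with the WSS-supported cipher names from this article or from the testssl.sh output.

```powershell
# Added example (not from the original article): compare the Schannel cipher suites
# enabled on this Windows Server 2016 host with the suites WSS accepts and report
# whether a TLS handshake can succeed. Run in an elevated PowerShell session.
# PLACEHOLDER values: replace with the WSS-supported cipher suite names from the
# article (or from the testssl.sh run against WSS).
$WssSuites = @(
    'TLS_SUITE_PLACEHOLDER_1',
    'TLS_SUITE_PLACEHOLDER_2'
)

# Suites the local Schannel client will offer in its ClientHello, in priority order.
$Enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name

# A policy cipher-suite order (if set) restricts the default list; show it so the
# administrator knows where the restriction comes from.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$Policy = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($Policy) {
    Write-Host "Policy cipher-suite order is set ($PolicyKey\Functions):"
    $Policy -split ',' | ForEach-Object { Write-Host "  $_" }
}

Write-Host "Locally enabled suites: $($Enabled.Count)"
$Common = $Enabled | Where-Object { $WssSuites -contains $_ }

if ($Common) {
    Write-Host 'OK: at least one suite is common to this host and WSS:'
    $Common | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Warning 'No common cipher suite: WSS will close the TCP connection after the ClientHello.'
    Write-Host 'Enable one of the WSS-supported suites, for example:'
    $WssSuites | ForEach-Object { Write-Host "  Enable-TlsCipherSuite -Name $_ -Position 0" }
}
```

If the cipher suite order is delivered by domain Group Policy, change it in the GPO rather than locally, or the next policy refresh will reapply the restricted list.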