Auth Connector fails to connect to WSS

Article ID: 198307

Products

Web Security Service - WSS

Issue/Introduction

New installation of Auth Connector on Windows 2016 Server

Users accessing WSS using IPSEC access method

Users log into domain, but when they access WSS they are deemed 'unauthenticated'

Users get access denied message when accessing resources they should be entitled to access

Auth Connector status in the Portal shows that it cannot establish any of its 34/34 connections into WSS

Cause

SSL handshake issues with WSS trigger connectivity failure

SSL ciphers advertised by the client are not supported by WSS server

Environment

IPSEC tunnel into WSS

Users running on Windows machines, and logging in to the local AD domain

Auth Connector running on Windows 2016 server

Windows cipher suites restricted for security purposes.

Auth Connector accessing WSS via an HTTP proxy, but the HTTP proxy does not intercept the requests

Resolution

Modify the Windows server cipher suite configuration so that it includes at least one of the cipher suites supported by WSS. This is done by editing the Windows server registry as described in https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings, making sure one of the following is enabled:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
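As an added example (not from the article), the following PowerShell checks whether the Auth Connector host still offers any of the WSS-supported suites above after hardening, and optionally enables one. It uses the Windows TLS module cmdlets rather than a direct registry edit; the `-Apply` switch and the choice of suite to enable are assumptions made here.

```powershell
# Added example: audit the Schannel cipher suite list on the Auth Connector host
# against the suites the article lists as supported by WSS, and enable one if needed.
# Assumes Windows Server 2016+ (built-in TLS module) and an elevated session.
param([switch]$Apply)   # assumption: dry-run by default, change only with -Apply

# Cipher suites listed in the article as supported by WSS.
$wssSupported = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
)

# Suites Schannel will currently advertise in the Client Hello (policy already applied).
$enabled = (Get-TlsCipherSuite).Name
$overlap = $enabled | Where-Object { $wssSupported -contains $_ }

if ($overlap) {
    Write-Host "OK: Auth Connector and WSS share these cipher suites:"
    $overlap | ForEach-Object { Write-Host "  $_" }
    return
}

Write-Warning "No cipher suite in common with WSS; the TLS handshake will fail."
Write-Host "Currently enabled suites:"
$enabled | ForEach-Object { Write-Host "  $_" }

# Pick the strongest WSS-supported suite (forward secrecy + AEAD) and place it at
# the top of the order so it is offered first. Assumption: this suite is acceptable
# under the organisation's hardening policy.
$toEnable = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
if ($Apply) {
    Enable-TlsCipherSuite -Name $toEnable -Position 0
    Write-Host "Enabled $toEnable at position 0; restart the Auth Connector service."
} else {
    Write-Host "Dry run: re-run with -Apply to enable $toEnable"
}
```

If the suite still does not appear in the Client Hello after enabling it, also confirm that the underlying AES cipher has not been disabled under the SCHANNEL Ciphers registry keys described in the linked Microsoft page.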

Additional Information

PCAPs of the TCP 443 connection from the Auth Connector into WSS show the following SSL handshake failure:

- The client sends an SSL Client Hello offering only 3 cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

- Instead of an SSL Server Hello coming back with the most secure common cipher negotiated, the server closes the TCP connection.

- https://testssl.sh/ provides an excellent script for determining which ciphers are supported on the back end. Running it against WSS gives the following list of cipher suites, none of which match the client's ciphers.

Once both sides agreed on a common cipher, everything worked fine.

The BBCA debug logs also contain an SSL exception, which gives a clue that the SSL handshake failed.
