SMG unable to establish secure LDAPS connection with Active directory after upgrade to 10.7.4


Article ID: 205852


Updated On:


Messaging Gateway


Following the update to Messaging Gateway 10.7.4, Directory Integration with Microsoft Active Directory fails if it is configured to use TLS-secured LDAPS. Depending on which directory-dependent features are enabled (Recipient Validation, LDAP-based policy groups, Control Center authentication, etc.), this can significantly impact SMG's ability to accept and scan email.


[LoggingDDS] ERROR - 800402 Permanent failure while attempting to search data source: AD: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384

Caused by: org.springframework.ldap.CommunicationException: ad.server:636; nested exception is javax.naming.CommunicationException: ad.server:636 [Root exception is java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384]
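As an added example (not code from the KB article or from the SMG product), the Python below scans log lines like the two above, pairs the 800402 error with the host and port from the following "Caused by" line, and splits the rejected suite name into its key-exchange, authentication, cipher and MAC parts so an operator can see at a glance what the directory server negotiated. The sample log text is constructed from the messages quoted above; the regular expressions assume the message layout shown there.

```python
import re

# Constructed sample: the two lines quoted in the article plus one unrelated line.
SAMPLE_LOG = """\
[LoggingDDS] ERROR - 800402 Permanent failure while attempting to search data source: AD: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384
Caused by: org.springframework.ldap.CommunicationException: ad.server:636; nested exception is javax.naming.CommunicationException: ad.server:636 [Root exception is java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384]
[LoggingDDS] INFO - data source AD search completed
"""

# Error line: SMG code, data source name and the suite the Java provider rejected.
ERROR_RE = re.compile(
    r"ERROR - (?P<code>\d{6}) .*?data source: (?P<source>[^:]+): "
    r"Unsupported ciphersuite (?P<suite>TLS_\w+)"
)
# Stack-trace line: the LDAPS endpoint the connection was made to.
CAUSE_RE = re.compile(r"CommunicationException: (?P<host>[\w.\-]+):(?P<port>\d+);")
# IANA TLS 1.2 suite naming: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|DH|ECDH|RSA)_(?:(?P<auth>RSA|DSS|ECDSA|anon)_)?"
    r"WITH_(?P<enc>.+)_(?P<mac>SHA\d*|MD5)$"
)


def parse_suite(name):
    """Split a TLS 1.2 suite name into key exchange, auth, cipher and MAC."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    parts = m.groupdict()
    parts["auth"] = parts["auth"] or parts["kx"]  # TLS_RSA_WITH_*: RSA does both
    return parts


def find_ldaps_cipher_failures(log_text):
    """Return one event per 800402 'Unsupported ciphersuite' error, with endpoint."""
    events = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            ev = m.groupdict()
            ev.update(host=None, port=None, suite_parts=parse_suite(ev["suite"]))
            events.append(ev)
            continue
        c = CAUSE_RE.search(line)
        if c and events and events[-1]["host"] is None:
            events[-1].update(host=c["host"], port=int(c["port"]))
    return events
```

Static DH or RSA key exchange (kx other than ECDHE/DHE) gives no forward secrecy; the script only surfaces the suite, it does not decide what SMG's FIPS mode permits.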


Release : 10.7.4

Component : Directory Integration / LDAPS


This issue may be caused by running SMG in FIPS mode which restricts the available cipher list for LDAPS connections.


This issue is currently under investigation and may be the result of running SMG in FIPS mode. To confirm whether SMG is running in FIPS mode, please run the following command from the admin command line interface (CLI):

smg [10.7.4-13]> fipsmode status
FIPS mode

If the system is running in FIPS mode and you are able to disable FIPS mode, this may resolve the issue with LDAPS connections. To disable FIPS mode, you can run the following command from the admin CLI:

smg [10.7.4-13]> fipsmode off
After changing FIPS mode, the host will reboot
Are you sure you wish to proceed?  [N/y]: y
Rebuilding initrd.  Please wait.
non-FIPS mode set.
Please wait for reboot


If Active Directory has not been updated to require TLS-secured LDAP, this issue may be temporarily resolved by switching to unencrypted LDAP:

  1. Go to Administration > Directory Integration
  2. Select the Directory Data Source
  3. Uncheck "Enable SSL"
  4. Click Save