SMG unable to establish secure LDAPS connection with Active directory after upgrade to 10.7.4

Article ID: 205852

Products

Messaging Gateway

Issue/Introduction

Following the update to Messaging Gateway 10.7.4, Directory Integration with Microsoft Active Directory fails if it is configured to use TLS-secured LDAPS. Depending on which directory-dependent features are enabled (Recipient Validation, LDAP-based policy groups, Control Center authentication, etc.), this can significantly impair SMG's ability to accept and scan email.

Error

[LoggingDDS] ERROR - 800402

com.symantec.sms.dds.api.exception.DataAccessSearchFailureException: Permanent failure while attempting to search data source: AD: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384

Caused by: org.springframework.ldap.CommunicationException: ad.server:636; nested exception is javax.naming.CommunicationException: ad.server:636 [Root exception is java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384]

Environment

Release : 10.7.4

Component : Directory Integration / LDAPS

Cause

This issue may be caused by running SMG in FIPS mode which restricts the available cipher list for LDAPS connections.
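The error quoted above is raised by the Java TLS provider when the LDAP client is configured with a cipher suite name the provider cannot instantiate; in that situation the whole LDAPS connection fails even if every other configured suite would have worked. The following triage helper is an added example and is not part of SMG or Broadcom's own tooling. It pulls the rejected suite name out of log lines modelled on the ones quoted in this article, decomposes the IANA suite name into its key exchange, authentication, bulk cipher and hash components, and reports which entries of a configured cipher list the provider would reject. The sample log text, the configured cipher list and the "FIPS-mode supported" list are all constructed for illustration; the suites an actual FIPS provider accepts must be read from your own system.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log, modelled on the error quoted in this article (not a real capture).
SAMPLE_LOG = """\
[LoggingDDS] ERROR - 800402
com.symantec.sms.dds.api.exception.DataAccessSearchFailureException: Permanent failure while attempting to search data source: AD: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384
Caused by: org.springframework.ldap.CommunicationException: ad.server:636; nested exception is javax.naming.CommunicationException: ad.server:636 [Root exception is java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384]
[LoggingDDS] INFO - directory search completed
"""

UNSUPPORTED_RE = re.compile(r"Unsupported ciphersuite (TLS_[A-Za-z0-9_]+)")


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    bulk_cipher: str
    hash_alg: str


def parse_suite(name: str) -> CipherSuite:
    """Decompose an IANA TLS 1.2-style suite name.

    TLS_DH_DSS_WITH_AES_256_GCM_SHA384 -> kx=DH, auth=DSS, cipher=AES_256_GCM, hash=SHA384
    TLS_RSA_WITH_AES_128_CBC_SHA       -> kx=RSA, auth=RSA, cipher=AES_128_CBC, hash=SHA
    TLS 1.3 names (no _WITH_) are rejected because they carry no key exchange/auth part.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    kx_auth, cipher_hash = name[len("TLS_"):].split("_WITH_", 1)
    # The hash/PRF is always the last token; everything before it is the bulk cipher.
    bulk_cipher, hash_alg = cipher_hash.rsplit("_", 1)
    kx_tokens = kx_auth.split("_")
    if len(kx_tokens) == 1:
        # e.g. TLS_RSA_WITH_...: static RSA does both key transport and authentication.
        key_exchange = authentication = kx_tokens[0]
    else:
        # e.g. DH_DSS, DHE_RSA, ECDHE_ECDSA, DH_anon
        key_exchange, authentication = kx_tokens[0], kx_tokens[1]
    return CipherSuite(name, key_exchange, authentication, bulk_cipher, hash_alg)


def find_unsupported_suites(log_text: str) -> list[str]:
    """Return the distinct suite names the TLS provider rejected, in order of first appearance."""
    found: list[str] = []
    for match in UNSUPPORTED_RE.finditer(log_text):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found


def offending_suites(configured: list[str], provider_supported: set[str]) -> list[str]:
    """Configured suite names the provider does not support.

    A single such entry is enough to fail the connection: Java's
    SSLSocket.setEnabledCipherSuites() raises IllegalArgumentException on the
    first unknown name instead of silently dropping it.
    """
    return [s for s in configured if s not in provider_supported]


# Constructed cipher list a client might be configured with (assumption, not an SMG default).
CONSTRUCTED_CONFIGURED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

# Constructed stand-in for what a FIPS-mode provider supports; read the real list from your system.
ASSUMED_FIPS_SUPPORTED = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
}


if __name__ == "__main__":
    for name in find_unsupported_suites(SAMPLE_LOG):
        s = parse_suite(name)
        print(f"rejected: {name} (kx={s.key_exchange} auth={s.authentication} "
              f"cipher={s.bulk_cipher} hash={s.hash_alg})")
    for name in offending_suites(CONSTRUCTED_CONFIGURED, ASSUMED_FIPS_SUPPORTED):
        print(f"configured but unsupported by provider: {name}")
```

Run against real SMG log output, the first loop names the suite to remove from the client cipher list, and the second loop, fed the provider's actual supported list, shows whether any other configured entry would fail the same way once that one is gone.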

Resolution

This issue is currently under investigation and may be the result of running SMG in FIPS mode. To confirm whether SMG is running in FIPS mode, please run the following command from the admin command line interface (CLI):

smg [10.7.4-13]> fipsmode status
FIPS mode

If the system is running in FIPS mode and you are able to disable FIPS mode, this may resolve the issue with LDAPS connections. To disable FIPS mode, you can run the following command from the admin CLI:

smg [10.7.4-13]> fipsmode off
After changing FIPS mode, the host will reboot
Are you sure you wish to proceed?  [N/y]: y
Rebuilding initrd.  Please wait.
non-FIPS mode set.
Please wait for reboot

Workaround

If Active Directory has not been updated to require TLS-secured LDAP, this issue may be temporarily resolved by switching to unencrypted LDAP. Note that with SSL disabled, the bind credentials and directory queries between SMG and the domain controller travel in cleartext, so treat this as a stopgap until LDAPS can be restored:

  1. Go to Administration > Directory Integration
  2. Select the Directory Data Source
  3. Uncheck "Enable SSL"
  4. Click Save