
15/06/2023, 11:36 AD Agent - Server 2016 LDAPS Issue


Title

AD Agent - Server 2016 LDAPS Issue

Article Number

000040395

Summary

Resolving connectivity issues with AD agent for LDAPS

Notes & Warnings

Note: Forcepoint does not host the websites. Therefore, the links may change without notice. Forcepoint does not guarantee the accuracy of the information.

Problem

While installing an AD agent, an admin may choose to utilize LDAPS (LDAP over SSL). They may find that the LDAPS connection fails while regular LDAP works fine.

Resolution

The issue lies in SSL cipher suites that utilize Elliptic Curve Diffie-Hellman (ECDH). Microsoft made changes in Windows 10 and Server 2016 that sometimes result in SSL failures due to cipher suite negotiation. See the following article for further information:

https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server

Workaround

By re-ordering the curve types, the SSL connection sent by the AD agent can correctly negotiate.

The default ECC curve order in Windows Server 2016 is as follows:

    curve25519    value: 29 (0x1d)
    nistP256      value: 23 (0x17)
    nistP384      value: 24 (0x18)

1. On Windows Server 2016, open a command prompt, type gpedit.msc (without quotes) and hit Enter. The Group Policy Object Editor appears.
2. Navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
3. Under SSL Configuration Settings, double click on ECC Curve Order.
4. In the ECC Curve Order pane, select Enabled.
5. Under ECC Curve Order, add the following, one per line:
   ■ NistP256
   ■ NistP384
6. Click Apply > OK.
7. Restart the server for the changes to be applied.
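The following PowerShell script is an added example and is not part of the Forcepoint article or the AD agent product. It ties together the Problem and Workaround sections: it first performs a bare TLS handshake against a domain controller's LDAPS port (636) and reports the negotiated protocol and key-exchange algorithm, which is the quickest way to confirm that the failure is in cipher/curve negotiation rather than in LDAP itself; it then lists the current Schannel ECC curve order and, only when run with -Apply, sets the same order the article's GPO prescribes (NistP256, then NistP384, with curve25519 removed). The hostname dc01.example.local is a placeholder. The Get-TlsEccCurve, Enable-TlsEccCurve and Disable-TlsEccCurve cmdlets are the built-in TLS module cmdlets on Server 2016 and later; note that they write the server's local Schannel configuration, whereas the article's gpedit.msc steps set the Group Policy value, and a policy value takes precedence over the local one, so use one mechanism consistently.

```powershell
# Added example (not from the Forcepoint article): check the LDAPS handshake to a DC and
# inspect / set the Schannel ECC curve order on Windows Server 2016.
# Assumptions: $DomainController is a placeholder; the built-in TLS module cmdlets
# (Get-TlsEccCurve / Enable-TlsEccCurve / Disable-TlsEccCurve) are available; the
# script runs elevated when -Apply is used.
param(
    [string]$DomainController = 'dc01.example.local',   # placeholder, replace with your DC
    [int]$Port = 636,                                   # LDAPS
    [switch]$Apply                                      # change the curve order only when set
)

function Test-LdapsHandshake {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate trust is not the question being asked here, so the validation
        # callback accepts any certificate: the result then reflects only whether the
        # TLS handshake (cipher suite and curve negotiation) completes.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($ComputerName)
        [pscustomobject]@{
            Target              = "$ComputerName`:$Port"
            Handshake           = 'OK'
            Protocol            = $ssl.SslProtocol
            KeyExchange         = $ssl.KeyExchangeAlgorithm
            KeyExchangeStrength = $ssl.KeyExchangeStrength
            Cipher              = $ssl.CipherAlgorithm
            CipherStrength      = $ssl.CipherStrength
        }
    } catch {
        # A failure here with plain LDAP (port 389) working is the symptom the article describes.
        [pscustomobject]@{
            Target    = "$ComputerName`:$Port"
            Handshake = "FAILED: $($_.Exception.Message)"
        }
    } finally {
        $client.Dispose()
    }
}

Write-Host '== LDAPS handshake test =='
Test-LdapsHandshake -ComputerName $DomainController -Port $Port | Format-List

Write-Host '== Current Schannel ECC curve order (local configuration) =='
Get-TlsEccCurve

if ($Apply) {
    # Same order the article's GPO sets: NistP256 first, NistP384 second, curve25519 not offered.
    Enable-TlsEccCurve  -Name NistP256   -Position 0
    Enable-TlsEccCurve  -Name NistP384   -Position 1
    Disable-TlsEccCurve -Name curve25519
    Write-Host 'Curve order updated; restart the server for Schannel to apply the change.'
    Get-TlsEccCurve
}
```

Run the script without -Apply first, before and after the GPO change, and compare the Handshake and KeyExchange fields; the handshake test is read-only and can be run from any Windows host that can reach the domain controller, while the curve-order part must run on the server hosting the AD agent.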

Related Information:

Troubleshooting Forcepoint ONE's Active Directory Sync Agent: https://support.forcepoint.com/s/article/AD-Agent-Sync-Troubleshooting-1648249643851

https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls


Keywords: 115004035293; SSL; tls; handshake; ldaps; adagent; ad agent; cipher; windows; configure; policy; users; authenticate

URL Name

AD-Agent-Server-2016-LDAPS-Issue-1646857311875


© 2023 Forcepoint LLC. All Rights Reserved
