Cipher suites LDAPS Azure ADDS

Florian VARENNE 1 Reputation point
2022-04-08T10:14:26.323+00:00

Hello everyone !

I have a problem with LDAPS links to our firewall; it only supports the following ciphers:

TLS_AES_128_GCM_SHA256 (0x1301)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

On the Azure side, only the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) cipher is proposed to our firewall, which makes the LDAPS connection fail.

How do I add the necessary ciphers to our Azure AD Domain Services?

Thank you.

Microsoft Entra

2 answers

  1. Givary-MSFT 28,486 Reputation points Microsoft Employee
    2022-04-19T02:47:34.403+00:00

    @Florian VARENNE

    Thank you for the detailed ask related to cipher suites with respect to Azure AD DS. I discussed your issue with the product group team; I would request you to open a case with MS support, who can work with the team to check whether it is feasible or not to change the cipher suites.

    If you don't have an MS support plan, then I can help you with one-time free support. Hope this helps.

    Let me know if you have any questions.


  2. Givary-MSFT 28,486 Reputation points Microsoft Employee
    2022-05-05T17:07:06.207+00:00

    @Florian VARENNE

    Offline discussion update/resolution:

    Discussed the issue with our team: "We do update the cipher suite for TLS connections on DCs but haven't really looked into LDAPS. We obviously need to look into this more since we don't recall ever receiving a request to change LDAPS cipher suite, but changing a one-off config for you would be extremely hard to do. And allowing to secure the LDAPS cipher suites via a feature would take time and probably won't be prioritized immediately.

    Not to mention we would have to get security clearance about any potential cipher suite updates that are not already published as secure by Microsoft (like we do for SSL/TLS channel)"

    As changing cipher suites was not possible on Azure, @Florian VARENNE followed an alternative approach to resolve the issue: a site-to-site VPN between the Stormshield and Azure, then simple LDAP without TLS through the VPN.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

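As an added diagnostic that is not part of the original thread: before opening a support case, the mismatch described in the question can be confirmed from the client side by offering the LDAPS endpoint one of the firewall's TLS 1.2 suites at a time and recording which handshakes succeed. The hostname is a placeholder assumption; the suite list is the one from the question (its TLS 1.3 suites are omitted because Python's ssl module cannot offer those individually).

```python
import socket
import ssl

# The firewall's TLS 1.2 suites from the question. The TLS 1.3 suites are left
# out because Python's ssl module cannot offer them one at a time.
FIREWALL_TLS12_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]

def iana_to_openssl(name: str) -> str:
    """Translate an IANA suite name into the OpenSSL name set_ciphers() expects,
    e.g. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 -> ECDHE-RSA-AES128-SHA256."""
    kx, _, cipher = name.removeprefix("TLS_").partition("_WITH_")
    if "CHACHA20" in cipher:            # OpenSSL drops the MAC suffix here
        cipher = "CHACHA20-POLY1305"
    cipher = cipher.replace("AES_", "AES").replace("_CBC", "")
    return f"{kx}-{cipher}".replace("_", "-")

def probe_ldaps(host: str, port: int = 636, suites=FIREWALL_TLS12_SUITES,
                timeout: float = 5.0) -> dict:
    """Offer each suite alone at TLS 1.2 and record whether the server
    completed the handshake with it. Returns {iana_name: bool}."""
    results = {}
    for suite in suites:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = False       # cipher negotiation is what is under
        ctx.verify_mode = ssl.CERT_NONE  # test here, not the certificate chain
        try:
            ctx.set_ciphers(iana_to_openssl(suite))
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[suite] = tls.cipher()[0] == iana_to_openssl(suite)
        except (ssl.SSLError, OSError):
            results[suite] = False
    return results

if __name__ == "__main__":
    # Placeholder hostname: substitute the managed domain's LDAPS endpoint.
    for suite, ok in probe_ldaps("ldaps.example.invalid").items():
        print(f"{'accepted' if ok else 'rejected':8s} {suite}")
```

If every suite comes back rejected while a default-context connection succeeds, the server is only offering something outside the firewall's list, which is exactly the CBC-only behaviour reported in the question.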