FlorianVARENNE-1589 asked Givary-MSFT edited

Cipher suites LDAPS Azure ADDS

Hello everyone!

I have a problem with LDAPS links to our firewall; it only supports the following ciphers:

TLS_AES_128_GCM_SHA256 (0x1301)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

On the Azure side, only the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) cipher is proposed to our firewall, which makes the LDAPS connection fail.

How can I add the necessary ciphers to our Azure AD Domain Services?

Thank you.

azure-ad-domain-services
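To reproduce this kind of mismatch locally before opening a ticket, here is an added Python example (not from the thread, Stormshield or Microsoft): it stands up a TLS 1.2-only stand-in server that offers only the CBC suite named in the question, then connects with a client restricted to the firewall's TLS 1.2 suites listed above and reports the negotiated cipher, or None when the handshake fails. It assumes Python 3.10+ and an `openssl` CLI on PATH for a throwaway self-signed certificate; the local server and certificate are constructed for the demonstration.

```python
import os, socket, ssl, subprocess, tempfile, threading

# The firewall's TLS 1.2 suites from the question, in OpenSSL naming. Its TLS 1.3
# suites are negotiated separately and are not affected by set_ciphers().
FIREWALL_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", "DHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384",
])
# OpenSSL name of the one suite the question says Azure AD DS offered (0xc027, CBC).
AZURE_ADDS_CIPHER = "ECDHE-RSA-AES128-SHA256"

def make_self_signed_cert(tmpdir):
    """Constructed throwaway RSA cert for the local stand-in server (needs the openssl CLI)."""
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "crt.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", "/CN=localhost"],
                   check=True, capture_output=True)
    return key, crt

def negotiated_cipher(server_ciphers, client_ciphers=FIREWALL_CIPHERS):
    """Handshake once against a local TLS 1.2-only server; return the agreed suite or None."""
    with tempfile.TemporaryDirectory() as tmpdir:
        key, crt = make_self_signed_cert(tmpdir)
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(crt, key)
        srv_ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # stand-in for a DC without TLS 1.3
        srv_ctx.set_ciphers(server_ciphers)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0)); listener.listen(1)

        def serve():  # accept one connection and attempt the TLS handshake
            conn, _ = listener.accept()
            try:
                with srv_ctx.wrap_socket(conn, server_side=True):
                    pass
            except ssl.SSLError:
                pass  # "no shared cipher": the server has already sent handshake_failure
        worker = threading.Thread(target=serve, daemon=True); worker.start()
        cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cli_ctx.check_hostname, cli_ctx.verify_mode = False, ssl.CERT_NONE  # self-signed test cert
        cli_ctx.set_ciphers(client_ciphers)
        try:
            with cli_ctx.wrap_socket(socket.create_connection(listener.getsockname())) as tls:
                return tls.cipher()[0]  # e.g. "ECDHE-RSA-AES128-GCM-SHA256"
        except (ssl.SSLError, ConnectionError):
            return None  # the peer rejected every suite the client offered
        finally:
            worker.join(); listener.close()
```

Calling `negotiated_cipher(AZURE_ADDS_CIPHER)` reproduces the failure in the question, while adding one GCM suite to the server side makes the same firewall-style client succeed.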

@FlorianVARENNE-1589

Apologies for the delay in answering this post.

As far as I understand, you want to add cipher suites that are supported by your firewall to make the LDAPS connection successful?

As far as I know, Azure AD DS being a managed domain, we don't have the privilege to modify cipher suites; however, let me check at my end if there is a way to achieve your ask mentioned in the question.

Givary-MSFT answered FlorianVARENNE-1589 commented

@FlorianVARENNE-1589

Thank you for the detailed ask related to cipher suites with respect to Azure AD DS. I discussed your issue with the product group team and would request you to open a case with MS support, who can work with the team to check whether it is feasible to change the cipher suites.

If you don't have MS support plan then I can help you with one-time free support. Hope this helps.

Let me know if you have any questions.


@GirishVaryani

Thanks for your reply.

You perfectly understand my need. I already asked Stormshield, which is the manufacturer of my firewall, but they deprecated the cipher suite handled by Azure AD DS for security reasons and told me to check on the Azure side.

Unfortunately I don't have MS support; if you can help me to open a ticket, I'll appreciate that.

Thanks for your help.

Givary-MSFT answered Givary-MSFT edited

@FlorianVARENNE-1589

Offline discussion update/resolution:

I discussed the issue with our team: "We do update the cipher suite for TLS connections on DCs but haven't really looked into LDAPS. We obviously need to look into this more since we don't recall ever receiving a request to change the LDAPS cipher suite, but changing one-off config for you would be extremely hard to do. And allowing to secure the LDAPS cipher suites via a feature would take time and probably won't be prioritized immediately.

Not to mention we would have to get security clearance about any potential cipher suite updates that are not already published as secure by Microsoft (like we do for SSL/TLS channel)"

As changing cipher suites was not possible at Azure, @FlorianVARENNE-1589 followed an alternative approach to resolve the issue: a site-to-site VPN between the Stormshield and Azure, then plain LDAP without TLS through the VPN.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
