Welcome to the Cisco Small Business Community

Hello Nagaraj,

Thanks for your reply but I already tried to configure the router with this document.

I have the same error message....

I created a SSLVPN Policy, a security group, a "test" user,... like into documentation.

I have two questions :

1°) Is it possible to authenticate user with IPSec protocol (without SSLVPN)?

2°) Is it necessary to have the DC (AD Server) outside to LAN zone (like presented int page 2)?

Thanks again.

Regards.

Hi Benoit,

Server timeout typically means that the ISA is not receiving a response from the Server.  Can you ping the Server from the ISA?  Also, please try disabling (for testing only) the Firewall on the Server and test.  We've seen cases where the Firewall on the Server was blocking the LDAP requests.  Finally, you can run a packet capture on the ISA on the LAN to see what is going on with the LDAP communication.

Regarding your questions:  Yes, you should be able to authenticate IPSec users and the Server can be on the inside (LAN).  That was just an example they used on page 2.

Let me know if you have any questions regarding this.

Thanks,

Brandon

Hello Brandon,

Thanks for you answer.

To give you my feedback :

- Yes I can ping my DC from ISA.

- I have disabled Windows firewall on DC (turn off on all zones) and launch a query : I always received "Server TimeOut"...

- Ok for DC inside LAN zone (I seen it into troubleshooting part in the document...)

I will launch Packet Capture tool to see traffic on the first LAN port...

Regards.

Hi Benoit,

Ok, so if you can ping and you have disabled the firewall, then hopefully the packet captures will indicate what's going on. 

Thanks,

Brandon

Brandon,

After investigation with packet captures, I receive this error :

LDAPMessage bindResponse(1) strongAuthRequired (00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1)

Do you know what's the problem?

Thanks.

Hello ciscomax,

Thanks for your reply.

I've tried with this port number. Always same error....

I tried to use a simple LDAP client (ldp.exe) to launch a request.

I seems that simple binding with windows account doesn't work...

I continue to investiguate...

Regards.

Please find returned error with ldp.exe calling :

res = ldap_simple_bind_s(ld, 'test', ); // v.3

Error <8>: ldap_simple_bind_s() failed: Strong Authentication Required

Server error: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1

Error 0x2028 A more secure authentication method is required for this server.res = ldap_simple_bind_s(ld, 'test', ); // v.3

Hm, I'm not really sure if the ISA supports LDAPS, perhaps you can change the windows server to accept cleartext bind?

Michael

Please rate all helpful posts

Hello ciscomax,

Yes I have turn off "LDAP server signing requirements" from "Require signing" to "None".

It works. I can launch a LDAP request from ISA to DC and now resolve a windows account.

I'm just a little affraid to have to deactivate a main policy of Active Directory to a VPN access to my users....

Do you know if it's possible to find another way ? Really I think it's unsecure....

You could check policy in screenshot.

Regards.

You could use Radius, the credentials are secured with the shared secret.

No high security, but ok for this.

Michael

Please rate all helpful posts