{"id":1794,"date":"2026-02-26T22:21:11","date_gmt":"2026-02-27T04:21:11","guid":{"rendered":"https:\/\/zewwy.ca\/?p=1794"},"modified":"2026-02-28T14:28:00","modified_gmt":"2026-02-28T20:28:00","slug":"stronger-authentication-required","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2026\/02\/26\/stronger-authentication-required\/","title":{"rendered":"Strong(er) authentication required"},"content":{"rendered":"<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Stronger_authentication_required\"><\/span>Strong(er) authentication required<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Time for another annoying story&#8230; So, I wanted to configure my personal VPN at home using Global Protect&#8230; So, I went back to view my old blog posts on how to do this to polish up on the process again. And lo and behold, on following Step one, authentication, I already hit a new road block. IT is such a fun time *sarcasm*, so when I went to enumerate the groups in the group mapping section of the PAN I was hit with the good ol&#8217; error &#8220;Strong(er) authentication required&#8221; as you can see right here:<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/XEpBW99.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/XEpBW99.png\" alt=\"\" width=\"638\" height=\"433\" \/><\/a><\/p>\n<p>Looking this up online I found a <a href=\"https:\/\/www.reddit.com\/r\/paloaltonetworks\/comments\/165nka5\/pa_ldap_settings\/\">Reddit post<\/a> linking to a <a href=\"https:\/\/knowledgebase.paloaltonetworks.com\/KCSArticleDetail?id=kA10g000000ClbqCAC\">PAN KB<\/a>, which states this happens when you have LDAP hardening enabled, at least for older Windows Server (2008 is referenced); when I wrote my old blog post I was running 2016, and I had since updated it to 2022. 
So, asking AI about it (by copying and pasting the line from the KB), if this hardening was enabled by default: at first it was like &#8220;No&#8221;, then after a couple of back n forths it was like yeah, but &#8220;cause of CBT (LDAP Channel Binding)&#8221;&#8230;<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/8DzYBQj.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/8DzYBQj.png\" alt=\"\" width=\"346\" height=\"177\" \/><\/a><\/p>\n<p>Classic pedantic AI&#8230; So&#8230; what are my options?<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Option_1_Disable_CBT_LDAP_Channel_Binding\"><\/span>Option 1) Disable CBT LDAP Channel Binding<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The &#8220;not recommended&#8221; option.<\/p>\n<p><strong>Registry Path<\/strong><\/p>\n<pre><code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters<\/code><\/pre>\n<p><strong>Value Name<\/strong><\/p>\n<pre><code>LdapEnforceChannelBinding<\/code><\/pre>\n<p><strong>Value Type<\/strong><\/p>\n<pre><code>REG_DWORD<\/code><\/pre>\n<p><strong>Possible Values<\/strong><\/p>\n<ul>\n<li><strong>0<\/strong> \u2014 <em>Disable enforcement<\/em> (CBT not required; effectively disables the CBT requirement)<\/li>\n<li><strong>1<\/strong> \u2014 <em>Enable enforcement for supported clients only<\/em><\/li>\n<li><strong>2<\/strong> \u2014 <em>Always enforce CBT<\/em> (strict)<\/li>\n<\/ul>\n<p>To <strong>disable CBT enforcement<\/strong>, set:<\/p>\n<pre><code>LdapEnforceChannelBinding = 0<\/code><\/pre>\n<p>The related LDAP server signing value, under the same key, is:<\/p>\n<p><strong>Registry Path<\/strong><\/p>\n<pre><code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters<\/code><\/pre>\n<p><strong>Value Type<\/strong><\/p>\n<pre><code>REG_DWORD<\/code><\/pre>\n<p><strong>Value Name<\/strong><\/p>\n<pre><code>LDAPServerIntegrity<\/code><\/pre>\n<p><strong>Possible Values<\/strong><\/p>\n<ul>\n<li><strong>0<\/strong> \u2014 None<\/li>\n<li><strong>1<\/strong> \u2014 Negotiate<\/li>\n<li><strong>2<\/strong> \u2014 Require Signing<\/li>\n<\/ul>\n<p>Then, reboot&#8230; and&#8230;<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/Kn4BayS.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/Kn4BayS.png\" alt=\"\" width=\"634\" height=\"433\" \/><\/a><\/p>\n<p>Problem solved, *dusts hands*. Now in my case, with a single DC and a home lab, this def could be good enough&#8230; but in most cases you&#8217;ll probably have to implement the next option.<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Option_2_LDAPS\"><\/span>Option 2) LDAPS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This is the more annoying but secure option.<\/p>\n<h3 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"1_Plan_the_certificate_setup\"><\/span>1. Plan the certificate setup<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>You need each domain controller that will serve LDAPS to have a certificate with:<\/p>\n<ul>\n<li><strong>Key usage:<\/strong> Digital Signature, Key Encipherment<\/li>\n<li><strong>Enhanced Key Usage:<\/strong> Server Authentication (OID <code>1.3.6.1.5.5.7.3.1<\/code>)<\/li>\n<li><strong>Subject \/ SAN:<\/strong> Includes the DC\u2019s <strong>FQDN<\/strong> (e.g. 
<code>dc01.contoso.com<\/code>)<\/li>\n<\/ul>\n<p>You can use:<\/p>\n<ul>\n<li><strong>Internal AD CS<\/strong> (most common)<\/li>\n<li class=\"ps-2\">Or a <strong>public CA<\/strong> if clients are external and not domain\u2011joined.<\/li>\n<\/ul>\n<h3 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"2_Install_Certificate_Authority_if_you_dont_already_have_one\"><\/span>2. Install Certificate Authority (if you don\u2019t already have one)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><a href=\"https:\/\/zewwy.ca\/index.php\/2018\/03\/01\/setup-off-line-root-ca-part-1\/\">Setup Offline Root CA (Part 1) \u2013 Zewwy&#8217;s Info Tech Talks<\/a><\/p>\n<p><a href=\"https:\/\/zewwy.ca\/index.php\/2018\/03\/02\/remove-existing-enterprise-root-ca-part-2\/\">Remove Existing Enterprise Root CA (Part 2) \u2013 Zewwy&#8217;s Info Tech Talks<\/a><\/p>\n<p><a href=\"https:\/\/zewwy.ca\/index.php\/2018\/03\/19\/setup-subordinate-ca-part-3\/\">Setup Subordinate CA (Part 3) \u2013 Zewwy&#8217;s Info Tech Talks<\/a><\/p>\n<p>Or just install a primary Enterprise CA if you don&#8217;t want to do it the secure way.<\/p>\n<h3 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"3_Create_a_certificate_template_for_domain_controllers_optional_but_recommended\"><\/span>3. 
Create a certificate template for domain controllers (optional but recommended)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>On the CA:<\/p>\n<ol start=\"1\">\n<li>Open <strong>Certification Authority<\/strong> \u2192 right\u2011click <strong>Certificate Templates \u2192 Manage<\/strong>.<\/li>\n<li>Duplicate <strong>\u201cKerberos Authentication\u201d (recommended)<\/strong>\u00a0or <strong>\u201cComputer\u201d<\/strong> template.<\/li>\n<li>On the new template:\n<ul>\n<li><strong>General:<\/strong> Give it a name like <strong>\u201cDomain Controller LDAPS\u201d<\/strong>.<\/li>\n<li><strong>Subject Name:<\/strong> Set to <strong>\u201cBuild from this Active Directory information\u201d<\/strong> with <strong>DNS name<\/strong> checked.<\/li>\n<li><strong>Extensions:<\/strong> Confirm <strong>Server Authentication<\/strong> is present in EKU.<br \/>\nI removed Smart card, and Client Auth.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Security tab:<\/strong> Allow <strong>Domain Controllers<\/strong> group <strong>Enroll<\/strong> (and <strong>Autoenroll<\/strong> if you want auto\u2011deployment).<\/li>\n<li class=\"ps-2\">Close, then in <strong>Certification Authority<\/strong>, right\u2011click <strong>Certificate Templates \u2192 New \u2192 Certificate Template to Issue<\/strong>, and select your new template.<\/li>\n<\/ol>\n<h3><span class=\"ez-toc-section\" id=\"4_Enroll_the_certificate_on_the_domain_controller\"><\/span>4. 
Enroll the certificate on the domain controller<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>On each DC:<\/p>\n<ol start=\"1\">\n<li>Open <strong>mmc.exe<\/strong> \u2192 <strong>File \u2192 Add\/Remove Snap-in<\/strong> \u2192 add <strong>Certificates<\/strong> for <strong>Computer account<\/strong>.<\/li>\n<li>Navigate to <strong>Personal \u2192 Certificates<\/strong>.<\/li>\n<li>Right\u2011click <strong>Personal \u2192 All Tasks \u2192 Request New Certificate<\/strong>.<\/li>\n<li>Choose your <strong>\u201cDomain Controller LDAPS\u201d<\/strong> (or equivalent) template \u2192 <strong>Enroll<\/strong>.<\/li>\n<li>Confirm the new cert appears under <strong>Personal \u2192 Certificates<\/strong>, with:\n<ul>\n<li>Private key present<\/li>\n<li>Intended Purposes includes <strong>Server Authentication<\/strong><\/li>\n<li>Subject\/SAN includes the DC\u2019s FQDN.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>*Bonus* &#8211; I got hung up here for a while with no templates showing in the CA snap-in on the DC, and it turns out it was cause the OFFLINE root CA cert somehow wasn&#8217;t in the trusted root store. I have no idea how that happened, but yeah&#8230; shrug&#8230;<\/p>\n<h3><span class=\"ez-toc-section\" id=\"5_Verify_LDAPS_is_active_on_port_636\"><\/span>5. 
Verify LDAPS is active on port 636<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>On the DC:<\/p>\n<ol start=\"1\">\n<li>Restart the <strong>Active Directory Domain Services<\/strong> service or reboot the DC (simpler).<\/li>\n<li>Use <strong>ldp.exe<\/strong> (built\u2011in tool):\n<ul>\n<li>Run <code>ldp.exe<\/code>.<\/li>\n<li><strong>Connection \u2192 Connect\u2026<\/strong><\/li>\n<li>Server: DC FQDN, Port: <strong>636<\/strong>, check <strong>SSL<\/strong> \u2192 <strong>OK<\/strong>.<\/li>\n<li>If the certificate is correct and trusted, the connection should succeed.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h3><span class=\"ez-toc-section\" id=\"6_Import_the_Offline_Root_and_SubCA_Certs_into_PAN_Firewall\"><\/span>6. Import the Offline Root and SubCA Certs into PAN Firewall<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Import the certificates as Base64. Then edit the LDAP profile for port 636 and check off SSL. You&#8217;ll need to create a dedicated rule to allow SSL on a nonstandard port, either by setting the service to any on the rule or by creating a custom application and port for SSL on port 636. Then test again&#8230;<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/Kn4BayS.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/Kn4BayS.png\" alt=\"\" width=\"634\" height=\"433\" \/><\/a><\/p>\n<p>Hope this helps someone.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Strong(er) authentication required Time for another annoying story&#8230; So, I wanted to configure my personal VPN at home using Global Protect&#8230; So, I went back to view my old blog posts on how to do this to polish up on the process again. 
And lo and behold, on following Step one, authentication, I already hit &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/zewwy.ca\/index.php\/2026\/02\/26\/stronger-authentication-required\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Strong(er) authentication required&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[4,6,127,8],"tags":[188,495],"class_list":["post-1794","post","type-post","status-publish","format-standard","hentry","category-infosec","category-networking","category-palo-alto-networks","category-server-administration","tag-certificate","tag-ldaps"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1794"}],"version-history":[{"count":3,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1794\/revisions"}],"predecessor-version":[{"id":1797,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1794\/revisions\/1797"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}