When an Active Directory authentication server is configured on the Firebox, authentications fail with log messages such as:

Jan 7 11:17:06 2025 IVF-T25 local3.info admd[2929]: admLdapSessBindingChkResult: binding error:Strong(er) authentication required
Jan 7 11:17:06 2025 IVF-T25 local3.info admd[2929]: admLdapSessBindingChkResult: more binding error:00002028: LdapErr: DSID-0C090343, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4
Jan 7 11:17:06 2025 IVF-T25 local3.info admd[2929]: Auth for test@example.local result=3 ec=11(Ldap binding not successful) msg=search binding error, check your searching username or password
Jan 7 11:17:06 2025 IVF-T25 local2.warn admd[2929]: msg_id="1100-0005" Authentication of Firewall user [test@example.local] from console was rejected, search binding error, check your searching username or password
Jan 7 11:17:06 2025 IVF-T25 local3.info admd[2929]: admLdapSessFSM: failed to parse binding result, rc=11
This issue might occur when LDAP client encryption is enabled in your default domain policy. This is enabled by default in Windows Server 2025.

To keep the LDAP signing, binding, and client encryption settings enabled but still allow bind requests from the AuthPoint Gateway or a Firebox, you must set up LDAPS on the server.

To disable LDAP client encryption:

1. On the Windows Server, open Group Policy Management Editor.
2. Go to Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
3. Set Domain controller: LDAP server channel binding token requirements to When Supported.
4. Set Domain controller: LDAP server signing requirements to None.
5. Set Domain controller: LDAP server enforce signing requirements to Disabled.
6. Set Network Security: LDAP client encryption requirements to Negotiate Sealing.
7. Set Network security: LDAP client signing requirements to Negotiate Signing.
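The rejection message tells the user to check the search username or password even when the real cause is the domain controller refusing an unsigned bind. The following added example (not WatchGuard code) triages admd log lines and separates the two cases. The function name, the cause labels and the last sample line are constructed for illustration, and it assumes the bind errors are logged by the same admd process before the "Auth for" line, as in the excerpt above.

```python
import re

# Syslog prefix as it appears in the Firebox admd lines quoted in the article.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(?P<host>\S+)\s+\S+\s+"
                  r"admd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
AUTH = re.compile(r"Auth for (?P<user>\S+) result=\d+ ec=(?P<ec>\d+)\(")
# Strings the article's log shows when the server refuses an unsigned bind.
SIGNING = ("Strong(er) authentication required", "00002028: LdapErr")


def triage(lines):
    """Return one finding per failed auth (ec=11), with the cause inferred
    from the bind errors the same admd process logged just before it."""
    pending = {}    # (host, pid) -> True once a signing refusal was seen
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        if any(marker in msg for marker in SIGNING):
            pending[key] = True
            continue
        a = AUTH.search(msg)
        if a and a["ec"] == "11":
            # Consume the flag so it does not leak into the next attempt.
            cause = ("ldap-signing-required" if pending.pop(key, False)
                     else "bind-failed-check-credentials")
            findings.append({"time": m["ts"], "host": m["host"],
                             "user": a["user"], "cause": cause})
    return findings


# First three lines come from the article's excerpt; the fourth is a constructed
# failure with no signing error before it, to show the other classification.
SAMPLE = [
    r"Jan 7 11:17:06 2025 IVF-T25 local3.info admd[2929]: admLdapSessBindingChkResult: binding error:Strong(er) authentication required",
    r"Jan 7 11:17:06 2025 IVF-T25 local3.info admd[2929]: admLdapSessBindingChkResult: more binding error:00002028: LdapErr: DSID-0C090343, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v65f4",
    r"Jan 7 11:17:06 2025 IVF-T25 local3.info admd[2929]: Auth for test@example.local result=3 ec=11(Ldap binding not successful) msg=search binding error, check your searching username or password",
    r"Jan 7 11:20:41 2025 IVF-T25 local3.info admd[2929]: Auth for other@example.local result=3 ec=11(Ldap binding not successful) msg=search binding error, check your searching username or password",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```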