KB Article #176606
Connection issues to Active Directory after applying MS14-066 / KB2992611
Problem
On 11/11/2014, Microsoft released a patch for the security vulnerability tracked as CVE-2014-6321: MS14-066 / KB2992611. Besides fixing the vulnerability, the update changes the set of available TLS cipher suites and adds new ones that operate in Galois/Counter Mode (GCM). These changes appear to make an ECDHE cipher suite the preferred one on the Windows Server (more specifically, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), and as a result MailGate fails to establish a TLS/SSL connection to its LDAP source in environments where Active Directory on Windows 2003 R2* / Windows 2008 R2* is used as the LDAP source.
When clicking on "Test connection" for the LDAP source in the Admin UI, a "Connection failed" error appears.
In the Application log, the following errors are present:
- If the connection is set to use SSL:
ERROR [LDAPConnection] LDAP Connection problem with Source_Name javax.naming.CommunicationException: simple bind failed: XX.XX.XX.XX:3269 [Root exception is java.net.SocketException: Connection reset]
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
- If the connection is set to use TLS:
ERROR [LDAPEditContext$2] com.tumbleweed.validation.ValidationException: ldapConnectionProblemTLS
ERROR [LDAPEditContext] Cannot access attributes in the root context javax.naming.CommunicationException: java.net.SocketException: Connection reset [Root exception is javax.net.ssl.SSLException: java.net.SocketException: Connection reset]; remaining name ''
In the Windows Event Log (System log, source Schannel) on the domain controller, the following error is present:
The following fatal alert was generated: 20. The internal error state is 960.
[ Name] Schannel
EventID 36888
EventData
AlertDesc 20
ErrorState 960
Event 36888 means the server itself generated the alert (36887 would mean it received one); alert description 20 is the TLS bad_record_mac alert, which is consistent with the handshake breaking down on the server side rather than MailGate rejecting the certificate.
Affected MailGate services:
- Recipient verification will not work if the lookup is set to "Live"
- LDAP-based administrator and user logins will fail
- If any policies that use LDAP-based address groups are enabled, email will be detained according to the Content Policies > All policies > Settings > SMTP > LDAP Failure Action setting
*other Windows-based servers may be affected as well.
Resolution
Following the issue encountered with the original patch, on 11/18/2014 Microsoft issued a revision of the bulletin:
[V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information.]
The revised update, KB3018238, available through Microsoft Update, addresses the issue caused by the original update and lets MailGate connect to LDAP over an encrypted channel (TLS or SSL) again. Administrators who have already installed the problematic KB2992611 may need to re-install it.
When installing KB3018238 on an R2 server, administrators are prompted to choose between KB2992611 and KB3018238; KB3018238 must be selected, as it is the one that fixes TLS/SSL connectivity to MailGate.
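The following PowerShell script is an added diagnostic for the domain controller side; it is not part of this article or of MailGate. It checks whether KB2992611 and KB3018238 are installed, pulls the recent Schannel 36888 events described above and extracts their AlertDesc / ErrorState fields, and prints the effective cipher suite order from the registry so you can see whether any of the GCM suites the original update introduced are still listed. It assumes an elevated PowerShell prompt on a Windows Server 2008 R2 or 2012 domain controller; the registry paths are the standard Schannel cipher suite order keys, and the 24-hour lookback window is an arbitrary choice.

```powershell
# Added diagnostic (not MailGate's code, not from the KB article).
# Run elevated on the domain controller that MailGate uses as its LDAP source.

# 1. Which of the two updates are present? KB3018238 is the one that must be installed.
$kbs = 'KB2992611', 'KB3018238'
$installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
foreach ($kb in $kbs) {
    $hit = $installed | Where-Object { $_.HotFixID -eq $kb }
    if ($hit) { '{0} installed on {1}' -f $kb, $hit.InstalledOn }
    else      { '{0} NOT installed' -f $kb }
}

# 2. Schannel fatal alerts generated by this server in the last 24 hours (window is arbitrary).
#    Event 36888 = alert generated locally; AlertDesc 20 = bad_record_mac.
$since  = (Get-Date).AddDays(-1)
$alerts = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = $since
} -ErrorAction SilentlyContinue
if ($alerts) {
    foreach ($e in $alerts) {
        # Event data is only reliably available through the XML view of the event.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        '{0}  AlertDesc={1}  ErrorState={2}' -f $e.TimeCreated, $data['AlertDesc'], $data['ErrorState']
    }
} else {
    "No Schannel 36888 events since $since"
}

# 3. Effective cipher suite order. A GPO-defined order lives under the Policies key and
#    overrides the local default list; read whichever one is in effect.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
$key = if (Test-Path $policyKey) { $policyKey } else { $localKey }
$functions = (Get-ItemProperty -Path $key -Name Functions).Functions
# The value is a comma-separated REG_SZ on some builds and a REG_MULTI_SZ on others;
# joining and re-splitting normalises both into one array.
$suites = (($functions -join ',') -split ',') | Where-Object { $_ -ne '' }
"Cipher suite order read from $key"
for ($i = 0; $i -lt $suites.Count; $i++) { '{0,3}: {1}' -f ($i + 1), $suites[$i] }
$gcm = $suites | Where-Object { $_ -like '*GCM*' }
if ($gcm) { "GCM suites still in the order list: $($gcm -join ', ')" }
else      { 'No GCM suites in the order list' }
```

Run the script before and after applying KB3018238 and compare the three sections: the hotfix check confirms which update actually landed after the KB2992611 / KB3018238 prompt, the event query shows whether the bad_record_mac alerts stop, and the cipher suite list shows whether the suite order the server offers to MailGate changed. Then re-run "Test connection" for the LDAP source in the Admin UI.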