Suite B and Secure LDAP
We have a Server 2008 R2 box that we have installed a certificate on to enable LDAP over SSL. The encryption works fine for some devices, but others cannot connect. Cisco says this is because our Suite B certificate using SHA-384 is forcing the system to only use TLS 1.2 encryption methods, and they only support TLS 1.0 and 1.1 on the devices we have. I have a few questions about this:

1) How can I tell which ciphers are supported by my Server 2008 R2 SP1 system using the certificate I have installed?

2) Are all Secure LDAP connections negotiated using TLS 1.0? That is the way it looks in Wireshark, but Cisco says we are using TLS 1.2. How can I verify for sure?

3) Is the version of TLS used by Secure LDAP configurable? I can fix this using a modified template that uses SHA1, but would like to stay at SHA384 if possible.
May 17th, 2012 12:08pm
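One way to settle question 2 without reading packet captures, as an added example that is not part of this thread or Microsoft's documentation: a PowerShell script that opens an LDAPS connection to the domain controller once per TLS version and reports what was actually negotiated (protocol, cipher, hash, key exchange) and whether the server certificate validated. It assumes PowerShell 3.0 or later on .NET 4.5 or later, since the Tls11 and Tls12 members of SslProtocols only exist there; the host name dc01.example.local is a placeholder. Save it as a .ps1 file and run it from a client machine against port 636.

```powershell
# Added example, not from the thread: probe an LDAPS endpoint once per TLS version
# and report what Schannel/.NET actually negotiated. Assumes .NET 4.5+ so that
# [System.Security.Authentication.SslProtocols] has the Tls11 and Tls12 members.
param(
    [string]$LdapHost = 'dc01.example.local',   # placeholder; use your DC's FQDN
    [int]$Port = 636                            # LDAPS (TLS from the first byte)
)

function Test-LdapsProtocol {
    param(
        [string]$TargetHost,
        [int]$TargetPort,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $script:lastCertErrors = $null
    $result = New-Object PSObject -Property @{
        Requested   = $Protocol
        Negotiated  = $null
        Cipher      = $null
        Hash        = $null
        KeyExchange = $null
        CertErrors  = $null
        Error       = $null
    }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
        # Diagnostic probe only: record the certificate validation outcome instead of
        # aborting, so a chain problem shows up in CertErrors next to the protocol result.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:lastCertErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Offer exactly one protocol version; the server either accepts it or aborts.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $true)
        $result.Negotiated  = $ssl.SslProtocol
        $result.Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        $result.Hash        = "$($ssl.HashAlgorithm)/$($ssl.HashStrength)"
        $result.KeyExchange = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
        $result.CertErrors  = $script:lastCertErrors
    } catch {
        # A handshake failure here means the server refused this version or no common
        # cipher suite exists, which is the situation the TLS 1.0/1.1-only devices are in.
        $result.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    return $result
}

$protocols = @(
    [System.Security.Authentication.SslProtocols]::Tls,     # TLS 1.0
    [System.Security.Authentication.SslProtocols]::Tls11,
    [System.Security.Authentication.SslProtocols]::Tls12
)

$protocols | ForEach-Object {
    Test-LdapsProtocol -TargetHost $LdapHost -TargetPort $Port -Protocol $_
} | Format-Table Requested, Negotiated, Cipher, Hash, KeyExchange, CertErrors, Error -AutoSize
```

A row whose Negotiated column says Tls while Requested is Tls means the server still accepts TLS 1.0 for LDAPS, which matches what Wireshark shows; a row with an Error for Tls12 means the server (or the client's Schannel) has no TLS 1.2 cipher suite usable with the installed certificate. Run it from one of the machines that works and, if possible, from a network position close to the failing devices, since the client side decides which versions are offered.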

Hi,

1) How can I tell which ciphers are supported by my Server 2008 R2 SP1 system using the certificate I have installed?
>> To control the use of TLS, you need to set the cipher suite requirement for your computer that will force adherence to TLS 1.2. Use the following steps:
1. Using Group Policy, enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security policy setting.
2. Open Internet Explorer. On the Tools menu, click Internet Options. Click the Advanced tab, and then select the Use TLS 1.2 check box.

2) Are all Secure LDAP connections negotiated using TLS 1.0? That is the way it looks in Wireshark, but Cisco says we are using TLS 1.2. How can I verify for sure?
>> For Windows 7 and Windows Server 2008 R2, TLS has been improved to version 1.2 in order to support:

Hash negotiation. The client and server can negotiate any hash algorithm to be used as a built-in feature, and the default cipher pair MD5/SHA-1 has been replaced with SHA-256.

Certificate hash or signature control. You can configure the certificate requester to accept only specified hash or signature algorithm pairs in the certification path.

Suite B-compliant cipher suites. Two cipher suites have been added so that the use of TLS can be Suite B compliant: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

3) Is the version of TLS used by Secure LDAP configurable?
>> TLS/SSL can be used for application-level protocols, such as File Transfer Protocol (FTP), Lightweight Directory Access Protocol (LDAP), and Simple Mail Transfer Protocol (SMTP). For the others, please refer to the above information.

In addition, there is a useful article for your reference: Cipher Suites in Schannel http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Hope this helps!

Best regards,
Elytis Cheng
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
May 17th, 2012 10:38pm
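The answer above points at Group Policy and the FIPS setting but does not show how to read back what Schannel on the server is actually configured to do. As an added example that is not from the thread or from Microsoft, here is a read-only PowerShell script for the Server 2008 R2 box itself: it reports the Enabled and DisabledByDefault values under the SCHANNEL\Protocols registry keys for each SSL/TLS version (server and client side), the FIPS policy flag, and the cipher suite order if the "SSL Cipher Suite Order" policy has been applied. Keys that do not exist are reported as "not configured", meaning the OS default applies; the script does not guess what that default is.

```powershell
# Added example, not from the thread: report this server's Schannel protocol settings,
# FIPS policy flag and any policy-enforced cipher suite order. Read-only; run elevated.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # Side is 'Server' or 'Client'
    $key = Join-Path $schannel "Protocols\$Protocol\$Side"
    $state = New-Object PSObject -Property @{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = 'not configured (OS default)'
        DisabledByDefault = 'not configured (OS default)'
    }
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # Both values are DWORDs. Enabled=0 switches the version off outright;
        # DisabledByDefault=1 keeps it available only to applications that ask for it.
        if ($props.PSObject.Properties['Enabled']) {
            $state.Enabled = $props.Enabled
        }
        if ($props.PSObject.Properties['DisabledByDefault']) {
            $state.DisabledByDefault = $props.DisabledByDefault
        }
    }
    return $state
}

function Get-CipherSuiteOrderPolicy {
    # The "SSL Cipher Suite Order" Group Policy writes a comma-separated REG_SZ
    # value named Functions under this key; no key means no policy is in force.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (-not (Test-Path $policyKey)) { return @() }
    $functions = (Get-ItemProperty -Path $policyKey).Functions
    if (-not $functions) { return @() }
    return @($functions -split ',')
}

function Get-FipsPolicyState {
    # "System cryptography: Use FIPS compliant algorithms..." sets this DWORD to 1.
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    if (Test-Path $fipsKey) { return (Get-ItemProperty -Path $fipsKey).Enabled }
    return 'not configured'
}

$report = foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        Get-SchannelProtocolState -Protocol $proto -Side $side
    }
}
$report | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize

"FIPS policy Enabled value: $(Get-FipsPolicyState)"

$order = @(Get-CipherSuiteOrderPolicy)
if ($order.Count -eq 0) {
    'No cipher suite order policy applied; Schannel uses the OS default order.'
} else {
    'Cipher suite order enforced by policy:'
    $order | ForEach-Object { "  $_" }
    # The two Suite B suites named in the answer are TLS 1.2-only and require an
    # ECDSA certificate; an RSA certificate never negotiates them, however they are ordered.
    $suiteB = @($order | Where-Object { $_ -like 'TLS_ECDHE_ECDSA_WITH_AES_*_GCM_SHA*' })
    "Suite B ECDHE_ECDSA GCM suites present in policy: $($suiteB.Count)"
}
```

Read the Server rows for TLS 1.0 and TLS 1.1 together with the probe results from the client side: if those versions are enabled (or not configured) on the server, the failing devices are not being refused on protocol version alone, and the mismatch is in the cipher suites each side can use with the installed SHA-384 certificate. The two GCM/SHA-384 suites in the answer exist only in TLS 1.2, so a client limited to TLS 1.0 or 1.1 can never negotiate them regardless of certificate type.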

Hi,

Thanks for posting in Microsoft TechNet forums. As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered, as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

Best Regards,
Elytis Cheng
TechNet Community Support
May 24th, 2012 5:03am
