We recently ran into an issue where we could not get a Meraki Security Appliance (MX) to integrate with Microsoft's Active Directory. The Meraki dashboard was not particularly helpful in identifying why the connection was failing; the Event log just kept repeating the following error:
Unable to connect to Domain Controller. user: <username>, domain: <short name>, server: <server’s IP>
We did identify that the Username, Password, and IP were correct and that the MX could ping the Domain Controller.
Our next step was to perform a packet capture of the traffic between the MX and the Domain Controller. In the output of the .pcap file, you can see a Client Hello packet in which the MX offers the server 65 different cipher suites. The server responds with an immediate RESET, which normally indicates that none of the offered suites is supported.
Our Domain Controllers were Server 2012 R2 systems. During our search for a solution to the issue, we came across this KB: KB2919355.
It's important to note that this KB is actually a collection of 6 files that all need to be run, in a specific order. While running the file for 2919355, we ran into a separate issue where that file would not install. That problem was solved by running the following two hotfixes: Hotfix 2939087 and Hotfix 2975061. We were then able to install 2919355, as well as the remaining updates in the first KB article. After the reboot, the Meraki Dashboard reported that it was now able to communicate with the Domain Controllers.
We ran another packet capture, and the output of the .pcap is displayed below. You can see that the Client Hello is now met with a Server Hello response instead of a RESET. If we dig down and view the cipher suite in the response, we see that AES 256 SHA384 is being used, which apparently was not supported on Server 2012 R2 before the above KB was installed.
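The two captures above are read by hand in a packet analyzer: the first shows the list of suites the MX offers and no Server Hello at all, the second shows the suite the server picked. As an added example (not the authors' capture, and not Meraki or Microsoft code), the script below parses the TLS handshake records a capture tool would hand you, lists the cipher suites in a Client Hello, pulls the chosen suite out of a Server Hello, and reports an aborted negotiation when no Server Hello follows. The Client Hello and Server Hello bytes are constructed inline so it runs offline; the suite codes and names come from the IANA TLS cipher suite registry, and the choice of 0xC030 (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) as the "AES 256 SHA384" suite is an assumption, since the post does not name the exact suite.

```python
import struct

# Subset of the IANA TLS cipher suite registry (code -> name).
CIPHER_SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2


def suite_name(code):
    return CIPHER_SUITE_NAMES.get(code, "unknown (0x%04X)" % code)


def build_client_hello(suites):
    """Constructed sample: a minimal TLS 1.2 ClientHello record offering `suites`."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs             # cipher_suites vector
    body += b"\x01\x00"                                 # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite):
    """Constructed sample: a minimal TLS 1.2 ServerHello record selecting `suite`."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


def parse_hello(record):
    """Parse a handshake record; return the suites offered (ClientHello) or chosen (ServerHello)."""
    if not record or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                      # skip protocol version and random
    sid_len = body[pos]
    pos += 1 + sid_len                # skip session id
    if hs_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        return {"type": "ClientHello", "cipher_suites": suites}
    if hs_type == SERVER_HELLO:
        return {"type": "ServerHello", "cipher_suite": struct.unpack("!H", body[pos:pos + 2])[0]}
    raise ValueError("unexpected handshake type %d" % hs_type)


def analyze_exchange(client_record, server_record):
    """Summarise one negotiation. server_record=None models the RESET-instead-of-ServerHello case."""
    offered = parse_hello(client_record)["cipher_suites"]
    result = {"offered_count": len(offered), "offered": [suite_name(s) for s in offered]}
    if server_record is None:
        result.update(status="aborted", chosen=None,
                      note="no ServerHello: the server dropped the connection before choosing a suite")
        return result
    chosen = parse_hello(server_record)["cipher_suite"]
    result.update(status="negotiated" if chosen in offered else "protocol-violation",
                  chosen=suite_name(chosen))
    return result


if __name__ == "__main__":
    # Constructed exchange: client offers four suites, server picks 0xC030 (assumed "AES 256 SHA384").
    client = build_client_hello([0xC030, 0xC02F, 0x0035, 0x002F])
    print(analyze_exchange(client, None))                       # the failing capture
    print(analyze_exchange(client, build_server_hello(0xC030))) # the capture after the KB
```

To apply this to a real capture, feed it the raw record bytes exported from the analyzer (the record starts at the 0x16 byte that follows the TCP payload boundary); the "aborted" branch is what the first capture in the post would produce, and "protocol-violation" flags a server that picks a suite the client never offered, which is worth checking before blaming the client's list.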