This issue is fixed in PAM 3.x.
If you are running PAM 2.x, check the registry of the AD/LDAP servers. Java 7 supports keys of up to 1024 bits only, but many admins are changing their security options to require a minimum of 2048 bits, which PAM 2.x cannot currently handle.
To specify the Diffie-Hellman key bit length for the TLS server default, create a ServerMinKeyBitLength entry.
This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length.
If the entry is not configured, the default is 2048 bits.
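
The check described above, as an added example that is not part of the original article or the vendor's code: a PowerShell audit to run on each AD/LDAP server that reports the effective ServerMinKeyBitLength and whether it is within the 1024-bit limit stated for PAM 2.x. The registry path is an assumption taken from Microsoft's Schannel documentation and does not appear on this page; the function name is hypothetical.

```powershell
# Added example: read-only audit of the Schannel server-side minimum DH key size.
# Assumption: registry path per Microsoft's Schannel TLS documentation (not on this page).
$DhKeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$ClientMaxBits = 1024   # Java 7 / PAM 2.x limit stated in the article
$DefaultBits   = 2048   # value in effect when the entry is absent, per the article

function Get-ServerMinDhKeyBits {   # hypothetical helper name
    param([string]$Path = $DhKeyPath)

    # Returns nothing if either the key or the value is missing,
    # which is the out-of-the-box state described in the article.
    $item = Get-ItemProperty -Path $Path -Name 'ServerMinKeyBitLength' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        return [pscustomobject]@{ EntryPresent = $false; MinBits = $DefaultBits }
    }
    return [pscustomobject]@{ EntryPresent = $true; MinBits = [int]$item.ServerMinKeyBitLength }
}

$result = Get-ServerMinDhKeyBits

# One row per server; collect these to see which directory servers
# require more than a PAM 2.x client can handle.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    EntryPresent      = $result.EntryPresent
    ServerMinKeyBits  = $result.MinBits
    WithinPam2xLimit  = ($result.MinBits -le $ClientMaxBits)
}
```

A server that reports `WithinPam2xLimit = False` is one where the 2048-bit minimum (configured or default) applies, which is the condition this article describes for PAM 2.x.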