sfernando
Staff
March 17, 2026

Technical Tip: Selecting the correct 'user-database' for remote user authentication when using ZTNA HTTPS access proxy

Description
This article describes which 'user-database' is to be used for user authentication in a ZTNA HTTPS access proxy.
Scope
FortiGate.
Solution

When accessing ZTNA destinations through the ZTNA HTTPS access proxy, some services require additional user authentication on top of the EMS tag check. In such cases, configure the following:

config authentication scheme
    edit "TEST1"
        set method form
        set require-tfa enable
        set user-database "local-user-db"
    next
end

config authentication rule
    edit "ZTNA-MFA-Rule"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "TEST1"
        set web-auth-cookie enable
    next
end

config user group
    edit "TESTGRP"
        set member "testuser1" "testuser2"
    next
end

config user local
    edit "testuser1"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOBxxxxxxxx"
        set email-to "testuser1@fortinet.com"
        set ldap-server "Remote LDAP Server"
    next
end

config user ldap
    edit "Remote LDAP Server"
        set server "192.168.50.16"
        set cnid "sAMAccountName"
        set dn "dc=fortinet,dc=com"
        set type regular
        set username "sydlab@foritnet"
        set password ENC roKpGO6
    next
end

config firewall proxy-policy
    edit 3
        set name "ZTNA-TEST"
        set proxy access-proxy
        set access-proxy "TEST1"
        set srcintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS-TAG1"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "TESTGRP"
    next
end

In cases where authentication is done for users with MFA enabled, the users must be imported from the remote server (e.g., LDAP) and the token added to each of them. Because the user is imported into FortiGate, one might treat it as a local user and therefore select 'local-user-db' as the 'user-database'.

Instead, the remote LDAP server must be selected as the 'user-database':

config authentication scheme
    edit "TEST1"
        set method form
        set require-tfa enable
        set user-database "Remote LDAP Server"   <---
    next
end

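To catch this mismatch before users hit the login form, here is an added example (not Fortinet's code, written for this article): a small Python checker that parses FortiOS CLI blocks and flags any authentication scheme whose 'user-database' omits the LDAP/RADIUS/TACACS+ server that backs a remote-type 'user local' entry. The minimal CLI parser and the sample configuration are constructed for the example.

```python
import shlex

REMOTE_TYPES = {"ldap", "radius", "tacacs+"}  # 'set type' values of remote-backed local users

def parse_fortios(text):
    """Minimal FortiOS CLI parser -> {table: {entry: {attr: [values]}}} (constructed helper)."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        tok = shlex.split(raw)          # honours the quoted values used by FortiOS
        if not tok:
            continue
        if tok[0] == "config":          # e.g. 'config user local' -> table "user local"
            stack.append(" ".join(tok[1:]))
            tables.setdefault(stack[-1], {})
        elif tok[0] == "edit":
            entry = tables[stack[-1]].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]     # multi-valued attributes (e.g. member) keep all values
        elif tok[0] in ("next", "end"):
            entry = None
            if tok[0] == "end":
                stack.pop()
    return tables

def find_userdb_mismatches(tables):
    """Return (scheme, user, server) for every remote-backed local user whose
    backing server is missing from the scheme's user-database (e.g. 'local-user-db')."""
    users = tables.get("user local", {})
    findings = []
    for sname, scheme in tables.get("authentication scheme", {}).items():
        dbs = set(scheme.get("user-database", []))
        for uname, user in users.items():
            utype = user.get("type", ["password"])[0]
            if utype in REMOTE_TYPES:
                server = user.get(f"{utype}-server", [""])[0]  # ldap-server / radius-server / ...
                if server not in dbs:
                    findings.append((sname, uname, server))
    return findings

# Constructed sample mirroring the article's first (failing) configuration.
SAMPLE = "\n".join([
    "config authentication scheme", ' edit "TEST1"', "  set method form",
    "  set require-tfa enable", '  set user-database "local-user-db"', " next", "end",
    "config user local", ' edit "testuser1"', "  set type ldap",
    "  set two-factor fortitoken", '  set ldap-server "Remote LDAP Server"', " next",
    ' edit "testuser2"', "  set type password", " next", "end",
])

if __name__ == "__main__":
    for scheme, user, server in find_userdb_mismatches(parse_fortios(SAMPLE)):
        print(f"scheme {scheme!r}: user {user!r} needs user-database {server!r}")
```

Feed it the output of `show full-configuration` (the relevant tables) and an empty result means every remote-backed user can actually reach its server through the scheme.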
With 'local-user-db' selected, the fnbamd and WAD debugs show the authentication failing as follows:

WAD debugs:

[I][p:448] wad_ui_netlink_route_on_event :5813 receive netlink route event.
[I][p:448] wad_ui_netlink_route_on_event :5813 receive netlink route event.
[I][p:448] wad_ui_netlink_route_on_event :5813 receive netlink route event.
[I][p:448] wad_ui_netlink_route_checker :5828 netlink route status checker 'netlink route status': now status: 2000939 last status:2000935
[I][p:448] wad_update_conf_checker :6583 checker netlink route status update
[W][p:11567] wad_fnbam_on_resp :67 fnbam_auth_get_result failed  <<<<<<<<<<<
[I][p:11567] wad_usr_pass_auth_on_fnbam_resp :757 finished password authentication testuser1/276388 res=error (oldres=error)    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[I][p:11565] wad_unix_stream_on_read_msg :593 recvmsg
[I][p:11565] wad_unix_stream_on_read_msg :593 recvmsg
[I][p:11565] wad_unix_stream_on_read_msg :593 recvmsg
[I][p:11565] wad_unix_stream_on_read_msg :593 recvmsg

fnbamd debugs:

2026-03-06 11:04:38 [1774] handle_req-Rcvd auth req 49679926231043 for testuser1 in opt=0000011e prot=9 svc=1
2026-03-06 11:04:38 [336] __compose_group_list_from_req-Group 'testuser1', type 5
2026-03-06 11:04:38 [511] create_auth_session-Session created for req id 49679926231043
2026-03-06 11:04:38 [357] auth_local-started for testuser1
2026-03-06 11:04:38 [429] auth_local-No conclusion, FNBAM_UNKNOWN
2026-03-06 11:04:38 [439] fnbamd_cfg_get_pop3_list-
2026-03-06 11:04:38 [396] __fnbamd_cfg_get_pop3_list_by_server-
2026-03-06 11:04:38 [221] fnbamd_pop3_get-vfid=0, name='testuser1'
2026-03-06 11:04:38 [333] fnbamd_pop3_auth_ctx_push-Failed to create pop3 ctx for 'testuser1'.
2026-03-06 11:04:38 [449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
2026-03-06 11:04:38 [889] fnbamd_auth_start-No remote authentication started  <<<<<<<<<<<<<
2026-03-06 11:04:38 [424] start_remote_auth-Error starting remote authentication  <<<<<<<<<<<<
2026-03-06 11:04:38 [900] update_auth_token_session-mfa_mandatory is off, only success results may require 2fa
2026-03-06 11:04:38 [1913] handle_req-Two-factor token is not needed
2026-03-06 11:04:38 [1917] handle_req-r=5
2026-03-06 11:04:38 [1947] handle_req-Error starting session
2026-03-06 11:04:38 [239] fnbamd_comm_send_result-Sending result 5 (nid 0) for req 49679926231043, len=2592
2026-03-06 11:04:38 [603] destroy_auth_session-delete session 49679926231043