pabarro (Staff)
February 27, 2025

Troubleshooting Tip: Authentication failures with LDAP users

Description
This article describes how to troubleshoot authentication issues with Active Directory users using the LDAP protocol, where the message obtained when entering credentials is 'Authentication failure'.

Scope
FortiOS.

Solution
  • Validate the LDAP authentication with the following command:

CLI:

diagnose test authserver ldap <ldap_server_name> <username> <password>

GUI: Test the user credentials directly from the GUI under User & Authentication -> LDAP Servers -> Test credentials.

[Screenshot: ldap.png]

When entering the username, the format depends on the configured Common Name Identifier:

  • If the Common Name Identifier is set to 'sAMAccountName', use the User Logon Name from Windows Active Directory.
  • If the Common Name Identifier is set to 'cn', the user must authenticate using the Display Name.

See also: Technical Tip: Using logon name for the LDAP authentication

If the Common Name Identifier is configured as 'cn' but the User Logon Name is entered, authentication fails with invalid credentials.

  • Check the status of the processes by running the following command:

Fortigate-A # diagnose sys top 4 40 10
Run Time:  86 days, 3 hours and 9 minutes
24U, 0N, 4S, 72I, 0WA, 0HI, 0SI, 0ST; 16047T, 9314F
          fnbamd    29949      R      98.5     0.1    7
             wad    31715      S      52.7     0.4    1
             wad    31716      S      37.8     0.4    1
             wad    31717      R      17.4     0.4    0
          httpsd    31696      S       1.4     0.1    6
       ipsengine     9027      S <     0.9     1.0    3
        dnsproxy      267      S       0.9     0.3    3
       ipsengine     9026      S <     0.4     1.0    1

  • After identifying that the fnbamd process is consuming high CPU, enable fnbamd debugging as follows:

Fortigate-A # diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
Fortigate-A # diagnose debug enable
2025-02-11 09:43:52 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:52 failed to send auth_cert request
2025-02-11 09:43:53 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:53 failed to send auth_cert request
2025-02-11 09:43:53 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:53 failed to send auth_cert request
2025-02-11 09:43:53 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:53 failed to send auth_cert request
2025-02-11 09:43:55 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:55 failed to send auth_cert request
2025-02-11 09:43:56 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:56 failed to send auth_cert request
2025-02-11 09:43:56 send_request: Error sending errno=11(Resource temporarily unavailable)

If the above error appears in the debug output, the certificate authentication failed because of a network reachability problem. In this case, test the connectivity between the FortiGate and the LDAP server with the sniffer:

diagnose sniffer packet any 'host <ldap_server_ip> and port <server_port>' 6 0 1

  • If no certificate error appears during the packet capture, restart the fnbamd process with the following:

diagnose sys process pidof fnbamd     <- Verify process ID.
diagnose sys kill 9 <pidof>           <- Kill process.

  • Verify that there is actually a new process ID for fnbamd by running the following command:

diagnose sys top 4 40 10

  • Validate that the LDAP authentication is working now:

diagnose test authserver ldap <ldap_server_name> <username> <password>

Example:

diagnose test authserver ldap AD_LDAP user1 password
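
As an added example (not from the original article or from Fortinet), the following Python applies the article's decision steps to captured CLI output: it parses `diagnose sys top` rows and fnbamd debug lines and names the next troubleshooting action. The sample captures are constructed from the article's format, and the 80% CPU threshold is an assumption.

```python
import re
from collections import Counter
# Constructed sample of `diagnose sys top` output, modelled on the article's capture (not a real device).
TOP_SAMPLE = """\
Run Time:  86 days, 3 hours and 9 minutes
24U, 0N, 4S, 72I, 0WA, 0HI, 0SI, 0ST; 16047T, 9314F
          fnbamd    29949      R      98.5     0.1    7
             wad    31715      S      52.7     0.4    1
          httpsd    31696      S       1.4     0.1    6
       ipsengine     9027      S <     0.9     1.0    3
"""
# Constructed sample of `diagnose debug application fnbamd -1` output.
DEBUG_SAMPLE = """\
2025-02-11 09:43:52 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:52 failed to send auth_cert request
2025-02-11 09:43:53 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:53 failed to send auth_cert request
"""
# A process row: name, PID, state letter (optionally followed by '<'), CPU%, MEM%.
TOP_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*<?\s+([\d.]+)\s+([\d.]+)")
SEND_ERR = re.compile(r"^\S+ \S+ send_request: Error sending errno=(\d+)\(")

def parse_top(text):
    """Map process name -> (pid, cpu%), keeping the busiest instance of each name."""
    procs = {}
    for line in text.splitlines():
        m = TOP_ROW.match(line)
        if m:
            name, pid, _state, cpu, _mem = m.groups()
            if name not in procs or float(cpu) > procs[name][1]:
                procs[name] = (int(pid), float(cpu))
    return procs

def count_send_errors(text):
    """Count fnbamd send_request failures per errno value."""
    return Counter(int(m.group(1)) for m in map(SEND_ERR.match, text.splitlines()) if m)

def triage(top_text, debug_text, cpu_threshold=80.0):
    """Apply the article's decision steps to the two captures and name the next action."""
    pid, cpu = parse_top(top_text).get("fnbamd", (None, 0.0))
    errno11 = count_send_errors(debug_text).get(11, 0)
    if pid is None:
        return "fnbamd not found in top output: check process status"
    if errno11:
        return (f"fnbamd pid {pid} at {cpu}% CPU, {errno11} errno=11 send failures: "
                "sniff traffic to the LDAP server; restart fnbamd if no certificate error is seen")
    if cpu >= cpu_threshold:  # assumed threshold, not a FortiOS value
        return f"fnbamd pid {pid} at {cpu}% CPU: enable fnbamd debug"
    return "no fnbamd anomaly: check the username format against the Common Name Identifier"
```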

Note:
Open a ticket with TAC if the problem is not resolved.

 
