Staff

Troubleshooting Tip: Remote LDAPS users fails to connect to SSL VPN with the error unhandled critical extension

Forum|Forum|3 months ago
March 11, 2026
0 replies
400 views

Description

This article describes the issue of being unable to connect to SSL VPN with LDAPS and provides a step-by-step guide to resolve the problem. The user is experiencing issues with authentication due to a certificate validation error.

Scope

FortiGate.

Solution

Test connectivity with the LDAPS server is successful, but authentication fails when attempting to connect to the VPN.

Packet captures were collected on the LDAP server during the VPN connection attempt. The analysis shows that the firewall returns a 'Certificate Unknown' error, even though both the Intermediate CA and Root CA certificates are installed on the firewall.

Verification of the fnbamd debug logs shows the following error occurring during the authentication process:

[1407] __ldap_tcps_connect-Start ldap conn timer.
[1686] __verify_cb-Cert error 34, unhandled critical extension. Depth 0. Subject '/DC=COM/DC=FORTISHEALTHCARE
/OU=Domain Controllers/CN=FHLAZ0DCP003'
[1374] __ldap_tcps_connect-tcps_connect(172.20.1.14) failed: ssl_connect() failed: 167772294 (error:0A000086:
SSL routines::certificate verify failed).

Verified the server certificate and observed that critical extensions were marked in the certificate.

The issue is related to the server certificate, where certain extensions were marked as critical during the certificate signing process. To resolve this issue, the server certificate must be re-signed with the 'Make this extension critical' option unchecked.