tino_p
Staff
March 11, 2026

Technical Tip: A connection error that occurs when using the FortiPAM native launchers

Description

This article describes a connection error that occurs when using the FortiPAM native launchers (such as native PuTTY, native RDP, or WinSCP) to access a server, while the connection works fine when using WebSSH or WebRDP.

For example, in this topology:

FortiPAM [172.X.X.100/port1] ==== [172.X.X.1] Switch ==== [172.X.X.15] Server.

This connection error is triggered by selecting the 'Putty' icon under 'Secrets' on FortiPAM.

Scope

FortiPAM.

Solution
  1. Collect the FortiVRS and FortiTCS logs on the client side:
    1. FortiVRS debug log on FortiClient: Technical Tip: FortiPAM enable FortiVRS debug logs on FortiClient.
    2. Run diagnostics in the FortiClient application: FortiClient -> Settings -> About -> Diagnostic Tool, then select 'Run'.
       The log location will open automatically after generating the diagnostic logs.
    3. FortiClient logs on the client computer:

       C:\Program Files\Fortinet\FortiClient\logs\trace
       C:\Users\[Logged-In User]\AppData\Roaming\FortiClient\logs\trace

  2. The FortiTCS log shows the certificate error:


[2026-02-20 10:47:20.4858779] [fortitcs error] handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority

The TLS handshake fails because the Certificate Authority (CA) that signed the PAM server's certificate is not present in the local trust store of the connecting endpoint.

  3. To fix the issue, change the value of 'disallow_invalid_server_certificate' to 0 on the FortiClient EMS side:
    1. Go to Endpoint profiles -> ZTNA destinations.
    2. Go to XML.
    3. Select Edit.
    4. Set <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>.
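
To check collected trace logs for the certificate failure shown in step 2, the following added example (not part of the original article and not Fortinet tooling) parses lines in the format of the quoted FortiTCS entry and groups certificate-verification failures by reason. Only the first sample line comes from the article; the other sample lines, the `info` level and the function names are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample: the first line is the entry quoted in the article,
# the remaining lines are made up to exercise the parser.
SAMPLE_LOG = """\
[2026-02-20 10:47:20.4858779] [fortitcs error] handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority
[2026-02-20 10:47:21.0000000] [fortitcs info] constructed informational line
[2026-02-20 10:48:02.1234567] [fortitcs error] handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority
not a log line
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.(?P<frac>\d+))?\] "
    r"\[(?P<component>\w+) (?P<level>\w+)\] (?P<msg>.*)$"
)
VERIFY_PREFIX = "handshake failed: tls: failed to verify certificate: "


def parse_line(line):
    """Return (timestamp, component, level, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    # The log carries 7 fractional digits; datetime stores microseconds (6), so truncate.
    frac = (m["frac"] or "0")[:6].ljust(6, "0")
    return ts.replace(microsecond=int(frac)), m["component"], m["level"], m["msg"]


def cert_failures(text):
    """Map each certificate-verification failure reason to the timestamps it occurred at."""
    found = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "error" and rec[3].startswith(VERIFY_PREFIX):
            found.setdefault(rec[3][len(VERIFY_PREFIX):], []).append(rec[0])
    return found


if __name__ == "__main__":
    for reason, stamps in cert_failures(SAMPLE_LOG).items():
        print(f"{len(stamps)}x {reason} (first {stamps[0]}, last {stamps[-1]})")
```

To use it on real data, pass the contents of a file from the trace directories listed in step 1 to `cert_failures()` instead of `SAMPLE_LOG`.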