tana (Staff)
February 5, 2026

Technical Tip: NTLM Authentication failed on FortiProxy due to no route to authentication server

Description This article describes how to troubleshoot a specific scenario in which NTLM authentication fails on an explicit proxy setup because the FortiProxy has no route to the authentication server.
Scope FortiProxy, FortiGate.
Solution

To narrow this issue down, look for the following symptoms on the FortiProxy:

  1. The User Event logs show authentication failures, and the user field shows N/A:

 

[Screenshot: authfail.jpg]

 

  2. The connection to the authentication server has failed.

To check this in the GUI, go to User & Authentication and open the settings of the authentication server in use.

 

In this example, the LDAP server is the authentication server:

 

[Screenshot: LDAPserver.jpg]

 

The Connection status field will show:

 

Can't contact LDAP server

 

  3. The WAD debug logs show authenticate result=error.

To capture the WAD authentication debug:

 

diagnose debug console timestamp enable

diagnose wad debug enable category http

diagnose wad debug enable category auth

diagnose wad debug enable level verbose 

diagnose wad debug display pid enable 

diagnose wad filter src x.x.x.x 

 

Note: x.x.x.x is the source IP address of the client being tested.

 

To check the WAD debug filters (in this capture the filter was set to 1.1.1.1):

 

diagnose wad filter list
drop unknown sessions: disabled
source ip: 1.1.1.1-1.1.1.1

 

Enable debugging with: 

 

diagnose debug enable 

   

To stop debugging: 

 

diagnose debug disable

diagnose debug reset 

diagnose wad filter clear

 

Log example (the lines that identify this scenario are select server ip:NA, status=auth-service-unavaliable and authenticate result=error; long lines were wrapped by the console and have been rejoined here):

 

[V]2026-01-27 15:30:47.488301 [p:1151][s:50510363][r:50676360] wad_url_fetch_cate2 :1701 host=www.google.com ip=142.250.204.132
[I]2026-01-27 15:30:47.488318 [p:1151][s:50510363][r:50676360] wad_url_cate_dump_req_ctx :319 (fetch-done): req/wfp=1/0 cate: cate=255 webf=255 sslexempt=255 url/ip=0/0 done: bal=0,local/user/cache/ftgd/ia_cache=1/1/1/1/0 matched[url]: block/allow/user=0/0/0 ftgd=0 sub=1 log=0 invalid=0
[I]2026-01-27 15:30:47.488323 [p:1151][s:50510363][r:50676360] wad_url_filter_cancel :750 type=2 data=0x7fc17ea7f048 url_req=0x7fc17f53a8d8 id=0
[I]2026-01-27 15:30:47.488345 [p:1151][s:50510363][r:50676360] wad_http_req_get_user :13195 process=1151 auth-rule=Auth_Rule_OCBCGROUP user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=(nil) auth_line=0x7fc17eaae978
[I]2026-01-27 15:30:47.488352 [p:1151][s:50510363][r:50676360] wad_hauth_method_chg_get :1703 method:http-mix->NTLM hdr=NTL
[I]2026-01-27 15:30:47.488358 [p:1151][s:50510363][r:50676360] wad_auth_get_dc_server :267 select server ip:NA
[V]2026-01-27 15:30:47.488360 [p:1151][s:50510363][r:50676360] wad_http_user_auth :12699 1st auth with NTLM, status=auth-service-unavaliable
[I]2026-01-27 15:30:47.488363 [p:1151][s:50510363][r:50676360] wad_hauth_method_chg_get :1703 method:http-mix->NTLM hdr=NTL
[I]2026-01-27 15:30:47.488364 [p:1151][s:50510363][r:50676360] wad_auth_get_dc_server :267 select server ip:NA
[V]2026-01-27 15:30:47.488366 [p:1151][s:50510363][r:50676360] wad_http_user_auth :12699 2nd auth with NTLM, status=auth-service-unavaliable
[I]2026-01-27 15:30:47.488368 [p:1151][s:50510363][r:50676360] wad_http_auth_status_proc :12249 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=error
[V]2026-01-27 15:30:47.488372 [p:1151][s:50510363][r:50676360] wad_http_clt_read_sync :2076 hs=0x7fc17f5415a0 pause=(0/0x0) ret=-1 execute=wad_http_clt_read_req_line
[V]2026-01-27 15:30:47.488404 [p:1151][s:50510363][r:50676360] __wad_hauth_user_node_put :2561 wad_user_node_stats_put (662): putting node(ref=2) 0x7fc17d9b6db0
[I]2026-01-27 15:30:47.488408 [p:1151][s:50510363][r:50676360] wad_http_session_free :17043 http cache session 0x7fc17f5415a0 req=0x7fc17ea7f048 close
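
The capture above can be triaged mechanically instead of by eye. The following Python script is an added example, not part of the original article and not a Fortinet tool: it rejoins console-wrapped lines, parses the WAD line prefix ([level]timestamp [p:pid][s:session][r:request] function :line message), and flags, per WAD session, the signature of this scenario (select server ip:NA followed by status=auth-service-unavaliable), distinguishing it from an authentication failure where a server was reached. The article's own log excerpt is embedded as sample input, with some lines left wrapped as the console printed them; the second, healthy sample is constructed for illustration, and its select server ip:10.240.1.99 line is an assumption by analogy with the failing one.

```python
import re
from collections import defaultdict

# Shape of one WAD debug line: [level]timestamp [p:pid][s:session][r:request] function :srcline message
WAD_LINE = re.compile(
    r"^\[(?P<lvl>[A-Z])\](?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\[p:(?P<pid>\d+)\]\[s:(?P<ses>\d+)\]\[r:(?P<req>\d+)\] "
    r"(?P<func>\w+) :(?P<srcline>\d+) (?P<msg>.*)$"
)

# Markers of this failure mode, quoted from the article's capture.
# 'unavaliable' is the daemon's own spelling and must be matched as emitted.
NO_SERVER_FUNC = "wad_auth_get_dc_server"
NO_SERVER_MSG = "select server ip:NA"
SERVICE_DOWN = "status=auth-service-unavaliable"
RESULT_ERROR = "authenticate result=error"


def rejoin_wrapped(text):
    """Console captures wrap long lines, sometimes mid-token. Any line that does
    not start with '[' is treated as the tail of the previous WAD line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("[") or not lines:
            lines.append(raw)
        else:
            lines[-1] += raw
    return lines


def parse_wad(text):
    """Return one dict (lvl, ts, pid, ses, req, func, srcline, msg) per recognised line."""
    return [m.groupdict() for m in map(WAD_LINE.match, rejoin_wrapped(text)) if m]


def triage(text):
    """Group the authentication-related events by WAD session id."""
    sessions = defaultdict(lambda: {"rule": None, "method": None, "findings": []})
    for ev in parse_wad(text):
        s, msg = sessions[ev["ses"]], ev["msg"]
        m = re.search(r"auth-rule=(\S+)", msg)
        if m:
            s["rule"] = m.group(1)
        m = re.search(r"method:[\w-]+->(\w+)", msg)   # e.g. method:http-mix->NTLM
        if m:
            s["method"] = m.group(1)
        if ev["func"] == NO_SERVER_FUNC and msg.endswith(NO_SERVER_MSG):
            s["findings"].append("no-auth-server-selected")
        if SERVICE_DOWN in msg:
            s["findings"].append("auth-service-unavailable")
        if RESULT_ERROR in msg:
            s["findings"].append("authenticate-result-error")
    return dict(sessions)


def verdict(session):
    """Map a session's findings to the likely cause."""
    f = set(session["findings"])
    if "no-auth-server-selected" in f and "auth-service-unavailable" in f:
        return "auth-server-unreachable"   # WAD had no server to talk to: check the route
    if "authenticate-result-error" in f:
        return "auth-error-other"          # a server was selected but auth still failed
    return "no-auth-failure"


def report(text):
    """One (session, verdict, method, auth-rule) tuple per session."""
    return [(ses, verdict(s), s["method"], s["rule"]) for ses, s in triage(text).items()]


# Sample input 1: the article's capture, with three console wraps left in place.
ARTICLE_LOG = """\
[V]2026-01-27 15:30:47.488301 [p:1151][s:50510363][r:50676360] wad_url_fetch_cate2 :1701 host=www.google.com ip=142.250.204.132
[I]2026-01-27 15:30:47.488318 [p:1151][s:50510363][r:50676360] wad_url_cate_dump_req_ctx :319 (fetch-done): req/wfp=1/0 cate: cate=255 webf=255 sslexempt=255 url/ip=0/0 done: bal=0,local/user/cache/ftgd/ia_cache=1/1/1/1/0 matched[url]: block/allow/user=0/0/0 ftgd=0 sub=1 log=0 invalid=0
[I]2026-01-27 15:30:47.488323 [p:1151][s:50510363][r:50676360] wad_url_filter_cancel :750 type=2 data=0x7fc17ea7f048 url_req=0x7fc17f53a8d8 id=0
[I]2026-01-27 15:30:47.488345 [p:1151][s:50510363][r:50676360] wad_http_req_get_user :13195 process=1151 auth-rule=Auth_Rule_OCBCGROUP user=/0/0 ip-based/a
uth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=(nil) auth_line=0x7fc17eaae978
[I]2026-01-27 15:30:47.488352 [p:1151][s:50510363][r:50676360] wad_hauth_method_chg_get :1703 method:http-mix->NTLM hdr=NTL
[I]2026-01-27 15:30:47.488358 [p:1151][s:50510363][r:50676360] wad_auth_get_dc_server :267 select server ip:NA
[V]2026-01-27 15:30:47.488360 [p:1151][s:50510363][r:50676360] wad_http_user_auth :12699 1st auth with NTLM, status=auth-service-unavaliable
[I]2026-01-27 15:30:47.488363 [p:1151][s:50510363][r:50676360] wad_hauth_method_chg_get :1703 method:http-mix->NTLM hdr=NTL
[I]2026-01-27 15:30:47.488364 [p:1151][s:50510363][r:50676360] wad_auth_get_dc_server :267 select server ip:NA
[V]2026-01-27 15:30:47.488366 [p:1151][s:50510363][r:50676360] wad_http_user_auth :12699 2nd auth with NTLM, status=auth-service-unavaliable
[I]2026-01-27 15:30:47.488368 [p:1151][s:50510363][r:50676360] wad_http_auth_status_proc :12249 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=error
[V]2026-01-27 15:30:47.488372 [p:1151][s:50510363][r:50676360] wad_http_clt_read_sync :2076 hs=0x7fc17f5415a0 pause=(0/0x0) ret=-1 execute=wad_http_clt_rea
d_req_line
[V]2026-01-27 15:30:47.488404 [p:1151][s:50510363][r:50676360] __wad_hauth_user_node_put :2561 wad_user_node_stats_put (662): putting node(ref=2) 0x7fc17d9b6d
b0
[I]2026-01-27 15:30:47.488408 [p:1151][s:50510363][r:50676360] wad_http_session_free :17043 http cache session 0x7fc17f5415a0 req=0x7fc17ea7f048 close
"""

# Sample input 2: constructed, not from the article. Assumes that with a working route
# wad_auth_get_dc_server reports the selected server IP instead of NA.
HEALTHY_LOG = """\
[I]2026-01-27 16:00:00.000001 [p:1151][s:1][r:2] wad_http_req_get_user :13195 process=1151 auth-rule=Auth_Rule_OCBCGROUP user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=(nil) auth_line=0x0
[I]2026-01-27 16:00:00.000002 [p:1151][s:1][r:2] wad_hauth_method_chg_get :1703 method:http-mix->NTLM hdr=NTL
[I]2026-01-27 16:00:00.000003 [p:1151][s:1][r:2] wad_auth_get_dc_server :267 select server ip:10.240.1.99
"""

if __name__ == "__main__":
    for row in report(ARTICLE_LOG) + report(HEALTHY_LOG):
        print("session=%s verdict=%s method=%s rule=%s" % row)
```

Paste a full capture (with the filter set to the client IP as shown earlier) into ARTICLE_LOG's place; a verdict of auth-server-unreachable for a session means the daemon never selected a server at all, which points at routing or interface configuration on the FortiProxy rather than at credentials or the NTLM negotiation itself.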

Solution:

Check the routing configuration and make sure the FortiProxy/FortiGate has a route that allows it to initiate the connection to the authentication server. The server must be reachable from the unit itself, not only from the clients behind it, because it is the proxy that contacts the server on the client's behalf.

In this scenario, the fix was to add a static host route to the LDAP server IP via the mgmt interface:

config router static
    edit 1
        set dst 10.240.1.99 255.255.255.255
        set gateway 10.77.1.77
        set device "mgmt"
    next
end

Afterwards, confirm the route is installed with get router info routing-table details 10.240.1.99, re-check the server's Connection status in the GUI, and repeat the WAD capture: the select server ip:NA and status=auth-service-unavaliable lines should no longer appear, and the user field in the User Event logs should be populated instead of N/A.