EMSQuestion
New Member
September 2, 2021
Question

Forticlient SSL VPN with SAML error -7200 at 48%

  • September 2, 2021
  • 6 replies
  • 99147 views

Hi,

I have recently set up SAML auth with Azure AD but can't get it to work via Forticlient.

Users can log in to the web portal and auth using SSO successfully; it's just Forticlient that fails.

When users try to connect via Forticlient they are directed to the correct Microsoft login URL and can successfully auth with their Azure creds (including MFA), but after accepting the MFA prompt Forticlient stops at 48% and shows "Credential or SSLVPN configuration is wrong (-7200)".

Checking the SSL-VPN Monitor in the Forti shows the user as being connected, but only with "Web Connections" instead of "Tunnel Connections".

It's almost like, when authenticating, Forticlient can't find the user in a User Group, so it assigns them to the Web-access portal.

Running Forticlient 7.0 and firmware 7.0.1 on the Forti.

There is a post on Reddit about the SSL-VPN certificate key length having to be 2048, but we are using a certificate with a key length of 4096.

CONFIG BELOW (using example FQDN)

--------------------------------------------------------

config user saml
edit "azure-saml"
set cert "Fortinet"
set entity-id "https://example-company.com:10443/remote/saml/metadata"
set single-sign-on-url "https://example-company.com:10443/remote/saml/login"
set single-logout-url "https://example-company.com:10443/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/YYY-e027-4bb6-a213-XXX/"
set idp-single-sign-on-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
set idp-cert "Azure_SAML"
set user-name "username"
set group-name "group"
next
end

config user group
edit "SAML_AZ_ALL"
set member "azure-saml"
config match
edit 1
set server-name "azure-saml"
set group-name "YYY-a79a-40f0-a2df-XXX"   <-- Object ID of my Azure group
next
end
next
end
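The group-matching step the post describes, as an added example that is not part of the original post or of Fortinet's own code: a small Python script that parses a SAML assertion and applies the same rule as the `config match` block above (the attribute named by `group-name` must carry a value equal to the configured group string, the Azure group Object ID here). The claim names `username` and `group` are taken from the post's config; the placeholder Object ID, the sample users and the assertions themselves are constructed, not captured traffic. It also shows the two failure cases a practitioner wants to see: the user is in a different group, or the IdP emits the group list under a different claim name (Azure AD's default group claim is the long `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` URI). In both cases the user authenticates fine at the IdP but matches no group on the FortiGate, which is the symptom the post reports.

```python
"""Added example: reproduce a FortiGate-style SAML group match offline.

Mirrors the post's 'config user saml' (user-name "username", group-name "group")
and 'config user group ... config match' blocks. Nothing here is Fortinet code.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the post's 'config user saml' block.
USER_ATTR = "username"
GROUP_ATTR = "group"

# Constructed placeholder standing in for the post's "YYY-a79a-40f0-a2df-XXX";
# not a real Azure AD group Object ID.
EXPECTED_GROUP = "00000000-a79a-40f0-a2df-000000000000"

# Azure AD's default claim name for group membership (a schema URI, not "group").
AZURE_DEFAULT_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def build_assertion(user, groups, group_attr_name=GROUP_ATTR):
    """Build a constructed (unsigned, minimal) SAML assertion for the demo.

    Only the AttributeStatement is modelled because that is all the group
    match consumes; Issuer, Conditions and Signature are deliberately omitted.
    """
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{USER_ATTR}"><saml:AttributeValue>{user}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{group_attr_name}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def match_user_group(attrs, expected_group=EXPECTED_GROUP):
    """Apply the 'config match' rule: the user lands in the group only when the
    attribute named GROUP_ATTR carries a value equal to the configured string.

    Returns (username, matched, reason). Comparison is exact and case-sensitive,
    as a configured Object ID string would be.
    """
    username = (attrs.get(USER_ATTR) or [None])[0]
    groups = attrs.get(GROUP_ATTR)
    if groups is None:
        present = ", ".join(sorted(k for k in attrs if k)) or "none"
        return username, False, f"no attribute named {GROUP_ATTR!r} (attributes present: {present})"
    if expected_group in groups:
        return username, True, "group value matched"
    return username, False, f"attribute {GROUP_ATTR!r} present but {expected_group!r} not in {groups}"


def run_demo():
    """Three constructed users: a match, a wrong group, and a wrong claim name."""
    cases = {
        "alice@example-company.com": build_assertion("alice@example-company.com", [EXPECTED_GROUP]),
        "bob@example-company.com": build_assertion(
            "bob@example-company.com", ["11111111-1111-4111-8111-111111111111"]),
        "carol@example-company.com": build_assertion(
            "carol@example-company.com", [EXPECTED_GROUP], AZURE_DEFAULT_GROUP_CLAIM),
    }
    return {user: match_user_group(extract_attributes(xml)) for user, xml in cases.items()}


if __name__ == "__main__":
    for user, (_, matched, reason) in run_demo().items():
        outcome = "tunnel group matched" if matched else "no group match (web-access fallback)"
        print(f"{user}: {outcome}; {reason}")
```

Only `alice` matches; `bob` fails because his group value differs, and `carol` fails although she is in the right group, because the IdP sent the groups under a claim name other than the `group` the FortiGate config expects. That last case is the one to rule out first when the IdP login succeeds but the client still reports -7200.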

    6 replies

    rina5392
    New Member
    September 14, 2021

    Good day, did you figure this out? I have the exact same problem.

    ls_mark
    New Member
    November 5, 2021

    I also have the same issue on Windows FortiClient only; the same user works on macOS FortiClient.

    simonorch
    Explorer
    November 6, 2021

    If you suspect a group mismatch issue, this recent KB article is really good:

    https://kb.fortinet.com/k...=1%200%20262768462%27)

    rvarajao
    New Member
    December 6, 2022

    Hello, did you find the cause of this issue?

    VinayHM
    Staff
    December 9, 2022

    Please check the samld logs: is there any clock skew error in the logs?

    And please update the complete version of FortiClient.

    LucianoCastillo
    Explorer
    May 3, 2023

    Out of our 3000 users, only 5 have reported experiencing this issue. Any idea?

    VinayHM
    Staff
    May 24, 2023

    Hi,

    can you please check in the sslvpn and fnbamd logs that the user is getting the matched group?

    LucianoCastillo
    Explorer
    May 24, 2023

    I have identified the root cause of the problem. The system administrator had created a security group and added certain users to it. However, these users were facing issues while using VPN. Upon investigation, I discovered that the group had too many permissions which were causing conflicts with Forticlient. I promptly requested the system administrator to delete the group to resolve the issue.
    This issue can occur in various situations, not just one.

    RMK
    New Member
    July 20, 2023

    I have the same problem with Fortios 7.012 + ForticlientEms 6.410. This combination causes the error "Credential or SSLVPN configuration is wrong (-7200)". Certificate key length is 4096. Everything worked fine with FortiOS 6.413 + ForticlientEms 6.410. I temporarily changed the SAML user ssl-certificate to Fortigate-factor. This solved the problem.

    RMK
    New Member
    August 23, 2023

    The final solution was to update all VPN clients (6.410 --> 7.09).

    LucianoCastillo
    Explorer
    August 23, 2023

    This software has a lot of glitches. When updating the Forticlient VPN to the latest version, I encountered an issue where it wouldn't save the password. As a result, it kept asking for the username and password every time. But if you already signed in using version 6.4 it will work; but if you get a new laptop and install the latest version you may have this issue where it asks for a username and password every time you get in.

    PCS1
    New Member
    February 25, 2025

    I know this is a mighty old thread, but I recently had this problem and it turns out it was the remote auth timeout.

    config system global
    set remoteauthtimeout 1-300s