FortiAuthenticator provides access management and single sign on.
Article Id 195891


This article describes how to enable Windows Active Directory domain authentication on FortiAuthenticator and how to monitor it.



  1. Settings.

After creating a new remote LDAP server on FortiAuthenticator, edit the LDAP server and enable Windows Active Directory Domain Authentication.


Go to Authentication -> Remote Auth. Servers -> LDAP -> Edit Remote LDAP Server


  • Select check box 'Radio' button.
  • Kerberos realm name: TAC.LOCAL.
  • Domain NetBIOS name: TAC.
  • FortiAuthenticator NetBIOS name: FortiAuthenticar.
  • Administrator username: Administrator.
  • Administrator password: Password.




  • To find the Kerberos realm name, open CMD on the Windows domain server, type: 'echo %userdnsdomain%' -> and identify: 'USERDNSDOMAIN='

  • To find the NetBIOS name, open CMD on the Windows domain server, type: 'echo %userdomain%' -> and identify: 'USERDOMAIN='

  • To see more information about the Windows server, type: 'set'




  2. Monitoring.

Go to Monitor -> Authentication -> Windows Active Directory Server.



  • It is important to check the connection status and the time synchronization between FortiAuthenticator and the Windows Active Directory server.
  • If the status shows: 'Connection: joined domain, connected' -> This is the correct behavior.
  • If it shows: 'Connection: joined domain, not connected' -> Cross-check the settings again, and also check the time synchronization on FortiAuthenticator.
  • An incorrect date or time might cause this to fail.
  • Refer to: Troubleshooting Tip: FortiAuthenticator error: Failed to join Windows AD network: Domain Name
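
The following PowerShell script is an added example, not part of the original article or of Fortinet's tooling. Run on the Windows domain server, it collects the Kerberos realm and NetBIOS domain name needed in the settings above and measures the server's clock offset against a time source. The host name 'ntp.example.internal' is a placeholder, and the script assumes FortiAuthenticator is synchronized to that same source.

```powershell
# Added example: run in PowerShell on the Windows domain server.
# $NtpSource is a placeholder (assumption): replace it with the time source
# that FortiAuthenticator is synchronized to.
$NtpSource      = 'ntp.example.internal'
$MaxSkewSeconds = 300   # default Kerberos clock-skew tolerance in AD (5 minutes)

# Same values that 'echo %userdnsdomain%' and 'echo %userdomain%' print in CMD.
$realm   = $env:USERDNSDOMAIN
$netbios = $env:USERDOMAIN
if (-not $realm) {
    throw 'USERDNSDOMAIN is not set: log on with a domain account and retry.'
}

# With /dataonly, each sample line looks like "10:15:02, +00.0123456s".
# Lines reporting an error carry no offset and are skipped by the regex.
$raw = & w32tm /stripchart "/computer:$NtpSource" /samples:3 /dataonly 2>&1 |
    ForEach-Object { "$_" }
$offsets = @(foreach ($line in $raw) {
    if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
        [math]::Abs([double]$Matches[1])
    }
})
if ($offsets.Count -eq 0) {
    throw "No time samples received from ${NtpSource}:`n$($raw -join "`n")"
}
$worst = ($offsets | Measure-Object -Maximum).Maximum

# Summary: the first two fields go into the FortiAuthenticator LDAP server form.
[pscustomobject]@{
    KerberosRealmName  = $realm.ToUpperInvariant()
    DomainNetBIOSName  = $netbios
    TimeSource         = $NtpSource
    WorstOffsetSeconds = [math]::Round($worst, 3)
    WithinKerberosSkew = ($worst -lt $MaxSkewSeconds)
}
```

If WithinKerberosSkew is False, correct the time on the domain server before re-checking the connection status on FortiAuthenticator.
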


  3. Logs.
  • Go to FortiAuthenticator -> Logging -> Log Access -> Logs.
  • Log Record Detail.



For further information, refer to these related documents:

FortiAuthenticator Administration Guide

FortiAuthenticator LDAP -> Service

Troubleshooting Tip: FortiAuthenticator error: Failed to join Windows AD network: Domain Name