Description
This article describes how to configure LDAPS with FortiAuthenticator, assuming that the domain controller has a valid computer certificate in place.
Scope
FortiAuthenticator.
Solution
In this example, Microsoft Windows Active Directory has been used as the Certificate Authority.
These tests were performed with Windows Server 2019.
Open Run and type mmc.exe.
Go to File and select Add/Remove Snap-in, choose Certificates, and select 'Add'.
Select the option 'Computer Account'.
Select the option 'Local Computer' and choose 'Finish'.
Select 'Certificates', go to Personal -> Certificates and select the certificate that has the same name as the domain controller (the computer certificate).
Right-click it, select 'All Tasks' and choose 'Export'.
Select the 'No, do not export the private key' option and the DER file format.
Select 'Next', specify a filename for the export and choose 'Finish'.
Import this exported certificate on FortiAuthenticator as a Trusted CA.
Go to Certificate Management -> Certificate Authorities -> Trusted CA and select Import.
Specify an ID for the certificate, select 'Upload a file' and import the certificate exported previously.
Go to Authentication -> Remote Auth. Servers -> LDAP, enable the 'Secure Connection' option and select the certificate imported above.
Browsing the directory with LDAPS enabled should now work.
Also, run a packet capture: no readable LDAP data should be visible, only TLS-encrypted traffic.
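As an added pre-flight check that is not part of the original article, the script below reproduces what FortiAuthenticator will do once the exported certificate is imported: it converts the DER export to PEM, connects to the domain controller on 636 trusting only that file, and confirms the presented certificate covers the DC's name. The hostname dc01.corp.example and the file paths are placeholders; only the Python standard library is used.

```python
"""Verify an LDAPS trust anchor the way the FortiAuthenticator LDAP server will use it."""
import base64
import socket
import ssl
import sys


def der_to_pem(der: bytes) -> str:
    """Wrap the DER bytes exported from mmc.exe in PEM armour (64-char lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def cert_names(cert: dict) -> list:
    """DNS names a peer certificate (as returned by getpeercert()) is valid for."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):          # fall back to the subject CN
        names += [v for k, v in rdn if k == "commonName"]
    return names


def name_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered exactly or by a single-label wildcard (*.corp.example)."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in cert_names(cert)):
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def check_ldaps(host: str, pem_path: str, port: int = 636) -> dict:
    """TLS-connect to the DC trusting only pem_path; raises SSLCertVerificationError on mismatch."""
    ctx = ssl.create_default_context(cafile=pem_path)   # no system CAs, only the exported file
    ctx.check_hostname = True                           # the LDAP server name must match too
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python ldaps_check.py dc01.corp.example dc01.cer  (placeholder names)
    dc_host, der_file = sys.argv[1], sys.argv[2]
    with open(der_file, "rb") as f, open("dc_trusted.pem", "w") as out:
        out.write(der_to_pem(f.read()))                 # this PEM is what gets imported
    peer = check_ldaps(dc_host, "dc_trusted.pem")
    print("chain OK; names:", cert_names(peer), "match:", name_matches(peer, dc_host))
```

A verification failure here (untrusted issuer or name mismatch) is the same failure FortiAuthenticator will report when 'Secure Connection' is enabled with that certificate.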
Copyright 2024 Fortinet, Inc. All Rights Reserved.