Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
rbraha
Staff
Staff

Created on ‎09-16-2022 09:44 AM Edited on ‎04-10-2025 08:05 AM By Moderator

Article Id 223993

Technical Tip: LDAPS with FortiAuthenticator

Description

 

This article describes how to configure LDAPS with FortiAuthenticator, assuming that the domain controller has a valid computer certificate in place.

 

Scope

 

FortiAuthenticator.

 

Solution

 

In this example, the Microsoft Windows Active Directory has been used as the Certificate Authority,

These tests were performed with Windows Server 2019.

 

Open Run and write mmc.exe.

 

Go to File and select Add/Remove Snap-in, choose Certificates, and select 'Add'.

 

Aashiq_Z_0-1663345988332.png

 

Aashiq_Z_1-1663346014020.png

 

Select the option 'Computer Account'.

 

Aashiq_Z_2-1663346161327.png

 

Select the option 'Local Computer' and choose 'Finish'.

 

Aashiq_Z_3-1663346205512.png

 

Select 'Certificates', go to Personal- Certificates, and select the certificate which has the same name as the domain controller (computer certificate).

'Right-click', select All tasks, and choose 'Export'.

 

Aashiq_Z_4-1663346265242.png

 

Select the 'No' option, do not export the private key, and DER file format.

 

Aashiq_Z_5-1663346384454.png

 

Specify the name and select 'Next', specify a filename, and choose 'Finish'.

 

Aashiq_Z_6-1663346456154.png

 

Note: If the domain controller does not have a valid computer certificate in place, the following error may appear in the FortiAuthenticator GUI when browsing to the directory with LDAPS enabled: 

 

Query failed: ldap_simple_bind_s failed: Can't contact LDAP server error:0A000086:SSL routines::certificate verify failed (unhandled critical extension)

 

image (21).png

 

 

Import this CA certificate on FortiAuthenticator as a Trusted CA.

Go to Certificate Management -> Certificate Authorities -> Trusted CA and select Import.

Specify an ID for the certificate and select Upload a file to import the certificate previously exported.

 

10png.png

 

Go to Authentication -> Remote Auth.Servers -> LDAP, enable the Secure Connection option, and select the correct certificate.

 

11.png

 

Try to browse to the directory with LDAPS enabled, which should work fine now.

 

13.png

 

Also, run a packet capture. No readable data should be seen, with only TLS encrypted.

 

12.png

 

Note that from version 6.6.2 certificates with SHA1 are no longer supported, if this is added then the LDAP bind will not work, on v6.6.2, the certificate created needs to be on SHA2, refer to the following document: SHA-1 cryptographic operations are no longer supported.

5044
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.