Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
VinayHM
Staff
Staff

Created on ‎01-29-2025 02:29 AM

Article Id 373366

Technical Tip: Reason why FortiAuthenticator is not syncing with LDAP server

Description This article describes the reason why FortiAuthenticator is not syncing with the LDAP server.
Scope FortiAuthenticator.
Solution

This issue is from the LDAP server as the bind response asks for an integrity check from the LDAP server.

 

Logs from FortiAuthenticator:

 

Failed to sync (rule: Forti_Auth_User_SYNC) with example.noc : Unable to query remote LDAP server example.noc (10.x.x.x) for users to sync (ru le Forti_Auth_User_SYNC): Idap_simple_bind_s faile d: Strong(er) authentication required 00002028: Lda pErr: DSID-0C09032F, comment: The server requires s binds to turn on integrity checking if SSL TLS are not already active on the connection, data 0, v4563

 

fac.png

 

From the Packet captures on FortiAuthenticator.

 

Bind request:


Lightweight Directory Access Protocol
LDAPMessage bindRequest(1) "abc@example.noc" simple
messageID: 1
protocolOp: bindRequest (0)
bindRequest
version: 3
name: abc@example.noc
authentication: simple (0)
simple: Password
[Response In: 280]

 

Bind response:


Lightweight Directory Access Protocol
LDAPMessage bindResponse(1) strongAuthRequired (00002028: LdapErr: DSID-0C09032F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563)  <-----
messageID: 1
protocolOp: bindResponse (1)
bindResponse
resultCode: strongAuthRequired (8)  <------
matchedDN: <MISSING>
errorMessage: 00002028: LdapErr: DSID-0C09032F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563
[Response To: 279]
[Time: 0.002378000 seconds]

 

Cause:

A non-default security setting on the LDAP server that enforces all LDAP authentication to be secured with SSL.
This policy on the domain controller is: 'Domain controller: LDAP server signing requirements' and if set to 'Require signing' connections will fail if not configured to use SSL.

 

If this policy is configured on the domain controller in a Windows Domain, a non-secure LDAP authentication will fail.
713
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.