Description | This article describes troubleshooting methods and possible fixes for the user verification type LDAP. The same troubleshooting steps can also be extended to other verification types. |
Scope | LDAP, EMS, FortiClient, User Verification. |
Solution |
The following steps demonstrate user verification via an EMS invitation code with verification type LDAP, set up in a test environment.
For testing user verification via LDAP, three security groups were created in AD: TEST1, TEST2, and TEST3.
The test user is user1, which is a member of Domain Users and of all three created security groups.
On the EMS side -> User Management -> Authorized User Groups there is the following configuration.
The invitation code is then used to connect from FortiClient.
Configuration cannot be distributed directly from EMS at this stage, because the telemetry connection is not yet established. It is therefore necessary to unlock the settings from the lock icon at the bottom left of the FortiClient UI.
In the FortiClient UI, under the Settings -> Logging tab, make sure Telemetry is included in the logged features so that the telemetry connection attempt is captured.
When trying to connect as the test user user1, FortiClient prompts for authentication again because the authentication failed.
In order to troubleshoot further, export the diagnostic logs from the About page. In the exported diagnostic output, open the file FCDiagData\general\logs\trace\FortiESNAC_1.log.
There is a clear User Authentication error on the logs. Why and how?
The main reason this configuration does not work is that the security groups that contain user1 are not authorized to log in to EMS.
How to fix it?
It is necessary to authorize, under User Management -> Authorized User Groups, each security group that contains user1. After changing the configuration, the result is as follows.
User1 successfully registers to EMS via verification type LDAP.
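The check below is an added example, not part of the original article or of FortiClient/EMS: it compares the AD group membership of the test user against the list of groups authorized in EMS and then pulls the authentication lines out of the exported trace log. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the script runs as a domain user, that the $AuthorizedGroups list is copied by hand from EMS -> User Management -> Authorized User Groups (the value here, only TEST1, is an assumed starting configuration), that $DiagRoot points at the exported FCDiagData folder, and that the relevant log lines contain the phrase "User Authentication" as the article describes (the exact log wording is an assumption).

```powershell
# Added example (not from the original article): find which of a user's AD groups
# are missing from the EMS authorized-group list, then show the authentication
# lines from the exported FortiClient trace log.
param(
    [string]$User = 'user1',
    [string[]]$AuthorizedGroups = @('TEST1'),   # assumed: copied from EMS Authorized User Groups
    [string]$DiagRoot = '.\FCDiagData'          # assumed: folder exported from FortiClient About page
)

Import-Module ActiveDirectory

# 1. Group membership of the test user (group names only; includes the primary group).
$memberOf = Get-ADPrincipalGroupMembership -Identity $User |
    Select-Object -ExpandProperty Name
Write-Host "Groups containing ${User}: $($memberOf -join ', ')"

# 2. Split the user's groups into those already authorized in EMS and those not.
$authorized   = @($memberOf | Where-Object { $AuthorizedGroups -contains $_ })
$unauthorized = @($memberOf | Where-Object { $AuthorizedGroups -notcontains $_ })

if ($authorized.Count -eq 0) {
    Write-Warning "None of the groups containing ${User} is authorized in EMS; LDAP verification will fail."
}
if ($unauthorized.Count -gt 0) {
    Write-Host "Groups to authorize under User Management -> Authorized User Groups: $($unauthorized -join ', ')"
}

# 3. Show the last authentication-related lines from the trace log named in the article.
#    The search phrase follows the article's description of the error; exact wording is assumed.
$trace = Join-Path $DiagRoot 'general\logs\trace\FortiESNAC_1.log'
if (Test-Path $trace) {
    Select-String -Path $trace -Pattern 'User Authentication' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "Trace log not found: $trace"
}
```

Run it on a domain-joined machine after exporting the diagnostic logs; the "Groups to authorize" line lists exactly the groups that still need to be added in EMS before user1 can register.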
Note: This article only shows the connection via verification type LDAP; the same troubleshooting methods are also valid for the Azure AD verification type and its security groups. |