Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bmeta
Staff & Editor
Staff & Editor

Created on ‎06-10-2020 02:58 AM Edited on ‎01-21-2026 10:59 PM By Community Manager

Article Id 189972

Technical Tip: Configuring LDAP over SSL (LDAPS)

Description


This article describes how to configure LDAP over SSL with an example scenario. The LDAP traffic is secured by SSL.

 

Scope

 

FortiGate.


Solution


In this scenario, a Microsoft Windows Active Directory (AD) server is used as the Certificate Authority (CA). Certificate services have been added as a role, and the CA certificate is already available for export.

 

Prerequisites. Before proceeding with the steps below, install the Active Directory Certificate Services role as the Certification Authority.

 

To install Active Directory Certificate Services:

  1. Open the Server Manager. In the Server Manager, select Manage -> Add Roles and Features in the top right corner. Select Next until the Server Roles section appears.
  2. Select Active Directory Certificate Services and select Add Features:

 

jiahoong112_0-1671183127461.png

 

  1. Select Next until the Role Services section appears. Select Certification Authority.

     

    jiahoong112_1-1671183198077.png

     

  2. Select Next and finish the installation. After the installation has finished, select Configure Active Directory Certificate Services on the destination server.

     

    jiahoong112_0-1672032680107.png

     

  3. A new window will pop up. Select Next and ensure Certification Authority is checked under Role Services, then select Next.

     

    jiahoong112_1-1672032750305.png

     

  4. Select Enterprise CA. If the Enterprise CA cannot be selected, ensure to be logged in as the Administrator in the AD Domain.

     

    jiahoong112_2-1672032867269.png

     

  5. Continue to select Next until the final screen is reached. The rest of the options can be left on the default. Choose to configure them differently according to the requirements.

     

    jiahoong112_3-1672032984609.png

     

  6. After selecting Configure, the configuration should succeed as such. Select Close when it is done. 

     

    jiahoong112_4-1672033063833.png

     

Follow the steps below to configure LDAPS.

Configure LDAPS on the Microsoft Windows Certificate Authority server:

  1. On the Active Directory server, open the MMC (Microsoft Management Console). Go to File and select Add/Remove Snap-in, then select Certificates and select Add:

 
  1. Select Computer account:

    JeanPhilippe_P_0-1730298992159.png
  2. Select Local computer and select Finish:
     
     
  3. The Certificates section appears on the left-hand side. Expand the tree and go to Personal -> Certificates. Then, select the root certificate. In the intended Purpose column, it shows <All>.  Go to All Tasks and select Export:

 

Server certificate.png
 
Note:
If this certificate is not imported, the error can be encountered when uploading this certificate on FortiGate, about 'This certificate is not a CA certificate. 
 
  1. When the Certificate Export Wizard appears, select Next:
     
     
  2. Do not Export the Private Key:

    JeanPhilippe_P_1-1730299060933.png
  3. Select the DER file format: 

    JeanPhilippe_P_2-1730299183192.png

     


  4. Specify the name of the file and select Next:

    JeanPhilippe_P_3-1730299232264.png

 

  1. Complete the Certificate Export Wizard and select Finish:
 
 
A message to indicate that the wizard process was completed will appear.
 
Note:
The certificate obtained from the AD server must have the LDAP server's IP address in either the Common Name (CN) or Subject Alternative Name (SAN). If the server address is configured as an FQDN, the certificate should have the FQDN in CN or SAN. The server should resolve it to an IP address.
 
Configure LDAPS on the FortiGate:
  1. Import the CA Certificate that was exported in the steps earlier to the FortiGate. To do this, go to System -> Certificates, select Import CA Certificate -> File, and upload the file:
 
 
  1. Create a new 'LDAPS' server in the GUI and select the imported certificate:
     
 
Notes:
  • Before v7.4.4, if no certificate is selected, FortiGate will accept any data from the LDAPS server.
  • After v7.4.4, the CA certificate is required even if not specified in the LDAPS config.
  • See this article: Technical Tip: LDAPS connections no longer work after update to v7.4.4.
  • For lower versions, if a certificate is selected, FortiGate will only accept certificates signed by that CA certificate.
  • This is also applicable if using the STARTTLS protocol as well, when using STARTTLS the LDAP server connectivity on FortiGate 'Test connectivity' shows successful (this is due to the behavior of STARTTLS where initial connection will use unencrypted connection and then it will upgrade to secure one) therefore when the actual user authentication takes place it will still fail due to the reason the CA certificate of the LDAP server is not imported.
 
The fix is to import the CA certificate of the LDAP server into the FortiGate.
 
(Optional) Debugging processes:
Use packet capture and a sniffer to verify the communication between FortiGate and the AD server. After a 3-way handshake, the data transaction between the client and server will be visible:

'Hello Exchange' -> Client Hello -> Server Hello -> Server Hello Done.
 
 
The certificate sent by the LDAPS server can be seen in the packet, labeled as 'Certificate, Client Key Exchange, …'.
 
Unlike regular LDAP over TCP/389, it is not possible to see LDAP queries and replies. However, a non-secure LDAP can be useful for troubleshooting purposes.
 
diagnose sniffer packet any "host 192.168.252.133 and port 636"
interfaces=[any]
filters=[host 192.168.252.133 and port 636]
3.653907 192.168.252.187.11640 -> 192.168.252.133.636: syn 2104591803
3.655022 192.168.252.133.636 -> 192.168.252.187.11640: syn 3985690082 ack 2104591804
3.655066 192.168.252.187.11640 -> 192.168.252.133.636: ack 3985690083
3.655524 192.168.252.187.11640 -> 192.168.252.133.636: psh 2104591804 ack 3985690083
3.656473 192.168.252.133.636 -> 192.168.252.187.11640: 3985690083 ack 2104592128
 

Notes:

  1. From FortiOS v7.2.0 onwards, administrators can configure a FortiGate client certificate in the LDAP server configuration when the FortiGate connects to an LDAPS server that requires client certificate authentication:

 

config user ldap

    edit <ldap_server>

        set client-cert-auth {enable | disable}

        set client-cert <source>

    next

end

 

  1. When Server Identity Check is enabled (optional), FortiGate validates that the LDAP server certificate matches the configured server value:

  • If configured by IP, the certificate must contain the same IP in the SAN.
  • If configured by Name/FQDN, it must match the CN or DNS SAN (ensure DNS resolution; prefer FQDN).
  • If not matched, LDAPS may fail with 'Can't contact LDAP server'.

 

  1. If it is not possible to find the System -> Certificates option in the GUI, it is needed to enable Certificates under Feature Visibility, then select Apply.

 

Related articles: 

Troubleshooting Tip: FortiGate LDAP troubleshooting and debug logs created by fnbamd

Technical Tip: FortiGate is unable to contact the LDAPS server, receives error message 'Can't contac...

Troubleshooting Tip: 'No DN is Found' error during LDAP authentication failure for usernames with do...

Technical Tip: Enable expired password LDAP renewal with Active Directory 

Technical Tip: How to enable password renewal of remote LDAP user through FortiGate 

110133
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.