rtanagras
Staff & Editor
Article Id 318302

Description

This article explains how to set up Microsoft Entra Domain Services with secure LDAP (LDAPS) and connect a FortiGate to it. Follow the steps to add a custom domain, configure Entra Domain Services, enable secure LDAP, and import the CA certificate. The CLI configuration for the FortiGate LDAP server object is also provided.

Scope

FortiGate.

Solution

  1. Set up a domain by following this article from Microsoft: Add a custom domain.

Note:

When setting up the custom domain, ensure that the TXT or MX records provided by Azure are added to the DNS zone of the custom domain so that the managed domain can be verified. As shown in the screenshot below, the TXT records have been created in GoDaddy DNS Management.

[Screenshot: TXT records created in GoDaddy DNS Management]

It is then possible to create and configure Microsoft Entra Domain Services. Follow this guide for the full setup: Create a Microsoft Entra Domain Services instance.

  2. Enable and configure the secure LDAP feature in Microsoft Entra Domain Services: Configure secure LDAP.
  3. Create a server certificate following the Microsoft secure LDAP guide. Note the CA certificate(s) used to sign the server certificate and export these as remote certificates (without key information).
  4. Import the CA certificate on the FortiGate: go to System -> Certificates -> Create/Import -> CA Certificate -> File, and select 'Upload'.
  5. Configure the FortiGate to connect to Azure LDAPS. See the following example configuration.

[Screenshot: FortiGate LDAP server configuration for Azure LDAPS in the GUI]

Command Line:

config user ldap
    edit "Azure-LDAP"
        set server "172.190.141.131"            <-- FQDN or IP address of the LDAP server.
        set server-identity-check disable       <-- If an IP address is used instead of the FQDN, this must be disabled (see the notes on certificate trust below).
        set cnid "mail"                         <-- 'mail' as the Common Name Identifier.
        set dn "dc=pitou,dc=online"             <-- Entra managed domain.
        set type regular
        set username "user1@adcorp.site"        <-- Entra administrator with LDAP search permissions.
        set password <password>                 <-- Entra administrator credential.
        set secure ldaps
        set ca-cert "azure-ldaps-ca"            <-- LDAPS CA certificate (see the renaming note below).
        set port 636
    next
end

Note:

FortiOS assigns imported remote CA certificates an automatically generated name (for example CA_Cert_1). To rename the CA certificate to the name used in 'set ca-cert', apply the following CLI commands:

config vpn certificate ca
    rename CA_Cert_1 to azure-ldaps-ca
end

Notes on certificate trust:

  • By default, if the value configured in 'set server' does not match the CN or a Subject Alternative Name (SAN) listed in the server certificate, validation fails. For example, if an IP address is used in the FortiGate LDAP client configuration rather than an FQDN, a certificate that does not list this IP address will not be trusted by the FortiGate. It is recommended to leave this check enabled; if needed, it can be disabled with 'set server-identity-check disable' in the FortiOS LDAP settings.
  • FortiGate validates certificates against the full certificate chain. If the server certificate is signed by an intermediate CA and the server does not send the full chain in the TLS handshake, any missing CA certificates must be imported into the FortiGate manually.
  • If there are multiple CA certificates in the trust chain, use the intermediate CA that issued the server certificate in the 'set ca-cert <remote ca>' configuration.
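The following Python pre-flight check is an added example, not code from this article or from FortiOS: run from a host that can reach the Entra Domain Services LDAPS endpoint, it trusts only the PEM file that will be imported as 'set ca-cert', applies the same name matching as server-identity-check (IP literal against IP Address SANs, FQDN against DNS SANs, CN only as a fallback), and maps OpenSSL verification failures to the trust notes above. The function names, the VERIFY_HINTS texts and the certificate values used to exercise it are my own assumptions.

```python
import ipaddress
import socket
import ssl

# OpenSSL verify codes surfaced as ssl.SSLCertVerificationError.verify_code (x509_vfy.h),
# mapped to the FortiGate-side cause each one points at (hint texts are my own wording).
VERIFY_HINTS = {
    62: "name mismatch: the 'set server' FQDN is not in the certificate SAN/CN",
    64: "IP mismatch: the 'set server' IP is not an IP Address SAN in the certificate",
    20: "chain incomplete: import the intermediate CA that issued the server certificate",
    19: "the root of the server's chain is not the CA given in 'set ca-cert'",
}

def identity_matches(server: str, cert: dict) -> bool:
    """server-identity-check on a getpeercert() dict: an IP literal must be an IP Address
    SAN; a name must match a DNS SAN (single-label wildcard ok) or, with no DNS SAN, the CN."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(server)
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    except ValueError:
        pass  # not an IP literal: compare as a DNS name below
    host = server.lower().rstrip(".")
    names = [v.lower() for k, v in san if k == "DNS"]
    if not names:  # CN fallback only for certificates that carry no DNS SAN at all
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:  # wildcard covers exactly one label
                return True
        elif name == host:
            return True
    return False

def check_ldaps(server: str, ca_file: str, identity_check: bool = True, port: int = 636) -> dict:
    """Handshake with the LDAPS endpoint trusting only ca_file, the way the FortiGate will."""
    ctx = ssl.create_default_context(cafile=ca_file)  # this CA only, not the OS trust store
    ctx.check_hostname = identity_check               # False == 'set server-identity-check disable'
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((server, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=server) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "san": cert.get("subjectAltName", ()),
                        "identity_ok": identity_matches(server, cert)}
    except ssl.SSLCertVerificationError as err:  # listed before OSError: it is a subclass
        return {"ok": False, "verify_code": err.verify_code,
                "hint": VERIFY_HINTS.get(err.verify_code, err.verify_message)}
    except OSError as err:
        return {"ok": False, "hint": f"connection or handshake failed: {err}"}
```

Call check_ldaps() with the 'set server' value and the exported CA file (for example check_ldaps("172.190.141.131", "azure-ldaps-ca.pem")); verify_code 20 is the missing-intermediate case from the second note, 62 or 64 the identity-check case from the first, and identity_ok tells whether the check could be left enabled.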