FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 243530

This article describes how to resolve these two scenarios with SSL VPN in FortiGate.

- A new domain account with the following options enabled: 'User must change password at first logon'.


- The password of any existing domain user account is expired.


In any case, end users might not be available on the network to change the passwords or could be located on a different site or at home and SSL VPN is the only option to allow them to change the LDAP password. 


In this article, it is assumed that at least the following settings are already configured:

- SSL VPN configurations in FortiGate.

- Active Directory Domain controllers are configured and reachable to FortiGate.

- Certificate Authority is already configured.


- Windows Active Directory Domain Controllers.

- FortiGate.

- FortiClient or VPN access via a web browser


The first step is to import the CA certificate into FortiGate.


- Login to FortiGate, expand System -> Certificates.

' If the certificates option is not visible, then first goto System -> Feature visibility -> under Additional Features toggle Certificates to show certificates option'.




- Select the CA certificate and select 'OK'. 
'If there is an Intermediate or sub ordinate CAs as well, then add all CAs to complete the chain'.




- The CA will be listed under 'Remote CA Certificate'.




- Optional step: Select the recently imported certificate and select 'View Details'. This will show the details of the Certificate.




On the right-hand side, scroll down and it will show some more details about the certificate. 




- Next Step is to import the certificate, which is assigned to Domain Controller. It is necessary to import this certificate with a Private key. Some important points, while importing domain controller certificates in FortiGate.


- Private key of the certificate will be imported as well in FortiGate.

- The Extended key usage of the certificate should include 'Server Authentication Extension'.

- CN of the certificate, should include 'Fully qualified domain name'  of Domain Controller.

- Ensure that port 636 is opened from FortiGate to the domain controller. If there are multiple firewalls in between then, it is necessary to enable it on all firewalls and might also need to enable it on Windows Firewall on the domain controller.


- To check on DC, if the server is listening on port 636. Open PowerShell and type this command.


- tnc -port 636.




As a reference, see the DC certificate that will be imported into FortiGate.





- So now, this certificate will be added into FortiGate.
Go to System -Certificates, select 'Import' and select 'Local Certificate'




- Select 'PKCS#12 Certificate', select 'Upload' and choose the certificate and select 'Open'.




- As the certificate has a private key, enter the password that was entered when the certificate was exported, and select 'OK'.

Optionally, set the name that the certificate will be shown in the certificates list on FortiGate.




- Once the DC certificate is imported, it will be shown under 'Local Certificate' in the FortiGate certificates list.




- At this point, the certificates related tasks are completed.

Now, configure LDAP configurations in the Firewall to use these certificates for secure communication.


- Go to Users & Authentication, select LDAP Servers, and select 'Create New'. Enter the required information. Some important points to consider:

- By default LDAPs uses port 636.

- In Server IP/Name, use the FQDN of the domain controller.

- CA_Cert_1 is the root CA, that was already imported in FortiGate.



- Ensure that FortiGate should be able to resolve Server Name to the IP address, otherwise the secure connection will be failed.



Check DNS settings under Network and ensure that the right DNS server is added for the name resolution.




- Now, it is necessary to enter two extra commands.

This will allow FortiGate for Passwords renewal and password expiry warning. Go to CLI to add these commands under LDAP settings.




- At this point, the LDAPs configurations are completed. 



- Now we will test these scenarios.

- A new domain account with the following options enabled: 'User must change password at first logon'


- The password of any existing domain user account is expired.

- An account in Domain Controller will be created and set the option 'User must change password at first logon'.










 - Now, it will be tested from the client machine. Open FortiClient and create a VPN profile. 








 On the Firewall side, these debug logs will be visible:


2023-01-21 15:58:34 [1023] fnbamd_ldap_parse_response-ret=49
2023-01-21 15:58:34 [1720] fnband_ldap_run_password_policy_sm-Prompt user to renew expired password.
2023-01-21 15:58:34 [1048] __ldap_rxtx-Change state to 'Admin Binding'
2023-01-21 15:58:34 [981] __ldap_rxtx-state 3(Admin Binding) 



2023-01-21 16:04:22 [4108:root:31f]sslvpn_authenticate_user:167 authenticate user: [vpn_test]
2023-01-21 16:04:22 [1545] destroy_auth_cert_session-id=267025596
2023-01-21 16:04:22 [4108:root:31f]sslvpn_authenticate_user:174 create fam state
2023-01-21 16:04:22 [1000] fnbamd_cert_auth_uninit-req_id=267025596
2023-01-21 16:04:22 [2308] handle_req-Rcvd chal rsp for req 267025594
2023-01-21 16:04:22 [1803], addr
2023-01-21 16:04:22 [981] __ldap_rxtx-state 19(Change password)
2023-01-21 16:04:22 [1084] fnbamd_ldap_send-sending 98 bytes to
2023-01-21 16:04:22 [1096] fnbamd_ldap_send-Request is sent. ID 5
2023-01-21 16:04:22 [981] __ldap_rxtx-state 20(Change password resp)


- It is also possible to test from the client machine Web Browser if it it allowed in VPN configurations.






Related documents: