Created on 07-04-2024 03:22 AM Edited on 08-08-2024 01:36 PM By Jean-Philippe_P
Description: This article describes that, after upgrading FortiGate firmware to version 7.4.4 (Feature), an LDAP remote user can no longer authenticate with the User Principal Name (UPN) attribute as the username.
Scope: FortiOS 7.4.4.
Solution:
When a remote user tries to authenticate with their User Principal Name (UPN), for example name@contoso.com, for instance through SSL VPN, the connection fails. In this setup the remote LDAP server object on the FortiGate uses 'userprincipalname' as the Common Name Identifier (see Technical Tip: How to use user domain on LDAP).
Run the following debugging commands to gather additional information:
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable
Additionally, the command below can be used to test the authentication (replace <LDAP_SERVER_NAME>, <USERNAME> and <PASSWORD> with the values of the user setup):
diagnose test authserver ldap <LDAP_SERVER_NAME> <USERNAME> <PASSWORD>
After reproducing the authentication attempt, the real-time debug output shows that the FortiGate receives an auth request for the user 'thisisaverylongnameadmin@fortiad.lab' (36 characters):
[1738] handle_req-Rcvd auth req 8800496730118 for thisisaverylongnameadmin@fortiad.lab in opt=00200421 prot=9 svc=5
However, when the FortiGate searches LDAP for the user 'thisisaverylongnameadmin@fortiad.lab', the filter built on 'userprincipalname' only uses the first 35 characters, 'thisisaverylongnameadmin@fortiad.la', and drops the last character 'b':
[888] fnbamd_ldap_build_dn_search_req-base:'dc=fortiad,dc=lab' filter:userprincipalname=thisisaverylongnameadmin@fortiad.la
Consequently, the authentication fails because no matching user is found:
[900] __ldap_next_state-No DN is found.
Once the debugging is complete, disable it with:
diagnose debug reset
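The check below is an added example, not code from the Fortinet article or from FortiOS. It parses fnbamd debug output of the shape shown above and flags any LDAP search whose filter value is a strict prefix of the username fnbamd received, which is exactly the 7.4.4 symptom; it also lists which UPNs from a directory export exceed the 35-character limit seen in the debug output. The sample lines are the article's two debug lines plus a constructed, unaffected short-UPN request for contrast; the 35-character limit is taken from the article's observation rather than from any documented FortiOS constant.

```python
"""
Added example (not part of the Fortinet article): detect truncated LDAP
search filters in fnbamd debug output and list UPNs that would be affected.
"""
import re

# Length observed in the article's debug output: the filter value kept the
# first 35 characters of a 36-character UPN. Assumed limit, not a documented one.
UPN_FILTER_LIMIT = 35

# Constructed sample: the article's own two lines for the long UPN, followed
# by a request for a short UPN that is searched correctly.
SAMPLE_DEBUG = """\
[1738] handle_req-Rcvd auth req 8800496730118 for thisisaverylongnameadmin@fortiad.lab in opt=00200421 prot=9 svc=5
[888] fnbamd_ldap_build_dn_search_req-base:'dc=fortiad,dc=lab' filter:userprincipalname=thisisaverylongnameadmin@fortiad.la
[900] __ldap_next_state-No DN is found.
[1738] handle_req-Rcvd auth req 8800496730119 for shortname@fortiad.lab in opt=00200421 prot=9 svc=5
[888] fnbamd_ldap_build_dn_search_req-base:'dc=fortiad,dc=lab' filter:userprincipalname=shortname@fortiad.lab
"""

# Username as received by fnbamd ("Rcvd auth req <id> for <user> in ...").
AUTH_REQ_RE = re.compile(r"handle_req-Rcvd auth req \d+ for (\S+) in ")
# Attribute and value of the DN search filter fnbamd builds.
FILTER_RE = re.compile(
    r"fnbamd_ldap_build_dn_search_req-base:'[^']*' filter:(\w+)=(\S+)")


def find_truncated_filters(debug_text):
    """Return (requested_user, attribute, filter_value) for each DN search
    whose filter value is a strict prefix of the username just received.

    A request line sets the pending username; the next filter line is
    compared against it, so requests and searches are paired in order.
    """
    findings = []
    pending_user = None
    for line in debug_text.splitlines():
        m = AUTH_REQ_RE.search(line)
        if m:
            pending_user = m.group(1)
            continue
        m = FILTER_RE.search(line)
        if m and pending_user is not None:
            attr, value = m.group(1), m.group(2)
            if value != pending_user and pending_user.startswith(value):
                findings.append((pending_user, attr, value))
            pending_user = None
    return findings


def affected_upns(upns, limit=UPN_FILTER_LIMIT):
    """Given UPNs exported from the directory, return those longer than
    `limit` characters, i.e. the accounts the truncation would break."""
    return [u for u in upns if len(u) > limit]


if __name__ == "__main__":
    for user, attr, value in find_truncated_filters(SAMPLE_DEBUG):
        dropped = len(user) - len(value)
        print(f"truncated search: {attr}={value} "
              f"(requested {user}, {len(user)} chars, {dropped} dropped)")
    print(affected_upns(["thisisaverylongnameadmin@fortiad.lab",
                         "shortname@fortiad.lab"]))
```

Feed the real-time fnbamd output captured with the commands above to find_truncated_filters, and a UPN list exported from the directory to affected_upns, to see in advance which accounts will fail after the upgrade.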
Workaround:
Only UPNs longer than 35 characters are affected, since the filter keeps the first 35 characters intact. This limitation is not present in FortiOS 7.2.x releases or in 7.4.3, and it is not present in the upcoming 7.6.0 release.
Copyright 2024 Fortinet, Inc. All Rights Reserved.