ychia (Staff)
Article Id 277689
Description

This article describes how to fix the LDAP connection status 'Strong(er) authentication required'.

 

Under Users & Authentication -> LDAP Servers, double-click the LDAP server name; the connection status is shown below:

[Screenshot ldap-error.png: LDAP server connection status 'Strong(er) authentication required']


Based on the debug logs (LDAP result code 8 is strongerAuthRequired, which the GUI reports as 'Strong(er) authentication required'):

2023-08-14 16:06:10 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2023-08-14 16:06:10 [1009] fnbamd_ldap_parse_response-Error 8(00002028: LdapErr: DSID-0C090276, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580) ---> Error sent by LDAP Server
2023-08-14 16:06:10 [1023] fnbamd_ldap_parse_response-ret=8
2023-08-14 16:06:10 [785] __ldap_done-svr 'Forti-LDAP'
2023-08-14 16:06:10 [755] __ldap_destroy-
2023-08-14 16:06:10 [724] __ldap_stop-Conn with 192.168.xxx.xxx destroyed.
2023-08-14 16:06:10 [216] fnbamd_comm_send_result-Sending result 1 (nid 0) for req1885254761, len=2148
2023-08-14 16:06:10 [789] destroy_auth_session-delete session 1885254761
2023-08-14 16:06:10 [755] __ldap_destroy-
authenticate 'it-administrator' against 'Forti-LDAP' failed!

Scope

FortiGate.
Solution

The value of the 'LDAPServerIntegrity' registry parameter on the LDAP server (the domain controller) must be changed to '1'.

 

  1. Locate and then select the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
  2. 'Right-click' the LDAPServerIntegrity registry entry, and then select 'Modify'.
  3. Change Value data to 1 (default is 2).
  4. Select 'OK'.

Note that this is a change on the domain controller unrelated to FortiGate. This change would fix the error message sent by the domain controller.

 

Because the domain controller (the server) sends this response to the FortiGate (the requesting client), the cause of the response has to be investigated on the server, not on the FortiGate.

 

Contact the team that manages the domain controller or LDAP server with the recommendation above. There may be a reason the registry setting has its current value; if so, that team must find another solution.

If this parameter must stay active, as Microsoft's documentation advises, the FortiGate LDAP server object needs Secure Connection enabled and LDAPS configured:

[Screenshot image.jpg: FortiGate LDAP server object with Secure Connection (LDAPS) enabled]

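As an added example (not part of the original article), this is the FortiGate CLI equivalent of enabling Secure Connection on the LDAP server object, so the domain controller's signing requirement is satisfied without lowering LDAPServerIntegrity. The server object name and redacted address come from the log above; the base DN, bind account and CA certificate name are assumed placeholders.

```fortios
# Before (fails with Error 8 against a DC that requires signing): plain LDAP on TCP 389
config user ldap
    edit "Forti-LDAP"
        set server "192.168.xxx.xxx"
        set secure disable
        set port 389
    next
end

# After: LDAP over TLS (LDAPS). The DC accepts the simple bind because
# SSL/TLS is already active on the connection, exactly as its error text states.
config user ldap
    edit "Forti-LDAP"
        # Address as redacted in the article's log; replace with the real DC
        set server "192.168.xxx.xxx"
        set cnid "sAMAccountName"
        # Assumed base DN and bind account; adjust for the real domain
        set dn "dc=example,dc=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com"
        set password <bind-account-password>
        # Secure Connection = LDAPS on TCP 636
        set secure ldaps
        set port 636
        # Assumed name of the issuing CA certificate imported under System -> Certificates
        set ca-cert "CA_Cert_1"
        # Reject a DC certificate whose name does not match the configured server
        set server-identity-check enable
    next
end
```

After applying it, the bind can be checked from the CLI with 'diagnose test authserver ldap Forti-LDAP <user> <password>'; a successful test means the GUI connection status no longer shows the error.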
Related documents:

  • Microsoft: 2020, 2023, and 2024 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)
  • How to create LDAPS: Technical Tip: Configuring LDAP over SSL (LDAPS)