Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nprakash
Staff
Staff

Created on ‎05-29-2024 09:38 PM Edited on ‎02-23-2025 10:11 PM By Community Manager

Article Id 318021

Technical Tip: LDAPS connections no longer work after update to v7.4.4

Description This article describes the changes in LDAPS authentication behavior introduced in v7.4.4 & v.7.4.5.
Scope FortiGate v7.4.4 and above.
Solution

After upgrading to v7.4.4 and above, attempts to authenticate using LDAPS are unsuccessful. The issue can be confirmed by disabling 'Secure Connection' under User & Authentication -> LDAP Servers if it works after disabling this  then it is LDAPS authentication making the problem. This issue can be also confirmed by running a packet sniffer for the LDAPS server's IP address and executing the debug commands mentioned below:

 

di de application fnbamd -1
di de console time enable
di de en ​

 

 

To stop the debug, run the following commands:

 

   diagnose debug disable

   diagnose debug reset

 

To start the sniffer, navigate to Network -> Diagnostics and select 'New Packet Capture'. 

 

LDAPS-1.png


The packet sniffer can be stopped after a failed authentication attempt and saved to the local machine.  From the debug command logs, FortiGate fails to validate the server certificate:


LDAPS-2.png
Using the Wireshark tool, the saved sniffer file can be viewed, but FortiGate (10.21.7.38) fails to validate the server certificate.


LDAPS-3.png

 

FortiOS 7.4.4 enhances the security standards for LDAPS by requiring that the server certificate be trusted by FortiOS during the TLS handshake. To comply with this requirement, CA certificate of the LDAP server must be imported into the FortiGate.  

In this example, the LDAP Servers (10.21.0.100) certificate is issued by the CA 'WIN-LT4LK9KDT21-CA'.  This CA certificate 'WIN-LT4LK9KDT21-CA' must be imported into FortiGate. 

LDAPS-4.png

 

Import the CA certificate by following the steps outlined below:

  1. Enable 'Certificates' options in GUI:


LDAPS-5.png

 

  1. Navigate to System -> Certificates, select 'Create/Import' and select 'CA Certificate'.

 

LDAPS-6.png

 

  1. Select 'File' and upload the CA Certificate:


LDAPS-7.png
It is possible to verify if the LDAP authentication is working by following these steps: Navigate to User & Authentication -> LDAP Servers, edit the LDAPS server, and select 'Test User Credentials'. Provide the User credentials and select 'Test'.   

LDAPS-8.png

 

LDAPS-9.png

 

To achieve a connection with server port 389: after upgrading to v7.4.4, disable certificate inspection on the LDAP server.

 

To export a CA certificate from the LDAP server, refer to the following documents for step-by-step instructions:

Configuring LDAP over SSL with Windows Active Directory | FortiGate / FortiOS 5.4.0 | Fortinet Docum...

Technical Tip: How to export root CA from Certificate Authority Server and import to FortiGate
6309
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.