FortiGate
omorenomartin
Article Id 423525
Description This article describes the steps to configure the SSL VPN pre-logon connection with a machine certificate.
Scope FortiGate, FortiClient/EMS.
Solution

When using computer certificates on an SSL VPN connection, modify the configuration XML from FortiClient EMS (or manually for standalone deployments or personal VPNs) to set the following parameter:

<allow_standard_user_use_system_cert>1</allow_standard_user_use_system_cert>

In a standard Windows user session, FortiClient displays and uses client certificates stored in the user certificate store; certificates in the Local Machine store may be visible but cannot be used unless this setting is enabled. Refer to the following articles for background information:
Technical Tip: How to use certificates from Local machine certificate store for SSLVPN connections i...

For pre-logon connections, Windows has access only to computer certificates in the Local Machine store and does not have access to the current user certificate store, because no user session is active.

After the XML setting is modified, follow the steps below to allow new computers to be onboarded by using a pre-logon SSLVPN connection.

Note: In this example, certificate authentication for users and computers is separated into different PKI objects, LDAP servers, and user groups. This is because the LDAP attributes used for user accounts and computer accounts differ in many environments. It is possible to use a combined approach if required.

See this article: Technical Tip: SSL VPN with LDAP-integrated Machine and User Certificate for additional context.

1. Create PKI users and reference the LDAP servers.

Configure peer users for user and computer certificates:


config user peer
    edit "CertificateUsers"
        set ca "CA_Windows"
        set mfa-mode subject-identity
        set mfa-server "AD_Users"
    next
    edit "CertificateMachines"
        set ca "CA_Windows"
        set mfa-mode subject-identity
        set mfa-server "AD_Machines"
    next
end

In this example, FortiGate verifies that the client certificate is issued by the certificate authority 'CA_Windows', and then authenticates the certificate against the referenced LDAP server.

2. Configure LDAP instances for user and computer certificates.

An LDAP instance for user certificates can use the default 'account-key-cert-field' and 'account-key-filter' values. For computer certificates, adapt these values so that the correct subject alternative name field and directory attributes are used.


config user ldap
    edit "AD_Users"
        set server "10.7.0.1"
        set cnid "samaccountname"
        set dn "dc=testad,dc=com"
        set type regular
        set username "FortiGateLDAP"
        set password ENC ...
    next
    edit "AD_Machines"
        set server "10.7.0.1"
        set cnid "samaccountname"
        set dn "dc=testad,dc=com"
        set type regular
        set username "FortiGateLDAP"
        set password ENC ...
        set account-key-cert-field dnsname
        set account-key-filter "(&(dNSHostName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end

The 'cnid' value can be adapted to the directory schema in use (for example, 'samaccountname' or 'userPrincipalName'). This is relevant when credentials are supplied in addition to the certificate, or when the LDAP configuration is reused for other services. For certificate-only computer authentication, cnid does not affect the result. See this article: Technical Tip: Using logon name for the LDAP authentication.

The 'account-key-cert-field' and 'account-key-filter' options define which certificate field is used to look up the directory object:

  • othername: FortiGate uses the UPN in the certificate's SAN field to authenticate against LDAP (default).

    set account-key-cert-field othername
    set account-key-filter "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

  • rfc822name: FortiGate uses the RFC822 Name (mail address) in the certificate's SAN field to authenticate against LDAP.

    set account-key-cert-field rfc822name
    set account-key-filter "(&(mail=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

  • dnsname: FortiGate uses the DNS name in the certificate's SAN field to authenticate against LDAP.

    set account-key-cert-field dnsname
    set account-key-filter "(&(dNSHostName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

  • cn: FortiGate uses the CN in the certificate's subject to authenticate against LDAP.

    set account-key-cert-field cn
    set account-key-filter "(&(cn=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"


By default, FortiGate filters on the userPrincipalName attribute with the following expression:

(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

The first part matches the userPrincipalName attribute, and the second part filters out disabled or locked accounts by inspecting the UserAccountControl flag.

To match the othername field to a different attribute (for example, name), use:

set account-key-processing strip
set account-key-upn-san othername
set account-key-filter "(&(name=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

The 'account-key-processing strip' option strips the domain portion from the othername value before performing the LDAP lookup.
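
To make concrete how the SAN value, the %s substitution and the UserAccountControl bit test interact, the following is an added Python model (not FortiGate code) that builds each filter from this article and evaluates it against constructed stand-in directory entries. The OID 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule, and bit 2 is ACCOUNTDISABLE, so a computer whose dNSHostName matches is still rejected once its account is disabled; the 'strip' case shows the @domain part being dropped before a 'name' lookup. The evaluator only understands the (&(A)(!(B))) shape used on this page.

```python
import re

# LDAP_MATCHING_RULE_BIT_AND: "attr:1.2.840.113556.1.4.803:=N" is true when (attr & N) == N.
BIT_AND_OID = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 2  # the UserAccountControl bit the article's filters exclude

# Filter templates as they appear in the article; %s is replaced by the certificate SAN value.
UPN_FILTER = "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
DNS_FILTER = "(&(dNSHostName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
NAME_FILTER = "(&(name=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed stand-ins for AD objects (sample data, not a real directory).
DIRECTORY = [
    {"userPrincipalName": "jdoe@testad.com", "name": "jdoe", "userAccountControl": 512},
    {"userPrincipalName": "old@testad.com", "name": "old", "userAccountControl": 512 | ACCOUNTDISABLE},
    {"dNSHostName": "pc01.testad.com", "name": "PC01", "userAccountControl": 4096},
    {"dNSHostName": "pc02.testad.com", "name": "PC02", "userAccountControl": 4096 | ACCOUNTDISABLE},
]

def account_key(san_value, processing="none"):
    """Value substituted for %s; 'strip' mirrors account-key-processing strip (drop the @domain part)."""
    return san_value.split("@", 1)[0] if processing == "strip" else san_value

def build_filter(template, san_value, processing="none"):
    return template.replace("%s", account_key(san_value, processing))

def _attr(entry, name):
    # AD attribute names are case-insensitive (UserAccountControl == userAccountControl).
    return next((v for k, v in entry.items() if k.lower() == name.lower()), None)

def _clause(entry, clause):
    m = re.fullmatch(rf"(\w+):{re.escape(BIT_AND_OID)}:=(\d+)", clause)
    if m:  # bitwise-AND matching rule: all requested bits must be set
        bits = int(m.group(2))
        return (int(_attr(entry, m.group(1)) or 0) & bits) == bits
    attr, _, value = clause.partition("=")
    return str(_attr(entry, attr) or "").lower() == value.lower()  # AD string compares ignore case

def evaluate(ldap_filter, entry):
    """Evaluate the (&(A)(!(B))) shape every filter in this article uses."""
    m = re.fullmatch(r"\(&\((.+?)\)\(!\((.+?)\)\)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter shape")
    return _clause(entry, m.group(1)) and not _clause(entry, m.group(2))

def lookup(template, san_value, processing="none"):
    """Names of directory objects the SAN value resolves to; an empty list means authentication fails."""
    flt = build_filter(template, san_value, processing)
    return [e["name"] for e in DIRECTORY if evaluate(flt, e)]
```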

3. Create user groups for users and computers.

Reference the PKI users and LDAP servers in user groups:


config user group
    edit "GR_Users"
        set member "CertificateUsers" "AD_Users"
        config match
            edit 1
                set server-name "AD_Users"
                set group-name "CN=Domain Users,CN=Users,DC=testad,DC=com"
            next
        end
    next
    edit "GR_Machines"
        set member "CertificateMachines" "AD_Machines"
        config match
            edit 1
                set server-name "AD_Machines"
                set group-name "CN=Domain Computers,CN=Users,DC=testad,DC=com"
            next
        end
    next
end

In this example, one group is used for user certificates and another group for computer certificates, each mapped to the corresponding domain security group.

4. Complete the SSL VPN configuration.

Configure the standard SSL VPN elements, ensuring that the client certificate requirement is enforced for pre-logon access:

  • Configure the SSL VPN portal.

  • Create a firewall policy that references the portal and the GR_Users or GR_Machines group, as appropriate.

  • Configure the SSL VPN settings and authentication rules with client certificate verification enabled:

set client-cert enable