FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kgeorge
Staff
Article Id 424042
Description


This article describes the issue of ZTNA access being denied due to 'No ZTNA client certificate was provided'.


[Image: No ZTNA Certificate.jpg]

Scope


FortiGate, FortiClient EMS.


Solution


To resolve the issue of ZTNA access being denied due to no ZTNA client certificate being provided, follow these steps:

  1. As a first step, remove the user verification. Once done, unregister the endpoint and then re-register it. Re-verify the user to test whether the same issue occurs.
     To remove verified users, refer to this document: Verified Users.
     To unregister the endpoint, refer to this document: Disconnecting and connecting endpoints.
     To register the endpoint, add the user back and verify the user, refer to this document: Invitations.

  2. If the issue persists, unregister the endpoint again and mark it as uninstalled.

  3. On the endpoint side, uninstall FortiClient and use FCRemove.exe to wipe the system clean. Instructions for this process are in the KB article: Technical Tip: How to download FortiClient and FCRemove.exe from support.fortinet.com.

  4. Reboot the system and install the latest stable FortiClient version, and connect it to FortiClient EMS.

  5. Try accessing the Zero Trust Network Access (ZTNA) destination.

  6. If the issue persists, collect the following debug output from the FortiGate and submit a support ticket to the Fortinet TAC team for further investigation.


diagnose test application fcnacd 7
diagnose test application fcnacd 14
diagnose test application fcnacd 8
diagnose test application fcnacd 15
diagnose test application fcnacd 16
diagnose wad worker policy list
diagnose debug en
diagnose test app wad 2200
diagnose test app wad 101

diagnose wad filter src x.x.x.x <--- Replace x.x.x.x with the Public IP of the Endpoint.
diagnose wad debug enable all

diagnose wad debug enable level verbose
diagnose debug console time en
diagnose debug enable


It is recommended to use SSH software such as PuTTY to gather the above debugs, as WAD debugs are extensive and not all of the output can be captured within the built-in CLI console of FortiGate. Refer to this KB article for details on using PuTTY to capture command output: Technical Tip: How to create a log file of a session using PuTTY.
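The following is an added example, not part of the Fortinet article: a small POSIX shell helper that validates the endpoint's public IP and prints the article's debug command list with the IP already substituted into the WAD source filter, so the list can be pasted into a PuTTY session that is logging to a file. The IP 203.0.113.10 in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: generate the article's
# FortiGate debug command list with the endpoint's public IP filled in, so the
# result can be pasted into a PuTTY session that is logging to a file.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    { exit 0 }'
}

# Print the debug commands from the article, one per line, with the
# endpoint public IP substituted into the WAD source filter.
ztna_debug_commands() {
  ip="$1"
  if ! valid_ipv4 "$ip"; then
    echo "ztna_debug_commands: '$ip' is not a valid IPv4 address" >&2
    return 1
  fi
  cat <<EOF
diagnose test application fcnacd 7
diagnose test application fcnacd 14
diagnose test application fcnacd 8
diagnose test application fcnacd 15
diagnose test application fcnacd 16
diagnose wad worker policy list
diagnose debug en
diagnose test app wad 2200
diagnose test app wad 101
diagnose wad filter src $ip
diagnose wad debug enable all
diagnose wad debug enable level verbose
diagnose debug console time en
diagnose debug enable
EOF
}

# Usage (constructed endpoint IP): write the list to a file for pasting.
# ztna_debug_commands 203.0.113.10 > ztna-debug-commands.txt
```

Once the output has been captured, `diagnose debug disable` followed by `diagnose debug reset` stops the debug, which the listed commands otherwise leave running on the FortiGate.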


Related articles:

Technical Tip: FortiClient ZTNA access denied to certain PCs

Technical Tip: How to create a ticket for Fortinet TAC