FortiGate
sharmaj, Staff
Article Id 208483
Description This article describes why the AD connector may show as down under External Connectors and how to troubleshoot it.
Scope All FortiOS versions.
Solution

Sometimes the AD connector is shown as down under External Connectors.

Confirm the following before investigating further:

  1. Check that the FortiGate has network reachability to the server running the FSSO (Collector) agent.
  2. Check that the Windows Firewall on the Microsoft AD server allows inbound TCP 8000 (FortiGate to Collector Agent) and UDP 8002 (DC Agent to Collector Agent).
  3. If both checks pass and the connector is still down, take a packet capture of the traffic between the FortiGate and the Microsoft AD server. The following symptom is then commonly seen:

When the packet capture of the transaction between the FortiGate and the Microsoft AD server is examined, the server answers with a DCE/RPC fault:

nca_s_fault_access_denied sent from the server.

This generally points to a problem on the Microsoft side: the account the FortiGate uses to join and query the domain (the one configured on the connector) does not have sufficient permissions on the AD server.

Refer to the following article and grant the account the required permissions: Technical Tip: Restricting a Fortinet Single Sign On Agent Service (FSSO) service account.
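
The following PowerShell script is an added example, not part of this article or of any Fortinet tooling. It covers the two pre-checks above (is the Collector Agent listening on TCP 8000 and UDP 8002, and does the Windows Firewall on the AD server allow them) and, for the access-denied case, lists the group membership of the service account so it can be compared with the referenced article. It is meant to be run as an administrator on the Windows server hosting the FSSO Collector Agent; the host name, FortiGate address, account name and firewall rule names are assumptions for illustration, and step 4 requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the Fortinet article): pre-checks for an AD/FSSO
# connector that shows "down". Run as administrator on the server that hosts
# the FSSO Collector Agent. All names and addresses below are assumptions.

$CollectorHost = 'dc01.corp.example'   # assumed: server running the Collector Agent
$FortiGateIp   = '10.10.0.1'           # assumed: FortiGate address that polls the agent
$FssoAccount   = 'CORP\svc-fsso'       # assumed: service account used by the agent/connector

# 1. Is the Collector Agent actually listening on the FSSO ports?
#    TCP 8000: FortiGate -> Collector Agent.  UDP 8002: DC Agent -> Collector Agent.
$tcp8000 = Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue
$udp8002 = Get-NetUDPEndpoint   -LocalPort 8002 -ErrorAction SilentlyContinue
if (-not $tcp8000) { Write-Warning 'Nothing is listening on TCP 8000; check the Collector Agent service.' }
if (-not $udp8002) { Write-Warning 'Nothing is bound to UDP 8002; DC Agents cannot deliver logon events.' }

# 2. Windows Firewall: create the inbound allow rules if they are missing.
#    TCP 8000 is scoped to the FortiGate only; UDP 8002 must also accept the DC Agents,
#    so it is left open to any remote address on the Domain profile (tighten to the DC
#    subnet if your environment allows it).
$rules = @(
    @{ Name = 'FSSO Collector Agent TCP 8000'; Protocol = 'TCP'; Port = 8000; Remote = $FortiGateIp },
    @{ Name = 'FSSO Collector Agent UDP 8002'; Protocol = 'UDP'; Port = 8002; Remote = 'Any' }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote `
            -Profile Domain | Out-Null
        Write-Host "Created firewall rule: $($r.Name)"
    }
}
# Show the effective port filters for review.
Get-NetFirewallRule -DisplayName 'FSSO Collector Agent *' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort

# 3. TCP reachability, to be run from another Windows host on the FortiGate's side of
#    the network (UDP 8002 cannot be probed this way; check the DC Agent logs instead).
Test-NetConnection -ComputerName $CollectorHost -Port 8000 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 4. If the capture shows nca_s_fault_access_denied, review the service account's
#    group membership against the Fortinet article on restricting the FSSO service
#    account; this step only reports, it does not change any permissions.
Import-Module ActiveDirectory -ErrorAction Stop
$sam = $FssoAccount.Split('\')[-1]
Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
```

On the FortiGate side the same two checks are done from the CLI with execute ping against the agent's address and a capture such as diagnose sniffer packet any 'host <agent-ip> and (port 8000 or port 8002)' 4, which is also the capture in which the access-denied fault above becomes visible.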

Microsoft reference link regarding user permissions:

net user /domain returns "Access is denied"