FortiGate
pabarro (Staff)
Article Id 379387
Description This article describes how to troubleshoot authentication failures for Active Directory users that authenticate over the LDAP protocol, where the user receives the message 'Authentication failure' after entering valid credentials.
Scope FortiOS.
Solution
  • Validate the LDAP authentication with the following command:

diagnose test authserver ldap <ldap_server_name> <username> <password>

  • Check the status of the processes by running the following command:

Fortigate-A # diag sys top 4 40 10
Run Time:  86 days, 3 hours and 9 minutes
24U, 0N, 4S, 72I, 0WA, 0HI, 0SI, 0ST; 16047T, 9314F
          fnbamd    29949      R      98.5     0.1    7
             wad    31715      S      52.7     0.4    1
             wad    31716      S      37.8     0.4    1
             wad    31717      R      17.4     0.4    0
          httpsd    31696      S       1.4     0.1    6
       ipsengine     9027      S <     0.9     1.0    3
        dnsproxy      267      S       0.9     0.3    3
       ipsengine     9026      S <     0.4     1.0    1

  • If the output shows the fnbamd process consuming high CPU resources, enable fnbamd debugging as follows:

Fortigate-A # diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
Fortigate-A # diagnose debug enable
2025-02-11 09:43:52 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:52 failed to send auth_cert request
2025-02-11 09:43:53 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:53 failed to send auth_cert request
2025-02-11 09:43:53 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:53 failed to send auth_cert request
2025-02-11 09:43:53 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:53 failed to send auth_cert request
2025-02-11 09:43:55 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:55 failed to send auth_cert request
2025-02-11 09:43:56 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:56 failed to send auth_cert request
2025-02-11 09:43:56 send_request: Error sending errno=11(Resource temporarily unavailable)

If this error appears in the debug output, it indicates that the certificate authentication failed because of a network reachability problem. In this case, test the connectivity between the FortiGate and the LDAP server with the built-in sniffer:

diagnose sniffer packet any 'host <ldap_server_ip> and port <server_port>' 6 0 1

  • If no certificate error appears in the packet capture, restart the fnbamd process by killing it (FortiOS starts a new instance automatically):

diag sys process pidof fnbamd     <- Verify the process ID.
diag sys kill 9 <pid>             <- Kill the process.

  • Verify that fnbamd has actually restarted with a new process ID by running the following command:

diag sys top 4 40 10

  • Validate that the LDAP authentication is working now:

diagnose test authserver ldap <ldap_server_name> <username> <password>

Example:

diag test authserver ldap AD_LDAP user1 password
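A small triage helper, added here as an example (it is not part of this article or of FortiOS), that parses the diag sys top rows and the fnbamd debug lines shown above and maps them onto the next step of this procedure. The 80% CPU threshold and the minimum of three send failures are assumptions, and the sample outputs are constructed from the article's text.

```python
import re
from collections import Counter

# Constructed samples of the two outputs shown in this article (not captured from a device).
TOP_SAMPLE = """\
          fnbamd    29949      R      98.5     0.1    7
             wad    31715      S      52.7     0.4    1
       ipsengine     9027      S <     0.9     1.0    3
"""
DEBUG_SAMPLE = """\
2025-02-11 09:43:52 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:52 failed to send auth_cert request
2025-02-11 09:43:53 send_request: Error sending errno=11(Resource temporarily unavailable)
2025-02-11 09:43:53 failed to send auth_cert request
2025-02-11 09:43:55 send_request: Error sending errno=11(Resource temporarily unavailable)
"""

# A 'diag sys top' process row: name, PID, state, optional '<' marker, CPU%, MEM%, core.
TOP_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*<?\s+([\d.]+)\s+([\d.]+)\s+(\d+)\s*$")
# The fnbamd send failure line; group 1 is the errno (11 = EAGAIN in the article's output).
SEND_ERR = re.compile(r"send_request: Error sending errno=(\d+)\(")

def parse_top(text):
    """Map PID -> (process name, CPU%) for every process row in diag sys top output."""
    rows = {}
    for line in text.splitlines():
        m = TOP_ROW.match(line)
        if m:
            rows[int(m.group(2))] = (m.group(1), float(m.group(4)))
    return rows

def hot_pids(rows, name="fnbamd", cpu_threshold=80.0):
    """PIDs of the named process at or above the CPU threshold (threshold is an assumption)."""
    return sorted(pid for pid, (n, cpu) in rows.items() if n == name and cpu >= cpu_threshold)

def send_errnos(debug_text):
    """Count fnbamd send_request failures per errno value."""
    return Counter(int(m.group(1)) for m in map(SEND_ERR.search, debug_text.splitlines()) if m)

def triage(top_text, debug_text, min_failures=3):
    """Map the two signals onto the next step this article prescribes."""
    hot = hot_pids(parse_top(top_text))
    if hot and send_errnos(debug_text).get(11, 0) >= min_failures:
        return "sniffer"    # errno=11 burst: test reachability to the LDAP server, then restart fnbamd
    if hot:
        return "debug"      # fnbamd busy but no send errors seen yet: enable fnbamd debug and re-check
    return "escalate"       # no fnbamd CPU symptom: this procedure does not apply, open a TAC ticket
```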

 

Note:

Open a ticket with TAC if the problem is not resolved.

 
