FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ManoelMartins
Article Id 398722
Description This article describes the behavior related to LDAP authentication failures when FortiToken is used as MFA, where the login is rejected even though the username and password are correct.
Scope

FortiGate up to v7.6.2, SSL VPN web access, FortiToken, LDAP user added on the FortiGate (Not FSSO).

Solution

After running the following CLI commands and reproducing the login attempt:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable

When it works as expected, there is a line:

fam_auth_proc_resp:1369 fnbam_auth_update_result return: 0 (success)

When the issue happens, there is a line:

fam_auth_proc_resp:1369 fnbam_auth_update_result return: 1 (invalue username/password)

If the credentials are definitely correct, check the account in Active Directory: the FortiGate does not handle account management, such as password expiration, so an account-level problem on the AD side is reported by fnbamd as an invalid username/password.

If the account does have a password issue, reset the password and uncheck the option that requires the user to change the password at the next logon.
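The following script is an added example (not from the article or from Fortinet) that triages a captured fnbamd debug output: it extracts each fnbam_auth_update_result line, counts the result codes, and states the next step the article recommends. The timestamp format, the sample lines and the noise line are constructed assumptions; only result codes 0 and 1 are taken from the article.

```python
import re
from collections import Counter

# Matches the fnbamd result line quoted in the article. The optional timestamp
# prefix assumes the "YYYY-MM-DD HH:MM:SS " form added by
# "diagnose debug console timestamp enable" (assumption, not from the article).
RESULT_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+)?"
    r"fam_auth_proc_resp:\d+ fnbam_auth_update_result return: "
    r"(?P<code>\d+) \((?P<msg>[^)]*)\)$"
)

# Constructed sample capture: one successful LDAP login, one rejected login,
# plus an unrelated debug line that the parser must ignore.
SAMPLE_DEBUG = """\
2025-01-15 10:22:31 [constructed] unrelated fnbamd debug line
2025-01-15 10:22:31 fam_auth_proc_resp:1369 fnbam_auth_update_result return: 0 (success)
2025-01-15 10:25:02 fam_auth_proc_resp:1369 fnbam_auth_update_result return: 1 (invalue username/password)
""".splitlines()


def parse_results(lines):
    """Return (timestamp, code, message) for every fnbam_auth_update_result line."""
    found = []
    for line in lines:
        m = RESULT_RE.match(line.strip())
        if m:
            found.append((m.group("ts"), int(m.group("code")), m.group("msg")))
    return found


def triage(lines, credentials_verified=True):
    """Count result codes and name the next step from the article's guidance."""
    results = parse_results(lines)
    counts = Counter(code for _, code, _ in results)
    if not results:
        step = "no fnbam_auth_update_result line captured; re-run the debug and reproduce the login"
    elif counts.get(1) and credentials_verified:
        # Code 1 with known-good credentials: the account state lives in AD,
        # not on the FortiGate (expired password, change-at-next-logon flag).
        step = "check the account in Active Directory (password expired or must change at next logon)"
    elif counts.get(1):
        step = "confirm the username and password before looking at the AD account"
    else:
        step = "LDAP authentication returned success for every attempt"
    return {"counts": dict(counts), "next_step": step}


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```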

Related article:

Troubleshooting Tip: FortiGate LDAP authentication errors