Description
This article describes how to troubleshoot the 'Hostname does not match name' error for LDAP over a secure connection in FortiManager/FortiAnalyzer.
Scope
- FortiManager/FortiAnalyzer.
- Windows Active Directory (AD) is used as the LDAP server and Certificate Authority (CA).
Solution
Note: The 'Server Name/IP' attribute in the LDAP settings must match the name in the LDAP server certificate (its common name (CN), or an entry in its Subject Alternative Name extension). The value entered there becomes the host part of the ldaps:// URL, and that is the value the TLS certificate name check compares against.
Getting the 'Hostname does not match name' error message:
1) When facing an LDAPS problem, run the following debug commands in the CLI:
# diag debug reset
# diag debug application auth 8
# diag debug enable
Log in with the LDAP user from the FortiManager/FortiAnalyzer GUI.
To disable debug output:
# diag debug disable
2) The debug log shows the 'TLS: hostname does not match name in peer certificate' error message.
Sample output (with error):
Wira-kvm13 # diag debug application auth 8
Wira-kvm13 # diag debug enable
Wira-kvm13 #
2023-04-17 10:22:19 s3106: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-17 10:22:19 s3106: wildcard admin: ldap-user
2023-04-17 10:22:19 s3106: start ldap: ldap-server
2023-04-17 10:22:19 s3106:ldap-server: url: ldaps://10.x.x.x:636
2023-04-17 10:22:19 s3106:ldap-server: binding admin: tadmin
2023-04-17 10:22:19 s3106:ldap-server: TLS: hostname does not match name in peer certificate
2023-04-17 10:22:19 s3106:ldap-server: bind failed: Can't contact LDAP server
2023-04-17 10:22:19 s3106:ldap-server: denied
2023-04-17 10:22:19 s3106: auth result: denied
3) This happens when the name FortiManager/FortiAnalyzer connects to (the 'Server Name/IP' value, shown above as the host in ldaps://10.x.x.x:636) is not the same as the name in the LDAP server certificate, typically because the server's hostname/computer name differs from the certificate CN value. The TLS client checks the Subject Alternative Name entries first and falls back to the CN; an IP address entered as 'Server Name/IP' can only match an IP Address entry in the Subject Alternative Name or a CN that is literally that address. The bind then fails before any LDAP traffic is exchanged, which is why the next line reports "Can't contact LDAP server" rather than an authentication error.
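The following PowerShell script is an added example; it is not part of the Fortinet article. It performs the check the debug output implies: it retrieves the certificate the LDAP server presents on TCP 636 and tests whether the 'Server Name/IP' value appears in it, consulting the Subject Alternative Name first and falling back to the Subject CN, as the TLS client does. It also covers the situation in the sample output, where the configured value is an IP address. The server name and address it uses are hypothetical.

```powershell
# Added example, not from the Fortinet article. Names and addresses are hypothetical.
function Get-LdapsServerCertificate {
    # Open a TLS session to the LDAPS port and return the certificate the server presents.
    param(
        [Parameter(Mandatory)][string]$Server,   # the 'Server Name/IP' value
        [int]$Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate here: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        # Copy the certificate so it survives closing the stream.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-DnsNameMatch {
    # Case-insensitive DNS name comparison; a wildcard is honoured only as the whole left-most label.
    param([string]$Pattern, [string]$Name)
    if ($Pattern.StartsWith('*.')) {
        $dot = $Name.IndexOf('.')
        return ($dot -gt 0) -and ($Name.Substring($dot + 1) -ieq $Pattern.Substring(2))
    }
    return $Pattern -ieq $Name
}

function Test-CertificateName {
    # Does $Name (the 'Server Name/IP' value) match the certificate? Subject Alternative
    # Name entries are checked first; the Subject CN is only consulted when none of them match.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Name
    )
    $ip = $null
    $nameIsIp = [System.Net.IPAddress]::TryParse($Name, [ref]$ip)

    # Windows formats the SAN extension as "DNS Name=host, IP Address=1.2.3.4, ..."
    $san = @()
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) {
        $san = @($ext.Format($false) -split ',\s*' | ForEach-Object {
            $kv = $_ -split '=', 2
            [pscustomobject]@{ Type = $kv[0].Trim(); Value = $kv[1].Trim() }
        })
    }
    $cn = if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1] } else { '' }

    $sanHit = if ($nameIsIp) {
        $san | Where-Object { $_.Type -eq 'IP Address' -and $_.Value -eq $ip.ToString() }
    } else {
        $san | Where-Object { $_.Type -eq 'DNS Name' -and (Test-DnsNameMatch $_.Value $Name) }
    }
    $cnHit = (-not $sanHit) -and $cn -and
             (($nameIsIp -and $cn -eq $Name) -or ((-not $nameIsIp) -and (Test-DnsNameMatch $cn $Name)))

    [pscustomobject]@{
        Name      = $Name
        Subject   = $Certificate.Subject
        Issuer    = $Certificate.Issuer    # must be the CA imported into FortiManager/FortiAnalyzer
        SAN       = ($san | ForEach-Object { "$($_.Type)=$($_.Value)" }) -join '; '
        MatchedBy = if ($sanHit) { 'SAN' } elseif ($cnHit) { 'CN' } else { 'none' }  # 'none' = the error above
    }
}

# Usage (hypothetical values): the first call is the check a FortiManager/FortiAnalyzer
# configured with the FQDN performs, the second the check performed when 'Server Name/IP'
# holds the address instead, as in the debug output (ldaps://10.x.x.x:636).
$cert = Get-LdapsServerCertificate -Server 'dc01.corp.example'
Test-CertificateName -Certificate $cert -Name 'dc01.corp.example'
Test-CertificateName -Certificate $cert -Name '10.0.0.10'
```

A result of 'none' for the value actually configured in 'Server Name/IP' reproduces the debug error; the SAN and Subject columns then show which name the certificate would accept, and the Issuer column shows whether it was issued by the CA that FortiManager/FortiAnalyzer trusts.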
Troubleshooting:
There are three ways to avoid the 'hostname does not match name' error:
1) In the FortiManager/FortiAnalyzer LDAP settings, select No Certificate. This stops FortiManager/FortiAnalyzer from verifying the LDAP server certificate, so the TLS session no longer authenticates the server; use it to confirm the diagnosis, not as a permanent fix.
2) Change the LDAP server hostname/computer name so that it is the same as the LDAP certificate CN value, and use that same name in 'Server Name/IP'.
3) Create a new certificate with the required certificate properties (a subject name that matches the 'Server Name/IP' value) and install it on the LDAP server:
Note: Make sure the new certificate is issued by the same CA whose certificate has been imported into FortiManager/FortiAnalyzer; otherwise the certificate check fails on trust instead of on the name.
How to create a new certificate using the Microsoft CA Web Server template:
Note: Make sure the Windows user has permission to enroll certificates using the Web Server template.
1) Press Windows+R to open Run, type certlm.msc and select OK.
2) This launches the Local Computer certificate store. Go to Personal -> Certificates (the store that holds the computer's own certificates), right-click Certificates and select All Tasks -> Request New Certificate.
3) In the Certificate Enrollment page, select Next.
4) In the Select Certificate Enrollment Policy page, select Next.
5) On the Request Certificates page, select 'More information…' under Web Server.
Note: The Web Server option is not listed if the user does not have permission to enroll using the Web Server template.
6) In the Certificate Properties dialog, add the two certificate properties the certificate must carry (at minimum a Subject common name that matches the 'Server Name/IP' value) and select OK.
7) Select Web Server and select Enroll.
8) The new certificate is enrolled and installed on the LDAP server.
9) Select Finish to close the Certificate Enrollment wizard.
10) The newly generated certificate is listed under Certificates - Local Computer -> Personal -> Certificates. If another valid server-authentication certificate is still present in the same store, the LDAPS listener may keep using it; remove the stale certificate so that the new one is the only candidate.
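As an added example (not part of the Fortinet article), the same Web Server template enrollment can be done from an elevated PowerShell prompt on the LDAP server with certreq, which also makes the two certificate properties explicit: the subject common name and the Subject Alternative Name. The script requests the certificate, installs it into Local Computer\Personal and then prints what was issued so the name, issuer and Server Authentication EKU can be compared with the FortiManager/FortiAnalyzer settings. The server name, IP address, CA configuration string and template name are placeholders.

```powershell
# Added example, not from the Fortinet article. Server name, address, CA and template
# name are assumptions; replace them with your own. Run in an elevated prompt on the
# LDAP server (certreq -new with MachineKeySet needs local administrator rights).
$ServerName = 'dc01.corp.example'                  # must equal 'Server Name/IP' on FortiManager/FortiAnalyzer
$ServerIp   = '10.0.0.10'                          # optional IP SAN, for when 'Server Name/IP' holds an address
$CaConfig   = 'ca01.corp.example\Corp-Issuing-CA'  # "<CA host>\<CA common name>"
$Template   = 'WebServer'                          # template name, not its display name "Web Server"
$Work       = Join-Path $env:TEMP 'ldaps-cert'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# certreq policy file. The two properties the wizard asks for are supplied here as the
# Subject common name and the Subject Alternative Name extension (DNS and IP entries).
@"
[NewRequest]
Subject = "CN=$ServerName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ServerName&"
_continue_ = "ipaddress=$ServerIp&"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path (Join-Path $Work 'ldaps.inf') -Encoding ASCII

function Invoke-CertReq {
    # certreq reports failure through its exit code; stop instead of continuing with a missing file.
    param([string[]]$CertReqArgs)
    & certreq.exe @CertReqArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq $($CertReqArgs[0]) failed with exit code $LASTEXITCODE" }
}

$inf = Join-Path $Work 'ldaps.inf'; $req = Join-Path $Work 'ldaps.req'; $cer = Join-Path $Work 'ldaps.cer'
Invoke-CertReq -CertReqArgs @('-new', $inf, $req)                           # key pair in the Local Computer store + CSR
Invoke-CertReq -CertReqArgs @('-submit', '-config', $CaConfig, $req, $cer)  # issued by the enterprise CA
if (-not (Test-Path $cer)) { throw "The CA did not issue the certificate immediately (request pending?)" }
Invoke-CertReq -CertReqArgs @('-accept', $cer)                              # installs into Local Computer\Personal

# Verify the installed certificate carries the names and comes from the expected CA.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServerName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$ServerName in Local Computer\Personal" }

$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$eku = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"      # the CA whose certificate is imported into FortiManager/FortiAnalyzer
"SAN       : $san"
"EKU       : $eku"                 # must include Server Authentication
"Thumbprint: $($cert.Thumbprint)"
if ($san -notmatch [regex]::Escape($ServerName)) { throw "SAN does not contain $ServerName" }

# Older server-authentication certificates in the same store compete with the new one;
# list them so the stale one can be removed before re-testing from FortiManager/FortiAnalyzer.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ne $cert.Thumbprint -and $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

The issuer printed by the script is the value to compare with the CA certificate imported into FortiManager/FortiAnalyzer; if it differs, the LDAP settings will fail the certificate check on trust even though the name now matches.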
Test scenario: Log in to FortiManager/FortiAnalyzer with the LDAP user and verify the result in the debug log.
Sample output:
2023-04-17 11:12:27 s3129: auth request: user=fortinet from=GUI(10.x.x.x)