tnesh
Staff & Editor
Article Id 252622
Description

This article describes how to troubleshoot the 'Hostname does not match name' error for LDAP over a secure connection (LDAPS) in FortiManager/FortiAnalyzer.
Scope

- FortiManager/FortiAnalyzer.

- Windows Active Directory (AD) will be used as the LDAP server and Certificate Authority (CA).

Solution

Note:

- The 'Server Name/IP' attribute in the LDAP settings must match the CN field of the LDAP server certificate.

Getting the 'Hostname does not match name' error message:

1) When facing an LDAPS problem, run the following debug commands in the CLI:

# diag debug reset
# diag debug application auth 8
# diag debug enable

Then log in with the LDAP user from the FortiManager/FortiAnalyzer GUI.

To disable the debug output:

# diag debug disable

2) The debug log shows the 'TLS: hostname does not match name in peer certificate' error message.

Sample output (with error):

Wira-kvm13 # diag debug application auth 8
Wira-kvm13 # diag debug enable
Wira-kvm13 # 2023-04-17 10:22:19
2023-04-17 10:22:19 s3106: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-17 10:22:19 s3106: wildcard admin: ldap-user
2023-04-17 10:22:19 s3106:   start ldap: ldap-server
2023-04-17 10:22:19 s3106:ldap-server: url: ldaps://10.x.x.x:636
2023-04-17 10:22:19 s3106:ldap-server: binding admin: tadmin
2023-04-17 10:22:19 s3106:ldap-server:   TLS: hostname does not match name in peer certificate
2023-04-17 10:22:19 s3106:ldap-server:   bind failed: Can't contact LDAP server
2023-04-17 10:22:19 s3106:ldap-server: denied
2023-04-17 10:22:19 s3106: auth result: denied

3) This happens when the LDAP server hostname/computer name is not the same as the CN value of the LDAP certificate.

Troubleshooting:

There are three ways to avoid the 'hostname does not match name' error:

1) In the FortiManager/FortiAnalyzer LDAP settings, choose No Certificate.

2) Change the LDAP server hostname/computer name to be the same as the CN value of the LDAP certificate.

3) Create a new certificate with the following certificate properties and install it on the LDAP server:

Type          Value
Common name   FQDN of the LDAP server
IP address    IP address of the LDAP server

Note:

Make sure the new certificate is issued by the same CA whose certificate has been imported into FortiManager/FortiAnalyzer.

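The following Python script is an added example, not part of the original article and not FortiManager's own code. It models the peer-name check that an LDAPS client performs on the server certificate, so that the three options above can be reasoned about before touching the configuration: a configured IP address is compared only with iPAddress SANs, a configured hostname only with dNSName SANs, and the subject CN is consulted only when the certificate has no SAN of the relevant type (a simplified form of the RFC 6125 rules; the real client library may differ in details). The certificate dicts use the shape returned by Python's ssl getpeercert(), and the FQDN ldap.fortilab.com, the address 10.0.0.5 and the issuer name fortilab-CA are constructed values; the function names are this example's own.

```python
import ipaddress
import socket
import ssl

# Certificates are described in the dict shape that ssl.SSLSocket.getpeercert()
# returns, so a certificate taken from a live LDAPS connection can be passed in
# unchanged. Both certificates below are constructed for this example.

# Constructed: certificate with only a subject CN and no subjectAltName.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.fortilab.com"),),),
    "issuer": ((("commonName", "fortilab-CA"),),),
}

# Constructed: certificate with a DNS SAN and an IP SAN, i.e. the properties
# the article asks for (Common name = FQDN, IP address = server IP).
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ldap.fortilab.com"),),),
    "issuer": ((("commonName", "fortilab-CA"),),),
    "subjectAltName": (("DNS", "ldap.fortilab.com"), ("IP Address", "10.0.0.5")),
}


def subject_cn(cert):
    """Return the subject commonName of a getpeercert()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_match(pattern, hostname):
    """Case-insensitive DNS name match allowing one leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def check_server_name(server_name, cert):
    """Model of the TLS peer-name check for the configured 'Server Name/IP'.

    Returns (ok, reason). An IP is matched only against iPAddress SANs and a
    hostname only against dNSName SANs; the subject CN is used only when the
    certificate carries no SAN of that type (simplified RFC 6125 behaviour).
    """
    try:
        wanted_ip = ipaddress.ip_address(server_name)
    except ValueError:
        wanted_ip = None
    sans = cert.get("subjectAltName", ())

    if wanted_ip is not None:
        ip_sans = [v for k, v in sans if k == "IP Address"]
        if ip_sans:
            for v in ip_sans:
                if ipaddress.ip_address(v) == wanted_ip:
                    return True, "matched iPAddress SAN %s" % v
            return False, "%s is not among iPAddress SANs %s" % (server_name, ip_sans)
    else:
        dns_sans = [v for k, v in sans if k == "DNS"]
        if dns_sans:
            for v in dns_sans:
                if dns_match(v, server_name):
                    return True, "matched dNSName SAN %s" % v
            return False, "%s is not among dNSName SANs %s" % (server_name, dns_sans)

    # No SAN of the relevant type: fall back to the subject CN.
    cn = subject_cn(cert)
    if cn is not None:
        cn_ok = cn == server_name if wanted_ip is not None else dns_match(cn, server_name)
        if cn_ok:
            return True, "matched subject CN %s" % cn
    return False, "hostname does not match name in peer certificate (CN=%s)" % cn


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch what an LDAPS server presents, as a getpeercert() dict.

    Name checking is disabled only so the presented certificate can be
    inspected; the chain is still verified against cafile (the CA certificate
    imported into FortiManager), because Python returns {} for unverified peers.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("CN + IP SAN", CERT_WITH_IP_SAN)):
        for name in ("10.0.0.5", "ldap.fortilab.com"):
            ok, why = check_server_name(name, cert)
            print("%-12s %-18s %s: %s" % (label, name, "OK" if ok else "FAIL", why))
```

Run stand-alone, the script shows the pattern behind the debug output above: with a CN-only certificate, a 'Server Name/IP' set to an address fails while the FQDN passes, and adding the IP SAN makes the address pass as well. To inspect a real server, call fetch_peer_cert() with the LDAP server address and the CA file that was imported into FortiManager/FortiAnalyzer, then pass the returned dict to check_server_name() with the value configured in the LDAP settings.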
How to create a new certificate using the Microsoft CA Web Server template:

Note:

Make sure the Windows user has permission to create certificates using the Web Server template.

1) Press Windows+R to open Run, type certlm.msc and select OK.

2) This launches the Local Computer certificate store. Go to Personal -> Certificates, where the root certificate is stored, then right-click Certificates -> All Tasks -> Request New Certificate.

3) On the Certificate Enrollment page, select Next.

4) On the Select Certificate Enrollment Policy page, select Next.

5) On the Request Certificates page, select 'More Information...' under Web Server.

Note:

The Web Server option will not be available if the user does not have permission to enroll using the Web Server template.

6) Add the following two certificate properties and select OK.

Type          Value
Common name   FQDN of the LDAP server
IP address    IP address of the LDAP server

7) Select Web Server and select Enroll.

8) The new certificate will be enrolled and installed on the LDAP server.

9) Select Finish to close the Certificate Enrollment wizard.

10) The newly generated certificate will be under Certificates - Local Computer -> Personal -> Certificates.

 

Test Scenario:

Log in to FortiManager/FortiAnalyzer using the LDAP user and verify the result from the debug log.

Sample output:

2023-04-17 11:12:27 s3129: auth request: user=fortinet from=GUI(10.x.x.x)
2023-04-17 11:12:27 s3129: wildcard admin: ldap-user
2023-04-17 11:12:27 s3129: start ldap: ldap-server
2023-04-17 11:12:27 s3129:ldap-server: url: ldaps://10.x.x.x:636
2023-04-17 11:12:27 s3129:ldap-server: binding admin: tadmin
2023-04-17 11:12:28 s3129:ldap-server: got result: Success(0)
2023-04-17 11:12:28 s3129:ldap-server: searching users: OU=labgroup,DC=fortilab,DC=com scope=subtree filter=cn=fortinet attrs=1.1
2023-04-17 11:12:28 s3129:ldap-server: got result: Success(0)
2023-04-17 11:12:28 s3129:ldap-server: dn: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-17 11:12:28 s3129:ldap-server: binding user: CN=fortinet,OU=labgroup,DC=fortilab,DC=com
2023-04-17 11:12:28 s3129:ldap-server: got result: Success(0)
2023-04-17 11:12:28 s3129:ldap-server: success
2023-04-17 11:12:28 s3129: wildcard admin matched: ldap-user
2023-04-17 11:12:28 s3129: auth result: success
Related article:

https://community.fortinet.com/t5/FortiManager/Technical-Tip-Configuring-LDAPS-on-FortiManager-and/t...
