Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gpojer
New Contributor

Join AD with Fortigate 40-F, DNS Problems

Hello Community,

 

I am an absolute newbie to FortiGate. My network configuration is as follows:

 

The domain controller is located at the NAS1 192.168.17.201, the domain is local.XXXX.it.

 

My DNS settings are as follows: 

 

However, when I ping my domain controller with execute ping local.XXXX.it I get a response from the IP of the host of my website www.XXXX.it (courtesy page). What is wrong here?

 

In fact, I cannot register to the LDAP Server:

 

Can anyone help?

 

Thanks in advance.
gpojer
New Contributor

Can anyone help me?

NeilG

I'm guessing you are following one of the SSO LDAP cookbooks?

 

Cookbook | FortiGate / FortiOS 6.2.7 | Fortinet Documentation Library

 

One thing I noticed: your user name for your LDAP authentication is in the NT/LANMan format of Domain\Username.

 

This (for LDAP auth) should be in a distinguished name format.

 
This might help:

Windows: How do I find an LDAP User and their Group Base DN for Microsoft Active Directory? – marktu...

 

gpojer
New Contributor

I have tried with cn=administrator, DC=local, DC=XXXX, DC=it and it still does not work.

gpojer
New Contributor

Can anyone help?

brycemd

You will need to set up source IPs for those functions so the FortiGate knows what IP to send from.

 
In the case of LDAP:

config user ldap
    edit 'your ldap name'
        set source-ip 'your internal IP'
    next
end

 

This is because the FortiGate uses the interface it exits as its source IP. The problem with this is that IPSEC tunnels by default have an IP of 0.0.0.0/0.0.0.0, which means it is not returnable from the other side for FortiGate-generated traffic. So, you need to identify what IP the traffic should be generated with.

 

For example, you likely cannot exec ping to the other side of the tunnel using even IP addresses let alone DNS. You would need to first 'exec ping-options source internalipoffortigate'.

 

There are many places in the FortiGate config where you need to do this, basically anything FortiGate-generated going over non-routable interfaces.

 
Edit - I may have totally misread this scenario. I saw VPN in your drawing and assumed there were IPSEC tunnels in play. Are you saying it can't contact the LDAP server even on the same network? The easy fix is to change your FortiGate's DNS servers to the internal DNS server instead of 1.1.1.1. You don't gain much benefit from split/recursive DNS when everything is at the same site. Also, there's not much point in using the DNS name for the LDAP server connection; just use the IP and it takes DNS out of the equation.

gpojer
New Contributor

Thanks a lot for the kind answer. However, I have to admit that I have understood only a small fraction of your explanation. As I said, I am a complete beginner with Fortigate.

But let's clear your PS.

 

brycemd wrote:

 

Edit - I may have totally misread this scenario. I saw VPN in your drawing and assumed there were IPSEC tunnels in play. Are you saying it can't contact the LDAP server even on the same network? The easy fix is to change your FortiGate's DNS servers to the internal DNS server instead of 1.1.1.1. You don't gain much benefit from split/recursive DNS when everything is at the same site. Also, there's not much point in using the DNS name for the LDAP server connection; just use the IP and it takes DNS out of the equation.

I am connected to the firewall through an IPSec tunnel. I set up the firewall via VPN. My first goal is to make the firewall join the AD. The domain controller local.XXXX.it is set up on my QNAP NAS, 192.168.17.201. The next step is to join the domain via the VPN tunnel.

 

Thanks in advance for your clarifications and possible solutions to my problem.

brycemd

I think a lot of what I said doesn't even apply to your scenario, apologies for that.

 

The scenario is a FortiGate on the same subnet as a NAS acting as AD. I hope I am correct this time.

 

I would simply change the DHCP scope to give out the NAS IP as DNS instead of using the FortiGate as DNS, unless there's a reason the NAS can't act as your full DNS server. And change the LDAP server to use the IP, 192.168.17.201, rather than the local.xxx.it DNS name.

 

As far as I can tell, doing those two things and getting rid of the recursive DNS setup will solve your issue.

 

That being said... The LDAP setting does not 'join the fortigate' to the domain. It allows, for example, you to use domain accounts to connect to a VPN.
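Putting NeilG's point about the bind identity format together with brycemd's point about which resolver the FortiGate is asking, here is a small pre-flight check as an added example; it is not code from this thread or from Fortinet. It assumes the resolver answers were captured by hand (for instance from execute ping or nslookup on the FortiGate) and are fed in as a dict, uses the DC address 192.168.17.201 from the thread with the documentation-range placeholder 203.0.113.10 standing in for the public web host, and assumes the administrator account still sits in AD's default CN=Users container.

```python
"""Pre-flight checks for a FortiGate LDAP/AD setup (added example, not from the thread)."""
import ipaddress
import re

# RFC 1918 ranges; a domain controller should normally answer on one of these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data. The DC address is the one from the thread; the public
# address is a documentation-range placeholder for the web host.
AD_DOMAIN = "local.XXXX.it"
DC_IP = "192.168.17.201"
PUBLIC_RESOLVER_ANSWERS = {            # what a public resolver such as 1.1.1.1 returns
    "www.xxxx.it": ["203.0.113.10"],
    "local.xxxx.it": ["203.0.113.10"],  # a wildcard in the public zone answers for any label
}
INTERNAL_RESOLVER_ANSWERS = {          # what the DC's own DNS service returns
    "www.xxxx.it": ["203.0.113.10"],
    "local.xxxx.it": ["192.168.17.201"],
}


def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


def check_dc_resolution(ad_domain, answers, expected_dc):
    """Classify what the resolver in use returns for the AD domain name.

    `answers` maps lowercase names to the address list the resolver returned.
    Returns (ok, reason).
    """
    name = ad_domain.lower()
    got = answers.get(name, [])
    if not got:
        return False, "no answer: this resolver does not serve the internal zone"
    if expected_dc in got:
        return True, "resolves to the domain controller"
    if not any(is_private(a) for a in got):
        parent = name.split(".", 1)[1] if "." in name else name
        web = set(answers.get("www." + parent, []))
        hint = (" and matches the public web host, the signature of a wildcard record in the public zone"
                if web & set(got) else "")
        return False, (f"resolves to public address(es) {', '.join(got)}{hint}; "
                       f"the FortiGate is asking a public resolver, point it at {expected_dc}")
    return False, f"resolves to {', '.join(got)}, not the expected DC {expected_dc}"


NT_STYLE = re.compile(r"^[^\\@]+\\[^\\@]+$")                      # DOMAIN\user
DN_STYLE = re.compile(r"^\s*\w+=[^,]+(\s*,\s*\w+=[^,]+)*\s*$")    # attr=value,attr=value,...


def bind_identity_kind(value):
    """'nt' for DOMAIN\\user (the format NeilG flags as wrong for LDAP bind),
    'dn' for a distinguished name, 'unknown' otherwise."""
    if NT_STYLE.match(value):
        return "nt"
    if DN_STYLE.match(value):
        return "dn"
    return "unknown"


def user_dn(cn, ad_domain, container="CN=Users"):
    """Build the bind DN for an account in the default Users container
    (assumption: the account was not moved to another OU)."""
    base = ",".join("DC=" + label for label in ad_domain.split("."))
    return f"CN={cn},{container},{base}"


if __name__ == "__main__":
    for label, answers in (("public resolver", PUBLIC_RESOLVER_ANSWERS),
                           ("internal resolver", INTERNAL_RESOLVER_ANSWERS)):
        ok, why = check_dc_resolution(AD_DOMAIN, answers, DC_IP)
        print(f"{label}: {'OK' if ok else 'PROBLEM'} - {why}")
    for ident in (r"LOCAL\administrator", user_dn("administrator", AD_DOMAIN)):
        print(f"{ident!r} -> {bind_identity_kind(ident)}")
```

Run against the public-resolver answers the check reports the symptom from the first post (the AD name landing on the web host's address); against the DC's answers it passes. The second half only tells a Domain\Username value apart from a DN and builds a DN for the default container; if the account lives in another OU, the container argument has to be changed to match.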

 
gpojer
New Contributor

So here I am again. VPN is working. DNS is OK. I have also set up the LDAP server on the FortiGate and imported a domain user into the vpnusers group on the FortiGate. So the vpnusers group now has a local user and a domain user.

 

The problem is that I can set up a VPN connection (with FortiClient) with the local user credentials but not with the domain user credentials.

 

Can you help me with troubleshooting?

gpojer
New Contributor

Can anyone help?
