Hi,
I would like to configure an LDAPS connection to my domain controller. I installed the cert on AD and installed the CA cert on the Fortigate;
from any Windows PC using ldap.exe I get a secure connection to the DC on port 636.
The domain controller name is resolved by FQDN from the Fortigate, but when I create the connection using the secure option I get the error: "Can't contact LDAP server"
To configure secure LDAP, you first need to install and configure a Certificate Authority on your Domain Controller.
I don't need local CA, we use public commercial certificate.
Ok! I'm using self-signed certificates.
Then check whether your certificate meets the requirements:
Setup LDAPS (LDAP over SSL)
The certificate to be used for LDAPS must satisfy the following 3 requirements:
• The certificate must be valid for the purpose of Server Authentication. This means that it must also contain the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
• The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate.
• The host machine account must have access to the private key.
I have generated a public certificate with CN=FQDN of the domain server; there is also a key usage extension in the certificate with Server Authentication (OID: 1.3.6.1.5.5.7.3.1). The CSR was done on the domain controller, then the newly issued certificate was imported into the computer account's certificates.
Then I also imported the CA_root certificate to the Fortigate.
As I said, from my PC, using an application like lpdadmin, I can connect to the FQDN of my domain controller on port 636. I then confirm this on the domain controller with the command netstat -an | find ":636", which shows the connection is established. If I choose the IP address in lpadmin instead of the FQDN of the domain controller, then I cannot connect on port 636, so I think this proves that LDAPS is working correctly.
But on the Fortigate side, when connecting using the secure connection on port 636, I cannot connect.
Yes, I followed exactly this Microsoft guide.
Have you tried connecting over LDAP instead of LDAPS, to validate the connection and basic settings?
Yes, the connection on port 389 is working.
Maybe there are some debug commands that I could use to check whether there is a problem with the SSL connection?
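The FortiGate-side configuration and the CLI diagnostics asked for above, as an added example that is not part of the original thread and not Fortinet's own documentation. The names are assumptions: dc1.example.com is the domain controller FQDN (it must be the name that appears in the server certificate's CN or SAN, not the IP address), "CA_root" is the name the imported CA certificate was given on the FortiGate, and svc-fortigate is the bind account. The order matters: check name resolution and the presence of the CA first, because a wrong FQDN or a missing trust anchor both surface as the same generic "Can't contact LDAP server" message.

```fortios
# Added example (not from the original thread). Assumed names:
#   dc1.example.com  = domain controller FQDN, must match the certificate CN/SAN
#   "CA_root"        = name of the imported CA certificate on the FortiGate
#   svc-fortigate    = account used for the LDAP bind

# 1. Name resolution and reachability from the FortiGate itself (not from a PC).
execute ping dc1.example.com

# 2. Confirm the CA certificate really exists on the unit under the name used below.
show vpn certificate ca

# 3. LDAP server object: LDAPS on port 636, with the imported CA as trust anchor.
config user ldap
    edit "AD-LDAPS"
        set server "dc1.example.com"
        set port 636
        set secure ldaps
        set ca-cert "CA_root"
        # on FortiOS releases that have it, this makes the unit verify that
        # "server" matches the certificate's SAN/CN; an IP address will then fail
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com"
        set password ExampleBindPassword
    next
end

# 4. Test the bind and a user lookup from the CLI; the same failure the GUI
#    reports shows here if the TLS handshake or the bind is rejected.
diagnose test authserver ldap AD-LDAPS testuser TestPassword

# 5. Enable fnbamd debugging, repeat the test, read the output, then disable it.
diagnose debug application fnbamd -1
diagnose debug enable
diagnose test authserver ldap AD-LDAPS testuser TestPassword
diagnose debug disable
diagnose debug reset

# 6. If the debug output shows the connection opening but no LDAP response,
#    capture the handshake itself to see whether the DC sends a TLS alert.
diagnose sniffer packet any 'port 636' 4
```

Two things to check if step 4 still fails while the PC-side test succeeds: the CA imported on the FortiGate must be the issuer chain of the DC's certificate (if the certificate was issued by an intermediate CA, the intermediate is needed too, not only the root), and the server name in the LDAP object must be the FQDN that the FortiGate resolves and that the certificate carries, since connecting by IP is exactly the case that already failed from the PC in the thread.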
Copyright 2024 Fortinet, Inc. All Rights Reserved.