Hi,
I would to configure LDAPS connection to my domain controller, installed cert on AD, installed CA cert on Fortigate,
from any windows PC using ldap.exe I have secure connection to DC on port 636.
Domain controller name is resolved by FQDN from Fortigate, but when I create connection using secure option I get error : " Can't contact LDAP server"
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Well, every server would be behind firewall, at least its own one!
I could never get the firmware 7 to connect on 636 SSL, only 389 insecure works
Anybody any more useful ideas?
Start TLS extended request
LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
Multiple SSL certificates
Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.
Pre-SP3 SSL certificate caching issue
If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate
[/ul]on port 3269 I have also error when connecting.
and connection from ldp.exe program, is successful, give me info that domain controller accept SSL connection:
If you're using "samaccountname" try changing Bind Type to "Regular" and then specifying a Username for a domain user account (e.g. domain user "fortigate_ldap" - doesn't have to be domain admin) in format "CN=fortigate_ldap,OU=....,DC=....,DC=....,DC=...
You can leave the Certificate field blank.
Russ
You mean this way? Still can't connect. I need to check any certificate, I can not set empty one.
Hey there,
don't set a certificate(leave it empty) and then try again.
Regards
sudo apt-get-rekt
Please tell me why when I select Ca_Certificate on my LDAPS connection I have this error:
My uploaded CA_Certificates are wrong?
Can you run a capture to confirm that the tcp/636 packets are being issued by the Fortigate and are being received by the domain controller? This could be done either by installing wireshark on the DC or possibly by running a packet capture directly on the firewall itself
Hi all
we're experiencing the same issue.
Internal CA microsoft. CA Certificate imported into Fortigate. Configured LDAPS as per KB with port 636 and CA certificate.
Got the error Cannot connect to ldap server.
Has anyone found a solution?
Hi,
Via CLI, you can try to disable the parameter "server-identity-check" in LDAP configuration.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1647 | |
1070 | |
751 | |
443 | |
214 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.