Support Forum
Tutek_OLD
New Contributor

Cannot connect to AD LDAPS

Hi,

I would like to configure an LDAPS connection to my domain controller. I installed the cert on AD and installed the CA cert on the Fortigate.

From any Windows PC using ldap.exe I have a secure connection to the DC on port 636.

The domain controller name is resolved by FQDN from the Fortigate, but when I create the connection using the secure option I get the error: "Can't contact LDAP server"

scerazy
New Contributor III

Well, every server would be behind firewall, at least its own one!

I could never get the firmware 7 to connect on 636 SSL, only 389 insecure works

Anybody any more useful ideas?

marchand
New Contributor III

You already checked that, I guess:

Possible issues

• Start TLS extended request

  LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.

• Multiple SSL certificates

  Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.

• Pre-SP3 SSL certificate caching issue

  If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate.
Tutek_OLD

On port 3269 I also get an error when connecting.

And the connection from the ldp.exe program is successful; it tells me that the domain controller accepts the SSL connection:

TecnetRuss

If you're using "samaccountname", try changing Bind Type to "Regular" and then specifying a Username for a domain user account (e.g. domain user "fortigate_ldap" - doesn't have to be domain admin) in the format "CN=fortigate_ldap,OU=....,DC=....,DC=....,DC=...

You can leave the Certificate field blank.

Russ

Tutek_OLD

You mean this way? Still can't connect. I have to select a certificate; I cannot set an empty one.

     

Hosemacht

Hey there,

Don't set a certificate (leave it empty) and then try again.

Regards

sudo apt-get-rekt

Tutek_OLD

Please tell me why, when I select CA_Certificate on my LDAPS connection, I get this error:

Are my uploaded CA_Certificates wrong?

TR
New Contributor

Can you run a capture to confirm that the tcp/636 packets are being issued by the Fortigate and are being received by the domain controller? This could be done either by installing Wireshark on the DC or possibly by running a packet capture directly on the firewall itself.

sc2111
New Contributor

Hi all,

We're experiencing the same issue.

Internal Microsoft CA. CA certificate imported into the Fortigate. Configured LDAPS as per the KB with port 636 and the CA certificate.

Got the error "Cannot connect to ldap server".

Has anyone found a solution?

clicerioneto
New Contributor

Hi,

Via the CLI, you can try to disable the parameter "server-identity-check" in the LDAP configuration.
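Before disabling that check, it is worth knowing whether it is the thing failing. The script below is an added diagnostic (not from this thread or from Fortinet): it fetches the certificate the DC presents on tcp/636, verifies the chain against the CA file that was uploaded to the firewall, and then tests whether the name typed into the LDAP server field would pass a FortiGate-style server identity check (DNS SAN, CN fallback, IP SAN for IP literals). The host name and CA path are constructed placeholders.

```python
"""Added diagnostic for the LDAPS failure discussed above: chain check against
the uploaded CA plus an identity check of the configured server name.
Host names and the CA path are constructed placeholders, not real values."""
import ipaddress
import socket
import ssl

def cert_names(cert: dict) -> tuple[list[str], list[str]]:
    """DNS and IP names from subjectAltName (getpeercert() layout); CN only if no DNS SAN."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower().rstrip(".") for t, v in san if t == "DNS"]
    ips = [v for t, v in san if t == "IP Address"]
    if not dns:  # legacy certificate without a SAN: fall back to the subject CN
        dns = [v.lower() for rdn in cert.get("subject", ()) for a, v in rdn if a == "commonName"]
    return dns, ips

def identity_matches(cert: dict, server: str) -> bool:
    """True if `server`, as typed into the LDAP server field, is covered by the cert."""
    dns, ips = cert_names(cert)
    try:  # an IP literal only ever matches an IP Address SAN, never a DNS name
        return ipaddress.ip_address(server) in [ipaddress.ip_address(i) for i in ips]
    except ValueError:
        pass  # not an IP literal, compare as a DNS name
    server = server.lower().rstrip(".")
    for name in dns:
        if name.startswith("*."):
            suffix = name[1:]  # a wildcard covers exactly one left-most label
            if server.endswith(suffix) and "." not in server[:-len(suffix)]:
                return True
        elif name == server:
            return True
    return False  # e.g. a short host name when the cert only carries the FQDN

def diagnose_ldaps(server: str, ca_file: str, port: int = 636) -> str:
    """Connect over TLS, verify the chain against ca_file, then run the name check."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # chain is still verified; name mismatch is reported below
    try:
        with socket.create_connection((server, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=server) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return f"chain does not verify against {ca_file}: {exc.verify_message}"
    except OSError as exc:
        return f"no TLS connection to {server}:{port}: {exc}"
    if identity_matches(cert, server):
        return "ok: chain verifies and the server name is in the certificate"
    return f"identity check would fail: cert names {cert_names(cert)} do not cover {server}"
```

Run it as `diagnose_ldaps("dc01.corp.example", "/tmp/corp-ca.pem")` (constructed values) from a host that can reach the DC; a "chain does not verify" result points at the CA import, an "identity check would fail" result at the server name, and a "no TLS connection" result at the path or port that the packet capture suggested above would confirm.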
