Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek_OLD
New Contributor

Created on ‎03-12-2021 09:47 AM

Cannot connect to AD LDAPS

Hi,

I would to configure LDAPS connection to my domain controller, installed cert on AD, installed CA cert on Fortigate,

from any windows PC using ldap.exe I have secure connection to DC on port 636.

Domain controller name is resolved by FQDN from Fortigate, but when I create connection using secure option I get error : " Can't contact LDAP server" 

 

23581
0 Kudos
26 REPLIES 26
orech
New Contributor

Created on ‎05-27-2022 04:21 AM Edited on ‎05-27-2022 04:25 AM

You probably use IP address of LDAP server. Try to use DNS name of LDAP server instead of IP address. This was my case but I didn't read carefully "name is resolved by FQDN from Fortigate". 

2982
FG_MS
New Contributor
In response to orech

Created on ‎09-12-2022 01:54 AM

In my case this helped. I had exactly the same porblem. I changed the IP to FQDN and it works.

 

2147
0 Kudos
warshad
Staff
Staff

Created on ‎05-29-2022 04:22 PM

Hi Tutek,

 

Please make sure if you receiving any traffic at Fortigate interface. You can test it in a different way.

 

Does the ping work?

If not, run a sniffer as follows:

diag sniffer packet any 'host <LDAP-IP>' 4 0 a

It will show you, if there is traffic, on which interface this is leaving and what traffic this might be. ICMP should at least leave the FortiGate (and hopefully getting a response as well).

If you are sure which interface, the traffic must exit:

diag sniffer packet <interface> 4 0 a

Then leave this running for some time. You might see arp requests for the IP that are not getting responses.

 

 

Waqas Arshad
Fortinet
2478
0 Kudos
ahmadswa
New Contributor II

Created on ‎07-03-2022 03:12 AM

Hi All,

 

i am facing the same issue, has anyone figured it out?

 

 

2372
0 Kudos
warshad
Staff
Staff

Created on ‎07-03-2022 06:33 AM

Hi,

 

Do you see any traffic at Fortigate interface? Please run siniffer as follows:

diag sniffer packet any 'host <LDAP-IP>' 4 0 a

 

Waqas Arshad
Fortinet
2362
0 Kudos
ahmadswa
New Contributor II
In response to warshad

Created on ‎07-03-2022 11:41 PM Edited on ‎07-03-2022 11:48 PM

Hi Wardshad,

 

Thank you for your reply, there is a traffc since i have already connected it by LDAP

only LDAPS is not working properly

i have uploaded the CA Certificate of the Domain Controller on the firewall, Although setting the Certificate option to "Empty" results in "Can't contact LDAP server"

 

find screenshots below

 

Thanks in advance2022-07-04_093748.jpg2022-07-04_093634.jpg2022-07-04_093615.jpg

2022-07-04_094158.jpg

2356
0 Kudos
manitc
New Contributor

Created on ‎10-21-2022 08:08 PM

In my case, the DC was behind a firewall. I had to open ports tcp/636 and 3269. 

2004
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.