Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek_OLD
New Contributor

Created on ‎03-12-2021 09:47 AM

Cannot connect to AD LDAPS

Hi,

I would to configure LDAPS connection to my domain controller, installed cert on AD, installed CA cert on Fortigate,

from any windows PC using ldap.exe I have secure connection to DC on port 636.

Domain controller name is resolved by FQDN from Fortigate, but when I create connection using secure option I get error : " Can't contact LDAP server" 

 

27928
0 Kudos
26 REPLIES 26
scerazy
New Contributor III
In response to Magion

Created on ‎03-02-2023 01:21 AM

Well, every server would be behind firewall, at least its own one!

I could never get the firmware 7 to connect on 636 SSL, only 389 insecure works

Anybody any more useful ideas?

4081
0 Kudos
marchand
New Contributor III
In response to Tutek_OLD

Created on ‎03-13-2021 01:36 AM

 

You already checked that, I guess :

 

Possible issues

[ul]

  • Start TLS extended request

    LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.

  • Multiple SSL certificates

    Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.

  • Pre-SP3 SSL certificate caching issue

    If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate

    [/ul]
    • 7622
    0 Kudos
    Tutek_OLD
    New Contributor
    In response to marchand

    Created on ‎03-13-2021 01:41 AM

    on port 3269 I have also error when connecting.

     

    and connection from ldp.exe program, is successful, give me info that domain controller accept SSL connection:

    7622
    0 Kudos
    TecnetRuss
    Contributor
    In response to Tutek_OLD

    Created on ‎03-13-2021 04:35 PM

    If you're using "samaccountname" try changing Bind Type to "Regular" and then specifying a Username for a domain user account (e.g. domain user "fortigate_ldap" - doesn't have to be domain admin) in format "CN=fortigate_ldap,OU=....,DC=....,DC=....,DC=...

     

    You can leave the Certificate field blank.

     

    Russ

    7622
    0 Kudos
    Tutek_OLD
    New Contributor
    In response to TecnetRuss

    Created on ‎03-14-2021 11:30 PM

    You mean this way? Still can't connect. I need to check any certificate, I can not set empty one.

     

    7622
    0 Kudos
    Hosemacht
    Contributor II
    In response to Tutek_OLD

    Created on ‎03-15-2021 12:10 AM

    Hey there,

     

    don't set a certificate(leave it empty) and then try again.

     

    Regards

    sudo apt-get-rekt

    sudo apt-get-rekt
    7622
    0 Kudos
    Tutek_OLD
    New Contributor
    In response to Hosemacht

    Created on ‎03-15-2021 11:24 PM

    Please tell me why when I select Ca_Certificate on my LDAPS connection I have this error:

    My uploaded CA_Certificates are wrong?

    7622
    0 Kudos
    TR
    New Contributor
    In response to Tutek_OLD

    Created on ‎04-20-2021 03:29 AM

    Can you run a capture to confirm that the tcp/636 packets are being issued by the Fortigate and are being received by the domain controller?  This could be done either by installing wireshark on the DC or possibly by running a packet capture directly on the firewall itself

    7622
    0 Kudos
    sc2111
    New Contributor
    In response to TR

    Created on ‎07-07-2021 03:49 AM

    Hi all

    we're experiencing the same issue.

    Internal CA microsoft. CA Certificate imported into Fortigate. Configured LDAPS as per KB with port 636 and CA certificate.

    Got the error Cannot connect to ldap server.

    Has anyone found a solution?

     

    7622
    0 Kudos
    clicerioneto
    New Contributor

    Created on ‎07-13-2021 12:05 PM

    Hi,

     

    Via CLI, you can try to disable the parameter "server-identity-check" in LDAP configuration.

    7622
    0 Kudos
    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2024 Fortinet, Inc. All Rights Reserved.