Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhaneke
Contributor

EMS cloud: Registration attempt by Endpoint [] was denied due to LDAP authentication failed

Hello,

I have problems to authenticate AD users in a newly installed Forticlient (Win11) connected to FortiClient EMS cloud 7.2.4.

 

In EMS cloud the logfile reads:

EMS Service
Registration attempt by Endpoint [] was denied due to LDAP authentication failure for user "user.name". Server: xx-xxxxx.local, Reason: Authentication error

 

I do not understand, why the Endpoint is specified as empty name " []" in the logfile. Because it is a Domainmember PC which is listed under "Endpoints -> Domains -> <xx-xxxxx>

 

Is there an opportunity in EMS cloud to debug that problem? Loglevel is already set to debug but the debug logs which I generated did not show why there is an authentication problem.

 

The following part has been edited on 2024/04/18:

The connection between EMS cloud and the FortiClientEMSADConnector on premise worked once. I could see the AD devices, but not the users. This worked for some days. But I was still not able to login to Forticlient 7.2.4 neither with invitation code nor with my Domain logon credentials to get a profile.

 

When I tried to expand the OU of the Domain in Forticloud EMS it now runs into a timeout.

Although I noticed that ADS connector in Forticlient EMS cloud seems to run without problems (Green symbol).

 

But the logfile of the FortiClientEMSADConnector on premise reads (I translated the error messages):

 

2024-04-18T00:10:55.647+0200 ERROR connector/adconnector_service.go:313 error on consuming streams EC6YYY8Y-8YYA-YCYE-BYYY6-YYYYYYY795::default::6YYY22YY-3YYE-4YY7-YBY1-9YYY54YYAY5::stream: error reading full buffer: read tcp 172.16.2.20:64087->123.456.789.123:443: wsarecv: A connection attempt failed because the remote site did not respond properly after a certain period of time, or the connection established was incorrect because the connected host did not respond.
2024-04-18T00:10:55.938+0200 INFO connector/sync_hdlr.go:129 [site:default][host:172.16.2.20]: Starting enumeration of DC=xx-xxxxx,DC=local (LDAP ID 1)
2024-04-18T00:10:56.097+0200 INFO connector/sync_hdlr.go:153 [site:default][host:172.16.2.20]: Handle domain sync request with sync OUs [OU=UNITS,OU=Berlin,DC=xx-xxxxx,DC=local OU=Notebook,OU=COMPUTER,OU=Berlin,DC=xx-xxxxx,DC=local OU=Server,OU=COMPUTER,OU=Berlin,DC=xx-xxxxx,DC=local]
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:339 [site:default][host:172.16.2.20]: Enumerated Groups: total: 10, add: 0, update: 0, delete: 0
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:340 [site:default][host:172.16.2.20]: Enumerated AdItems: total: 23, add: 0, update: 0, delete: 0
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:349 [site:default][host:172.16.2.20]: Enumerated Users: total: 21, add: 0, update: 0, delete: 0

 

I am a little desparate because Support is "researching" the error since 2024/04/02 and the only valuable response I had was "..suspecting an internal bug 0987990 and bug 0870207. We will research on it.." But that was 6 days ago and in between I got messages like "Thank You for Your patience."

If I were researching a problem more than 14 days I bet I would have found a solution for a customer.

 

best regards

Martin

 

best regards
Martin
best regardsMartin
10 REPLIES 10
Anthony_E
Community Manager
Community Manager

Hello Martin,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Martin,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Martin,

 

Here the answer from one of our expert:

 

"

1. Is the endpoint joined to Azure AD?

 

2. Please ask customer to review permissions assigned when integrating FortiClient EMS with Azure AD:

https://docs.fortinet.com/document/forticlient/7.2.0/new-features/792170/entra-id-integration-7-2-1 (To add Microsoft Graph API application permissions required for searching user groups::(

 

Regards,

Anthony

Anthony-Fortinet Community Team.
mhaneke

Hello Anthony,

 

no, this is a on-premise AD.

 

best regards

Martin Haneke

 

best regards
Martin
best regardsMartin
Anthony_E
Community Manager
Community Manager

Hello Martin,

 

Thank you, I will forward your answer to our experts.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

@AEK @Toshi_Esumi , Do you have maybe an idea for helping Martin?

 

Thanks a lot in advance,

Regards,

Anthony-Fortinet Community Team.
AEK
SuperUser
SuperUser

Hello

I think it matches this known issue.

997697EMS denies registration attempt by endpoint due to LDAP authentication failure.

 

Ref: https://docs.fortinet.com/document/forticlient/7.2.4/ems-release-notes/310815/known-issues

 

Last time I deployed EMS was 2 years ago so I don't remember well, but basically you should be able to use another registration method till the bug is fixed in future patch.

AEK
AEK
mhaneke

Hello @AEK and @Anthony_E ,

 

thank You for Your reply. But I attemped to onboard using invitation code as well as AD logon credentials. Is there another method to onboard clients which I overlooked?

 

best regards

Martin

best regards
Martin
best regardsMartin
Anthony_E
Community Manager
Community Manager

Thanks a lot Abdelkrim!

Anthony-Fortinet Community Team.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors