Hello,
I have problems authenticating AD users in a newly installed FortiClient (Win11) connected to FortiClient EMS cloud 7.2.4.
In EMS cloud the logfile reads:
EMS Service
Registration attempt by Endpoint [] was denied due to LDAP authentication failure for user "user.name". Server: xx-xxxxx.local, Reason: Authentication error
I do not understand why the endpoint is specified with an empty name "[]" in the logfile, because it is a domain member PC which is listed under "Endpoints -> Domains -> <xx-xxxxx>".
Is there an opportunity in EMS cloud to debug that problem? The log level is already set to debug, but the debug logs which I generated did not show why there is an authentication problem.
The following part has been edited on 2024/04/18:
The connection between EMS cloud and the FortiClientEMSADConnector on premise worked once. I could see the AD devices, but not the users. This worked for some days. But I was still not able to log in to FortiClient 7.2.4, neither with an invitation code nor with my domain logon credentials, to get a profile.
When I tried to expand the OU of the domain in FortiCloud EMS, it now runs into a timeout.
However, I noticed that the AD connector in FortiClient EMS cloud seems to run without problems (green symbol).
But the logfile of the FortiClientEMSADConnector on premise reads (I translated the error messages):
2024-04-18T00:10:55.647+0200 ERROR connector/adconnector_service.go:313 error on consuming streams EC6YYY8Y-8YYA-YCYE-BYYY6-YYYYYYY795::default::6YYY22YY-3YYE-4YY7-YBY1-9YYY54YYAY5::stream: error reading full buffer: read tcp 172.16.2.20:64087->123.456.789.123:443: wsarecv: A connection attempt failed because the remote site did not respond properly after a certain period of time, or the connection established was incorrect because the connected host did not respond.
2024-04-18T00:10:55.938+0200 INFO connector/sync_hdlr.go:129 [site:default][host:172.16.2.20]: Starting enumeration of DC=xx-xxxxx,DC=local (LDAP ID 1)
2024-04-18T00:10:56.097+0200 INFO connector/sync_hdlr.go:153 [site:default][host:172.16.2.20]: Handle domain sync request with sync OUs [OU=UNITS,OU=Berlin,DC=xx-xxxxx,DC=local OU=Notebook,OU=COMPUTER,OU=Berlin,DC=xx-xxxxx,DC=local OU=Server,OU=COMPUTER,OU=Berlin,DC=xx-xxxxx,DC=local]
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:339 [site:default][host:172.16.2.20]: Enumerated Groups: total: 10, add: 0, update: 0, delete: 0
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:340 [site:default][host:172.16.2.20]: Enumerated AdItems: total: 23, add: 0, update: 0, delete: 0
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:349 [site:default][host:172.16.2.20]: Enumerated Users: total: 21, add: 0, update: 0, delete: 0
I am a little desperate because Support has been "researching" the error since 2024/04/02, and the only valuable response I had was "..suspecting an internal bug 0987990 and bug 0870207. We will research on it.." But that was 6 days ago, and in between I got messages like "Thank You for Your patience."
If I were researching a problem more than 14 days I bet I would have found a solution for a customer.
best regards
Martin
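As an added example (not part of this thread and not a Fortinet tool), the following Python triages log lines shaped like the two quoted above: it pulls the peer address and port out of the connector's `wsarecv` transport error, collects the "Enumerated ..." counters, and parses the EMS denial line so that an empty endpoint name can be flagged automatically. The sample lines are constructed, with tenant and stream identifiers, host names and IP addresses replaced by placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the ones quoted in the thread.
# TENANT-ID, STREAM-ID, 203.0.113.10 and example.local are placeholders.
SAMPLE_CONNECTOR_LOG = """\
2024-04-18T00:10:55.647+0200 ERROR connector/adconnector_service.go:313 error on consuming streams TENANT-ID::default::STREAM-ID::stream: error reading full buffer: read tcp 172.16.2.20:64087->203.0.113.10:443: wsarecv: A connection attempt failed because the remote site did not respond properly after a certain period of time, or the connection established was incorrect because the connected host did not respond.
2024-04-18T00:10:55.938+0200 INFO connector/sync_hdlr.go:129 [site:default][host:172.16.2.20]: Starting enumeration of DC=example,DC=local (LDAP ID 1)
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:339 [site:default][host:172.16.2.20]: Enumerated Groups: total: 10, add: 0, update: 0, delete: 0
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:349 [site:default][host:172.16.2.20]: Enumerated Users: total: 21, add: 0, update: 0, delete: 0
"""

SAMPLE_EMS_LOG = """\
Registration attempt by Endpoint [] was denied due to LDAP authentication failure for user "user.name". Server: dc01.example.local, Reason: Authentication error
Registration attempt by Endpoint [PC-0042] was denied due to LDAP authentication failure for user "jane.doe". Server: dc01.example.local, Reason: Authentication error
"""

# <timestamp> <LEVEL> <source-file:line> <message>
CONNECTOR_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
# Go net package style "read tcp local->remote" fragment inside the message
TCP_RE = re.compile(r"read tcp (?P<local>[\d.]+:\d+)->(?P<remote>[\d.]+):(?P<port>\d+)")
ENUM_RE = re.compile(
    r"Enumerated (?P<kind>\w+): total: (?P<total>\d+), add: (?P<add>\d+), "
    r"update: (?P<update>\d+), delete: (?P<delete>\d+)"
)
EMS_RE = re.compile(
    r'Registration attempt by Endpoint \[(?P<endpoint>[^\]]*)\] was denied due to '
    r'(?P<cause>.+?) for user "(?P<user>[^"]+)"\. Server: (?P<server>[^,]+), '
    r"Reason: (?P<reason>.+)$"
)


@dataclass
class ConnectorEvent:
    ts: str
    level: str
    src: str
    msg: str
    remote: Optional[str] = None  # "ip:port" of the peer, if the message names one


def parse_connector_log(text: str) -> List[ConnectorEvent]:
    """Split connector output into events and extract the peer of any socket error."""
    events = []
    for line in text.splitlines():
        m = CONNECTOR_RE.match(line)
        if not m:
            continue  # continuation or unrelated line; skip rather than guess
        ev = ConnectorEvent(m["ts"], m["level"], m["src"], m["msg"])
        t = TCP_RE.search(ev.msg)
        if t:
            ev.remote = f"{t['remote']}:{t['port']}"
        events.append(ev)
    return events


def find_transport_errors(text: str) -> List[Tuple[str, int]]:
    """(remote_ip, port) for ERROR events caused by a socket-level read failure."""
    out = []
    for ev in parse_connector_log(text):
        if ev.level == "ERROR" and "wsarecv" in ev.msg and ev.remote:
            ip, port = ev.remote.rsplit(":", 1)
            out.append((ip, int(port)))
    return out


def enumeration_counts(text: str) -> Dict[str, Dict[str, int]]:
    """Map object kind (Groups, Users, ...) to its total/add/update/delete counters."""
    counts = {}
    for ev in parse_connector_log(text):
        m = ENUM_RE.search(ev.msg)
        if m:
            counts[m["kind"]] = {k: int(m[k]) for k in ("total", "add", "update", "delete")}
    return counts


def parse_ems_denials(text: str) -> List[dict]:
    """Parse EMS 'Registration attempt ... was denied' lines; flag empty endpoint names."""
    out = []
    for line in text.splitlines():
        m = EMS_RE.search(line)
        if m:
            d = m.groupdict()
            d["endpoint_missing"] = d["endpoint"].strip() == ""
            out.append(d)
    return out


def triage(connector_text: str, ems_text: str) -> List[str]:
    """Human-readable findings combining both log sources."""
    findings = []
    peers = sorted(set(find_transport_errors(connector_text)))
    if peers:
        findings.append(f"connector stream read failed towards {peers}; check reachability on 443")
    for d in parse_ems_denials(ems_text):
        where = "empty endpoint name" if d["endpoint_missing"] else f"endpoint {d['endpoint']}"
        findings.append(f"denied {d['user']} ({where}) on {d['server']}: {d['reason']}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONNECTOR_LOG, SAMPLE_EMS_LOG):
        print(f)
```

Running it on the thread's own lines would list the EMS-side peer the connector could not read from and separate the denial with the empty endpoint name from denials that do carry a device name, which is the distinction the first post asks about.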
Hello Martin,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Martin,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello Martin,
Here the answer from one of our expert:
"1. Is the endpoint joined to Azure AD?
2. Please ask customer to review permissions assigned when integrating FortiClient EMS with Azure AD:
https://docs.fortinet.com/document/forticlient/7.2.0/new-features/792170/entra-id-integration-7-2-1 (To add Microsoft Graph API application permissions required for searching user groups)"
Regards,
Anthony
Hello Anthony,
No, this is an on-premise AD.
best regards
Martin Haneke
Hello Martin,
Thank you, I will forward your answer to our experts.
Regards,
@AEK @Toshi_Esumi , Do you have maybe an idea for helping Martin?
Thanks a lot in advance,
Regards,
Hello
I think it matches this known issue.
997697: EMS denies registration attempt by endpoint due to LDAP authentication failure.
Ref: https://docs.fortinet.com/document/forticlient/7.2.4/ems-release-notes/310815/known-issues
Last time I deployed EMS was 2 years ago so I don't remember well, but basically you should be able to use another registration method till the bug is fixed in future patch.
Hello @AEK and @Anthony_E ,
Thank you for your reply. But I attempted to onboard using an invitation code as well as AD logon credentials. Is there another method to onboard clients which I overlooked?
best regards
Martin
Thanks a lot Abdelkrim!