Support Forum
mhaneke

EMS cloud: Registration attempt by Endpoint [] was denied due to LDAP authentication failed

Hello,

I have problems authenticating AD users in a newly installed FortiClient (Win11) connected to FortiClient EMS cloud 7.2.4.


In EMS cloud the log file reads:

EMS Service
Registration attempt by Endpoint [] was denied due to LDAP authentication failure for user "user.name". Server: xx-xxxxx.local, Reason: Authentication error


I do not understand why the endpoint is specified with an empty name "[]" in the log file, because it is a domain member PC which is listed under "Endpoints -> Domains -> <xx-xxxxx>".


Is there a way in EMS cloud to debug that problem? The log level is already set to debug, but the debug logs which I generated did not show why there is an authentication problem.


The following part has been edited on 2024/04/18:

The connection between EMS cloud and the on-premise FortiClientEMSADConnector worked once. I could see the AD devices, but not the users. This worked for some days, but I was still not able to log in to FortiClient 7.2.4, neither with an invitation code nor with my domain logon credentials, to get a profile.


When I try to expand the OU of the domain in FortiCloud EMS, it now runs into a timeout.

However, I noticed that the AD connector in FortiClient EMS cloud seems to run without problems (green symbol).


But the log file of the on-premise FortiClientEMSADConnector reads (I translated the error messages):


2024-04-18T00:10:55.647+0200 ERROR connector/adconnector_service.go:313 error on consuming streams EC6YYY8Y-8YYA-YCYE-BYYY6-YYYYYYY795::default::6YYY22YY-3YYE-4YY7-YBY1-9YYY54YYAY5::stream: error reading full buffer: read tcp 172.16.2.20:64087->123.456.789.123:443: wsarecv: A connection attempt failed because the remote site did not respond properly after a certain period of time, or the connection established was incorrect because the connected host did not respond.
2024-04-18T00:10:55.938+0200 INFO connector/sync_hdlr.go:129 [site:default][host:172.16.2.20]: Starting enumeration of DC=xx-xxxxx,DC=local (LDAP ID 1)
2024-04-18T00:10:56.097+0200 INFO connector/sync_hdlr.go:153 [site:default][host:172.16.2.20]: Handle domain sync request with sync OUs [OU=UNITS,OU=Berlin,DC=xx-xxxxx,DC=local OU=Notebook,OU=COMPUTER,OU=Berlin,DC=xx-xxxxx,DC=local OU=Server,OU=COMPUTER,OU=Berlin,DC=xx-xxxxx,DC=local]
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:339 [site:default][host:172.16.2.20]: Enumerated Groups: total: 10, add: 0, update: 0, delete: 0
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:340 [site:default][host:172.16.2.20]: Enumerated AdItems: total: 23, add: 0, update: 0, delete: 0
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:349 [site:default][host:172.16.2.20]: Enumerated Users: total: 21, add: 0, update: 0, delete: 0


I am a little desperate because Support has been "researching" the error since 2024/04/02, and the only valuable response I had was "..suspecting an internal bug 0987990 and bug 0870207. We will research on it.." But that was 6 days ago, and in between I got messages like "Thank You for Your patience."

If I had been researching a problem for more than 14 days, I bet I would have found a solution for a customer.


Best regards,

Martin

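A small triage script, added here as an example (it is not Fortinet's code and not from this thread), that reads lines in the connector log format quoted above and separates the stream transport error towards the cloud from the LDAP enumeration results, which is the distinction the quoted log hints at: AD enumeration succeeds while the connection to the EMS cloud endpoint on port 443 times out. The sample log, stream IDs and addresses in it are constructed placeholders.

```python
import re

# Constructed sample in the FortiClientEMSADConnector log format shown above
# (stream IDs, domain and addresses are placeholders, not real values).
SAMPLE_LOG = """\
2024-04-18T00:10:55.647+0200 ERROR connector/adconnector_service.go:313 error on consuming streams STREAM-ID::default::SUB-ID::stream: error reading full buffer: read tcp 172.16.2.20:64087->203.0.113.10:443: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time.
2024-04-18T00:10:55.938+0200 INFO connector/sync_hdlr.go:129 [site:default][host:172.16.2.20]: Starting enumeration of DC=example,DC=local (LDAP ID 1)
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:339 [site:default][host:172.16.2.20]: Enumerated Groups: total: 10, add: 0, update: 0, delete: 0
2024-04-18T00:10:56.249+0200 INFO connector/sync_hdlr.go:349 [site:default][host:172.16.2.20]: Enumerated Users: total: 21, add: 0, update: 0, delete: 0
"""

# <timestamp> <LEVEL> <go source:line> <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<src>\S+) (?P<msg>.*)$")
# Go net error text: "read tcp <local>-><peer>: <syscall>: ..."
TCP_RE = re.compile(r"read tcp (?P<local>\S+)->(?P<peer>\S+): (?P<call>\w+):")
ENUM_RE = re.compile(r"Enumerated (?P<kind>\w+): total: (?P<total>\d+), add: (?P<add>\d+), "
                     r"update: (?P<update>\d+), delete: (?P<delete>\d+)")

def parse_line(line):
    """Split one connector log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Separate connector-to-cloud transport failures from LDAP enumeration results."""
    stream_errors, enumerated = [], {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "ERROR":
            t = TCP_RE.search(rec["msg"])
            if t:  # the connector could not read from its stream to the cloud peer
                stream_errors.append({"ts": rec["ts"], "peer": t["peer"], "call": t["call"]})
        e = ENUM_RE.search(rec["msg"])
        if e:  # LDAP enumeration against the on-premise DC completed for this object kind
            enumerated[e["kind"]] = {k: int(e[k]) for k in ("total", "add", "update", "delete")}
    ldap_ok = any(v["total"] > 0 for v in enumerated.values())
    if stream_errors and ldap_ok:
        verdict = "ldap-ok-cloud-unreachable"   # AD is fine; outbound path to the cloud peer is not
    elif stream_errors:
        verdict = "cloud-unreachable"
    elif enumerated:
        verdict = "ldap-ok"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "stream_errors": stream_errors, "enumerated": enumerated}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A verdict of "ldap-ok-cloud-unreachable" points at the connector's outbound TCP/443 path to the peer listed in the error rather than at LDAP, which is worth checking before chasing the EMS-side authentication message.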
AEK

It's my pleasure.
