Does anyone have ldaps working with windows server 2019? I'm running version 6.4.12 and had LDAPS working with windows 2016 without any issues and my server admin upgraded our DC to server 2019 and broke the ldaps connection from the fortigate. I have unsecured port 389 working but can't get 636 to work. With the previous configuration we we're using certificates we just had the secure option checked and it was working but now it won't work at all the the option. I've tried using certificates by downloaded our CA from our certificate store to the gates and selecting the certificates on the configuration and still nothing.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
vsahu,
Thanks for your help on this I ran the debug and found that the issue was a TLS version mismatch. Windows server 2019 doesn't support TLS version 1.3 and our security officer had enabled it on the server. In the packet capture I could see that the firewall was offering tls1.3 as a support version and the server picked tls1.3 even though it's not supported on the server. After verifying with Microsoft we turned off tls1.3 on the server and now the connection is working using tls1.2.
Hi,
I should work, please ensure that you have properly uploaded the root CA on FGT and intermediate certs if you have in place.
Please review the following community link:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-LDAP-over-SSL-LDAPS/ta-p/18997...
What kind of error do you face?
PCAP should provide you more information.
BR
BR,
Thanks for the reply I'll try this.
Hi tarwoeb,
Could you help us with the below output to check the status of the port 636:
# get router info routing-table details x.x.x.x <<== LDAP srever IP@
# exec telnet x.x.x.x 636
Please use LDAPS (LDAP SSL, port 636)
Regards,
Vimala
Vimala,
Thanks for the reply but the issue is not due to routing I can ping the ldap server and port 389 is working but not 636. Here are the results from the commands below I think the issue might be certificate related. I'll try the certificate route and see if it fixes the issue.
Routing table for VRF=0
Routing entry for 10.0.0.0/8
Known via "static", distance 10, metric 0, best
* 10.1.0.3, via port33 distance 0
FW-SCF-FGT15K-HA01 # execute telnet 10.10.0.15 636
Trying 10.10.0.15...
Connected to 10.10.0.15.
Connection closed by foreign host.
Hello tarwoeb,
If it's Ldaps generally the issue happens because of an incorrect Ldap CA certificate installed on the FortiGate. To install the correct certificate take a pcap between Fortigate and LDAP server, you can use GUI packet capture follow the below link else use CLI capture and convert it to pcap
To convert the CLI capture follow the below guide, there is a tool 'fgt2eth.exe.12.2014.zip' attached at the bottom of the guide with the tool which can convert the sniffer text file to PCAP:
Once you have the capture open it in Wireshark, export the certificate from pcap, follow below guide.
Install the certificate on Fortigate and it should work, for reference check
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HTTPS-SSL-Certificate-Installati...
If the issue is still there, take the below debug and share.
diag debug reset
diag debug enable
diag debug application fnbamd -1
So, I've tried all the options on here and I still can get this to work. I was able to get the error with the debug and it's showing a ssl version mismatch on the firewall I set the min-ssl to tls1-2 and there's no option for tls1-3. In the firewall hello to the server it's offering tls 1.3 and the server is trying to use tls1.3 but for some reason the firewall is not recognizing tls1.3. I have a test server running MS 2016 and the hello from the firewall is tls1.2 and this works using the same certificates with no issues. Is there a was to force the fortigate to use tls1.2 instead of 1.3? I'm running FortiOS 6.4.13 and I don't get the option to set max-ssl version. Here's the error from the debug. __ldap_connect-tcps_connect(10.10.0.15) failed: ssl_connect() failed: 336130315 (error:1408F10B:SSL routines:ssl3_get_record:wrong version number)
vsahu,
Thanks for your help on this I ran the debug and found that the issue was a TLS version mismatch. Windows server 2019 doesn't support TLS version 1.3 and our security officer had enabled it on the server. In the packet capture I could see that the firewall was offering tls1.3 as a support version and the server picked tls1.3 even though it's not supported on the server. After verifying with Microsoft we turned off tls1.3 on the server and now the connection is working using tls1.2.
Glad you were able to resolve it.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.