Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tarwoeb
New Contributor II

FortiOS 6.4 LDAPS with windows 2019

Does anyone have ldaps working with windows server 2019?  I'm running version 6.4.12 and had LDAPS working with windows 2016 without any issues and my server admin upgraded our DC to server 2019 and broke the ldaps connection from the fortigate.  I have unsecured port 389 working but can't get 636 to work.  With the previous configuration we we're using certificates we just had the secure option checked and it was working but now it won't work at all the the option.  I've tried using certificates by downloaded our CA from our certificate store to the gates and selecting the certificates on the configuration and still nothing. 

1 Solution
tarwoeb
New Contributor II

vsahu,

Thanks for your help on this I ran the debug and found that the issue was a TLS version mismatch.  Windows server 2019 doesn't support TLS version 1.3 and our security officer had enabled it on the server.  In the packet capture I could see that the firewall was offering tls1.3 as a support version and the server picked tls1.3 even though it's not supported on the server.  After verifying with Microsoft we turned off tls1.3 on the server and now the connection is working using tls1.2.

View solution in original post

8 REPLIES 8
ndumaj
Staff
Staff

Hi,

I should work, please ensure that you have properly uploaded the root CA on FGT and intermediate certs if you have in place.

Please review the following community link:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-LDAP-over-SSL-LDAPS/ta-p/18997...
What kind of error do you face?
PCAP should provide you more information.

BR

- Happy to help, hit like and accept the solution -
tarwoeb
New Contributor II

BR,

 

Thanks for the reply I'll try this.

kvimaladevi
Staff
Staff

Hi tarwoeb,

Could you help us with the below output to check the status of the port 636:

# get router info routing-table details x.x.x.x <<== LDAP srever IP@

# exec telnet x.x.x.x 636

Please use LDAPS (LDAP SSL, port 636)

Regards,
Vimala

tarwoeb
New Contributor II

Vimala,

Thanks for the reply but the issue is not due to routing I can ping the ldap server and port 389 is working but not 636.  Here are the results from the commands below I think the issue might be certificate related.  I'll try the certificate route and see if it fixes the issue.

Routing table for VRF=0
Routing entry for 10.0.0.0/8
Known via "static", distance 10, metric 0, best
* 10.1.0.3, via port33 distance 0

 

FW-SCF-FGT15K-HA01 # execute telnet 10.10.0.15 636
Trying 10.10.0.15...
Connected to 10.10.0.15.
Connection closed by foreign host.

vsahu
Staff
Staff

Hello tarwoeb,

 

If it's Ldaps generally the issue happens because of an incorrect Ldap CA certificate installed on the FortiGate. To install the correct certificate take a pcap between Fortigate and LDAP server, you can use GUI packet capture follow the below link else use CLI capture and convert it to pcap

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Packet-Capture-on-FortiOS-GUI/ta-p/1...

 

To convert the CLI capture follow the below guide, there is a tool 'fgt2eth.exe.12.2014.zip' attached at the bottom of the guide with the tool which can convert the sniffer text file to PCAP:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-diagnose-sniffer-packet-data...

 

Once you have the capture open it in Wireshark, export the certificate from pcap, follow below guide.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-extract-a-certificate-from-a-Wiresh...

 

Install the certificate on Fortigate and it should work, for reference check 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HTTPS-SSL-Certificate-Installati...

If the issue is still there, take the below debug and share.


diag debug reset
diag debug enable

diag debug application fnbamd -1

Regards,
Vishal
tarwoeb
New Contributor II

So, I've tried all the options on here and I still can get this to work.  I was able to get the error with the debug and it's showing a ssl version mismatch on the firewall I set the min-ssl to tls1-2 and there's no option for tls1-3.  In the firewall hello to the server it's offering tls 1.3 and the server is trying to use tls1.3 but for some reason the firewall is not recognizing tls1.3.  I have a test server running MS 2016 and the hello from the firewall is tls1.2 and this works using the same certificates with no issues.  Is there a was to force the fortigate to use tls1.2 instead of 1.3?  I'm running FortiOS 6.4.13 and I don't get the option to set max-ssl version. Here's the error from the debug.  __ldap_connect-tcps_connect(10.10.0.15) failed: ssl_connect() failed: 336130315 (error:1408F10B:SSL routines:ssl3_get_record:wrong version number)

tarwoeb
New Contributor II

vsahu,

Thanks for your help on this I ran the debug and found that the issue was a TLS version mismatch.  Windows server 2019 doesn't support TLS version 1.3 and our security officer had enabled it on the server.  In the packet capture I could see that the firewall was offering tls1.3 as a support version and the server picked tls1.3 even though it's not supported on the server.  After verifying with Microsoft we turned off tls1.3 on the server and now the connection is working using tls1.2.

vsahu

Glad you were able to resolve it.

Regards,
Vishal
Top Kudoed Authors