Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
EMSQuestion
New Contributor

Forticlient SSL VPN with SAML error -7200 at 48%

Hi,

 

I have recently setup SAML auth with Azure AD but cant get it to work via Forticlient.  

 

Users can login to the webportal and auth using SSO successfully, its just Forticlient that fails.

 

When users try to connect via Forticlient they are directed to the correct Microsoft Login URL and can successfully auth with their Azure creds(including MFA) but after accepting the MFA prompt Forticlient stops at 48% and shows "Credential or SSLVPN configuration is wrong (-7200)".  

Checking the SSL-VPN Monitor in the Forti shows the user as being connected but only with "Web Connections" instead of "Tunnel Connections"

 

It almost like when authenticating Forticlient cant find the user in a User Group so assigned it to the Web-access portal

 

Running Forticlient 7.0 and firmware 7.0.1 on the Forti

 

There is a post on Reddit about the SLL-VPN certificate key length having to be 2048 but we are using a certificate with a key length of 4096.

 

CONFIG BELOW (using example FQDN)

--------------------------------------------------------

config user saml
edit "azure-saml"
set cert "Fortinet"
set entity-id "https://example-company.com:10443/remote/saml/metadata"
set single-sign-on-url "https://example-company.com:10443/remote/saml/login"
set single-logout-url "https://example-company.com:10443/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/YYY-e027-4bb6-a213-XXX/"
set idp-single-sign-on-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
set idp-cert "Azure_SAML"
set user-name "username"
set group-name "group"
next
end

config user group
edit "SAML_AZ_ALL"
set member "azure-saml"
config match
edit 1
set server-name "azure-saml"
set group-name "YYY-a79a-40f0-a2df-XXX" (Object ID of my Azure group)
next
end
next
end
 

17 REPLIES 17
rina5392
New Contributor

Good day, did you figure this out, i have the exact same problem 

ls_mark

I also have same issues on Windows FortiClient Only, same user working on MacOS FortiClient.

simonorch

If you suspect a group mismatch issue, this recent kb article is really good

 

https://kb.fortinet.com/k...=1%200%20262768462%27)

 

 

NSE8
Fortinet Expert partner - Norway

NSE8Fortinet Expert partner - Norway
rvarajao
New Contributor

hello, did you find the cause for this issue?

VinayHM
Staff
Staff

Please check saml d logs, is there any clock skew error in the logs?

And please update the complete version of forticlient.

Vinay HM
LucianoCastillo
New Contributor II

Out of our 3000 users, only 5 have reported experiencing this issue. Any idea ?

VinayHM

Hi

 

can you please check in the sslvpn and fnbamd logs that the user getting matched group?

Vinay HM
LucianoCastillo

I have identified the root cause of the problem. The system administrator had created a security group and added certain users to it. However, these users were facing issues while using VPN. Upon investigation, I discovered that the group had too many permissions which were causing conflicts with Forticlient. I promptly requested the system administrator to delete the group to resolve the issue.

 

This issue can occur in various situations, not just one.

ScooterSG1

We are experiencing the same issue.  When you say that "the group" had too many permissions causing conflicts, was this the group used for the SSLVPN membership or was it just another group in their Azure environment that those users being impacted were also members of?  Any more details that might help us?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors