Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Forticlient and LDAPS



Until now, my LDAP servers were configured for working on port 389.

My User group linked to my LDAP Servers is configured to Any.


The problem is when a password expired for a domain user, my user is blocked because he cannot update it by Forticlient. So, I seted-up LDAPS thanks to this procedure


I created a new LDAP server configured to port 636 and linked to my domain cert exported from my AD My user group is linked to this new LDAPS server and configure to a specific AD OU I created a user test who is member of this OU.

The user must change his password at next logon.


But, with this user I have the following error during vpn connection "Credential or SSLVPN configuration is wrong (-7200)"

If I disable the option to change password at next logon, I can connect.


Is it because 2 "rules" are applied to my VPN configuration under "Authentication/Portal Mapping" ?

The original one using LDAP applying to Any and the second one using LDAPS applying to specific OU ? As my user test is member of the OU and also Any, I don't know which "rule" is applied. Let me know if I'm clear or not. Regards,


New Contributor



By deleting LDAP server on ly SSL-VPN-Settings and just keeping my LDAPS servers, now the message during the connection, for my user who must change his password, is : Unable to logon to the server. Your user name or password may not be configured properly for this connection (-12).


If I uncheck the box which told that the user must change his password to the next logon I can connect to my forticlient.


Any idea ? I don't know if I must change my fabfic connecter (AD) from ldap to ldaps or if it's not necessary.





Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors