Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wayne11
Contributor

LDAP Auth only works with Pre-Win2K username

Hi guys, after we went to 5.0.4 we want to implement LDAP Authentication for our SSL VPN users. A big problem we found: it's only possible to authenticate with the "Pre-Windows 2000" user credentials. With the normal AD username it's not possible. For example, all our users have a username like m.name followed by the domain @example.ads, and the old Pre-Windows 2000 usernames are just the initials of each user, like mn in this example. So domain followed by the username: "domain\mn". When we test the LDAP authentication for the users, we can authenticate only with the Pre-Windows 2000 username.

 Fortigate-110C # diag test authserver ldap AD1 mn password
 authenticate 'mn' against 'AD1' succeeded!

 Fortigate-110C # diag test authserver ldap AD1 m.name password
 authenticate 'm.name' against 'AD1' failed!

 Fortigate-110C # diag test authserver ldap AD1 m.name@domain.ads password
 authenticate 'm.name@domain.ads' against 'AD1' failed!

Any suggestions?
Wayne11
Contributor

If we set cnid "userPrincipalName" on the LDAP server we can't authenticate; it works only with "sAMAccountName". Has anyone got it to work with the UPN?
 Fortigate-110C (BACKUP) # get
 name                : BACKUP 
 server              : 172.17.36.50 
 secondary-server    : 
 tertiary-server     : 
 source-ip           : 0.0.0.0
 cnid                : userPrincipalName 
 dn                  : DC=domain,DC=ads 
 port                : 389
 type                : regular 
 username            : CN=ldap,OU=Dienstkonten,OU=Benutzer,OU=Gellen,DC=domain,DC=ads 
 password            : *
 group-member-check  : user-attr 
 secure              : disable 
 password-expiry-warning: disable 
 password-renewal    : disable 
 member-attr         : memberOf 
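To make the effect of the cnid setting concrete, here is a small model of the "regular"-type LDAP login that the configuration above describes: bind with the service account, search the base DN for an entry whose cnid attribute equals the login name, then bind as the DN that was found. This is an added example, not FortiGate code or output from the thread; the directory entries, passwords and the assumption that the lookup is a case-insensitive equality match on the cnid attribute are all constructed for the demonstration. It also shows why the login name should be escaped before it is placed in the search filter.

```python
"""Model of a 'regular'-type LDAP login (service-account bind, search on the
cnid attribute under the base DN, then user bind).  Added example; the
directory below is constructed sample data, not a real domain."""

# Constructed sample directory: DN -> attributes.  Passwords are kept here only
# so the model can simulate the bind step.
SAMPLE_DIRECTORY = {
    "CN=Max Name,OU=Benutzer,DC=domain,DC=ads": {
        "sAMAccountName": "mn",
        "userPrincipalName": "m.name@domain.ads",
        "password": "password",
    },
    "CN=ldap,OU=Dienstkonten,OU=Benutzer,DC=domain,DC=ads": {
        "sAMAccountName": "ldap",
        "userPrincipalName": "ldap@domain.ads",
        "password": "svc-secret",
    },
}

SERVICE_DN = "CN=ldap,OU=Dienstkonten,OU=Benutzer,DC=domain,DC=ads"
SERVICE_PASSWORD = "svc-secret"

# RFC 4515 escapes for the characters that would otherwise change the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a login name so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(cnid, login):
    """Filter the device would send for this cnid, e.g. (sAMAccountName=mn)."""
    return f"({cnid}={escape_filter_value(login)})"


def bind(directory, dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and entry["password"] == password


def search(directory, base_dn, cnid, login):
    """Return the DNs under base_dn whose cnid attribute equals login.

    Assumption: AD compares these attributes case-insensitively, so the
    model does too.
    """
    wanted = login.lower()
    return [
        dn
        for dn, attrs in directory.items()
        if dn.lower().endswith(base_dn.lower())
        and attrs.get(cnid, "").lower() == wanted
    ]


def authenticate(directory, base_dn, cnid, login, password):
    """Mimic 'diag test authserver ldap': returns (ok, explanation)."""
    if not bind(directory, SERVICE_DN, SERVICE_PASSWORD):
        return False, "service account bind failed"
    matches = search(directory, base_dn, cnid, login)
    if not matches:
        return False, f"no entry matched {build_filter(cnid, login)}"
    if len(matches) > 1:
        # Refuse ambiguous results rather than guessing which account to bind as.
        return False, f"{len(matches)} entries matched {build_filter(cnid, login)}"
    user_dn = matches[0]
    if not bind(directory, user_dn, password):
        return False, f"bind as {user_dn} failed"
    return True, f"authenticated as {user_dn}"


if __name__ == "__main__":
    base = "DC=domain,DC=ads"
    for cnid in ("sAMAccountName", "userPrincipalName"):
        for login in ("mn", "m.name", "m.name@domain.ads"):
            ok, why = authenticate(SAMPLE_DIRECTORY, base, cnid, login, "password")
            print(f"cnid={cnid:18} login={login:18} -> {'ok' if ok else 'FAIL'}: {why}")
```

Run as a script, the table of results reproduces the pattern in the first post: with cnid sAMAccountName only "mn" is found, with cnid userPrincipalName only "m.name@domain.ads" is found, and the bare "m.name" matches neither attribute. The model only covers the lookup semantics; it says nothing about the additional local-user requirement discussed later in this thread.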
Wayne11
Contributor

Finally I've got it to work. We had to create the user on the FG with the full principal name as well!!! If I create a user like m.name@domain.com and link it to the LDAP server with the Common Name Identifier configured as "userPrincipalName", then it works!
Dipen
New Contributor III

Hi, does that mean if I have 1000 users in the AD domain, then I have to create 1000 users locally on the FortiGate? You already needed to do that for assigning FortiToken to AD users... Now I come to know that setting CNID to userPrincipalName doesn't work either.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D