After updating some firewalls to FortiOS 7.4.4 I am no longer able to log onto them using LDAP authentication. Local accounts are not affected.
I have tested my credentials on the LDAP server screen and confirmed that I can authenticate, so this looks like a bug in 7.4.4.
Anyone else experiencing this issue?
Same here and also worked for me
Thanks for share
100% Correct i tested it without Secure Connection and its working. I open a ticket fortigate support the answer was go back to 7.2.8 great. Feature means for me new features they can be buggy but the basics should work. Fortigate should use words like "Beta" "Experimental" maybe better
I am having the same issue after upgrading to 7.4.4
Same issue here using Google LDAPS - has anyone had any luck getting it to work on 7.4.4 with Google? Turning off secure connection didn't solve it. Thanks
Hey freddiedivas,
if you have the issue even after disabling secure connection, that sounds like something else might be going on.
I would suggest that you do the following in FortiGate CLI:
1. Enable this debug:
#dia de reset
#dia de app fnbamd -1
#dia de en
2. In a separate CLI connection, run this command:
#dia test authserver ldap <LDAP server name> <user> <password>
It should look something like this ("win-server" is what the LDAP-server is called in my FortiGate config):
3. In the first SSH session, you should get some output about FortiGate trying to connect to the LDAP. This might give you some error messages (like SSL connect failed, or admin bind failed, or user bind failed, or similar).
-> I would suggest sharing the output here for us to look over, or opening a support case to have a FortiGate support engineer look the debug over and provide details on whatever error your FortiGate encounters.
4. To end the debug output:
#dia de disable
#dia de reset
None of the suggestions provided so far have worked for me, which included installing a CA cert and disabling security. I feel like this is a bug introduced in 7.4.4.
At the very least, I would expect that any issues with LDAP auth would be identified when running a test in the web GUI.
I'd normally ask for a pcap + full fnbamd debug, but since those will most likely contain sensitive information, you're be better off opening a support ticket to get things sorted out.
Thanks @Debbie_FTNT, I did manage to fix this in the end - not sure if it will work for you @Magni_IT but might be worth a try, my issue was related to LDAP timeout, increasing the timeout by running the below fixed it for me;
config sys global
set remoteauthtimeout 10
set ldapconntimeout 999
end
more details here - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Increase-the-LDAP-query-timeout/ta-p/18940...
Same problem here. LDAPS stop working after upgrading to 7.4.4.
Then I found this KB (https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-certificate-issuer-enforcement/ta-p/... that explains that certificate verification is now enforced since this version. The error messages on debug was different compared to the KBs one.
While I was trying to reproduce the issue to get the same error message as the KB, I decided to delete the CA certs from the FortiGate. Which then I started to get the exactly same error message "(error:0A000086:SSL routines::certificate verify failed)".
Then after that, I re-imported the exactly same CA certs and it fixed the issue. So the solution was to delete and re-import the CA certificates.
I hope this helps others.
Good Day,
Kindly note that starting from v7.4.4, the LDAPS/STARTTLS server certificate issuer has been enforced.
When using FOS 7.4.4 GA,7.6.0GA, or later in LDAPS setup, you may encounter an authentication error when using remote login based authenticated by a LDAPS server can be verified in the packet capture 'certificate verify failed' error appears when the root CA is not installed on the FortiGate store.
To prevent this error, import the certificate (root CA) that signed the server certificate into the FortiGate store.
There are times when, even after updating the server root certificate to the FortiGate certificate store, the authentication will fail due to an 'Unknown CA' error. In one case, the certificate was updated under the Local CA store instead of the Remote CA. After reinstalling the root certificate, when the certificate was under the Remote CA, the authentication was successful.
As a result, make sure that the certificate is under the Remote CA in the certificate store. Additionally, ensure that the certificate is correctly downloaded as a CA from the authentication server.
PCAP eg: when an issue happens starting from v7.4.4 due to the root CA is not installed on the FortiGate store we can see an error Alert (Level: Fatal, Description: Unknown CA):
7 0.000000000 10.5.55.75 10.1.1.1 TLSv1.2 695 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
9 0.000000000 10.1.1.1 10.5.55.75 TLSv1.2 73 Alert (Level: Fatal, Description: Unknown CA)
PCAP eg: After root CA is installed in the FGT, we can see Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message as e.g. :
7 0.000000000 10.5.55.75 10.1.1.1 TLSv1.2 695 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
9 0.000000000 10.1.1.1 10.5.55.75 TLSv1.2 171 Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Kindly refer to the below KB for detailed information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-STARTTLS-certificate-issuer-enforcem...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-connections-no-longer-work-after-upd...
Thanks,
Feroz
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.