Magnitude_8
New Contributor III

LDAP authentication for admins not working after FortiOS 7.4.4 update

After updating some firewalls to FortiOS 7.4.4 I am no longer able to log onto them using LDAP authentication. Local accounts are not affected.


I have tested my credentials on the LDAP server screen and confirmed that I can authenticate, so this looks like a bug in 7.4.4.


Anyone else experiencing this issue?

ipivot
New Contributor

Same here, and it also worked for me.
Thanks for sharing.

Crimedefender
New Contributor

100% correct. I tested it without Secure Connection and it's working. I opened a ticket with FortiGate support; the answer was "go back to 7.2.8". Great. Features, for me, means new features; they can be buggy, but the basics should work. FortiGate should maybe use words like "Beta" or "Experimental".

DoubleP
New Contributor

I am having the same issue after upgrading to 7.4.4

freddiedavis
New Contributor II

Same issue here using Google LDAPS - has anyone had any luck getting it to work on 7.4.4 with Google? Turning off secure connection didn't solve it. Thanks

Debbie_FTNT

Hey freddiedavis,

If you have the issue even after disabling secure connection, that sounds like something else might be going on.

I would suggest that you do the following in FortiGate CLI:

1. Enable this debug:
#dia de reset
#dia de app fnbamd -1
#dia de en
2. In a separate CLI connection, run this command:
#dia test authserver ldap <LDAP server name> <user> <password>
It should look something like this ("win-server" is what the LDAP-server is called in my FortiGate config):

3. In the first SSH session, you should get some output about FortiGate trying to connect to the LDAP. This might give you some error messages (like SSL connect failed, or admin bind failed, or user bind failed, or similar).

-> I would suggest sharing the output here for us to look over, or opening a support case to have a FortiGate support engineer look the debug over and provide details on whatever error your FortiGate encounters.


4. To end the debug output:
#dia de disable
#dia de reset

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Magnitude_8
New Contributor III

None of the suggestions provided so far have worked for me, which included installing a CA cert and disabling security. I feel like this is a bug introduced in 7.4.4.


At the very least, I would expect that any issues with LDAP auth would be identified when running a test in the web GUI.

pminarik

I'd normally ask for a pcap + full fnbamd debug, but since those will most likely contain sensitive information, you'd be better off opening a support ticket to get things sorted out.

[ corrections always welcome ]
freddiedavis
New Contributor II

Thanks @Debbie_FTNT, I did manage to fix this in the end. Not sure if it will work for you @Magni_IT, but it might be worth a try; my issue was related to an LDAP timeout, and increasing the timeout by running the below fixed it for me:


config sys global
set remoteauthtimeout 10
set ldapconntimeout 999
end

more details here - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Increase-the-LDAP-query-timeout/ta-p/18940...

Renderson
New Contributor

Same problem here. LDAPS stopped working after upgrading to 7.4.4.

Then I found this KB (https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-certificate-issuer-enforcement/ta-p/...) that explains that certificate verification is now enforced since this version. The error messages in the debug were different compared to the KB's.


While I was trying to reproduce the issue to get the same error message as the KB, I decided to delete the CA certs from the FortiGate, after which I started to get the exact same error message "(error:0A000086:SSL routines::certificate verify failed)".


After that, I re-imported the exact same CA certs and it fixed the issue. So the solution was to delete and re-import the CA certificates.


I hope this helps others.


sferoz
Staff

Good Day,

Kindly note that starting from v7.4.4, the LDAPS/STARTTLS server certificate issuer is enforced.
When using FOS 7.4.4 GA, 7.6.0 GA, or later in an LDAPS setup, you may encounter an authentication error when using remote login authenticated by an LDAPS server. This can be verified in the packet capture: a 'certificate verify failed' error appears when the root CA is not installed in the FortiGate store.
To prevent this error, import the certificate (root CA) that signed the server certificate into the FortiGate store.

There are times when, even after updating the server root certificate to the FortiGate certificate store, the authentication will fail due to an 'Unknown CA' error. In one case, the certificate was updated under the Local CA store instead of the Remote CA. After reinstalling the root certificate, when the certificate was under the Remote CA, the authentication was successful.

As a result, make sure that the certificate is under the Remote CA in the certificate store. Additionally, ensure that the certificate is correctly downloaded as a CA from the authentication server.

PCAP e.g.: when the issue happens starting from v7.4.4 because the root CA is not installed in the FortiGate store, we can see an error Alert (Level: Fatal, Description: Unknown CA):
7 0.000000000 10.5.55.75 10.1.1.1 TLSv1.2 695 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
9 0.000000000 10.1.1.1 10.5.55.75 TLSv1.2 73 Alert (Level: Fatal, Description: Unknown CA)

PCAP e.g.: after the root CA is installed on the FGT, we can see Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message, e.g.:
7 0.000000000 10.5.55.75 10.1.1.1 TLSv1.2 695 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
9 0.000000000 10.1.1.1 10.5.55.75 TLSv1.2 171 Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message

Kindly refer to the below KB for detailed information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-STARTTLS-certificate-issuer-enforcem...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-connections-no-longer-work-after-upd...

Thanks,
Feroz
