Hello,
We have an LDAP connection to our DC setup on our Fortigate 60E (v6.2.2 build1010). We connect to the domain controller over a S2S VPN. Insecure connections on port 389 connect just fine. However, when I attempt to turn on LDAPS, and issue command:
diagnose test authserver ldap SDC_LDAP <username> <password>I get
authenticate '<username>' against 'SDC_LDAP' failed!
I have imported a CA cert into the Fortigate that is in the trusted CA store of the DC (SDC_LDAP) as well.
After a bit of troubleshooting, I believe I cannot connect via LDAPS because the Fortigate does not resolve the fqdn of the LDAP server IP, thus causing a cert validation failure. Entering in the fqdn of the DC into the server field does not work because the Fortigate does not resolve the name to an IP address (a DNS resolution failure).
Using the Ldp utility from my desktop I get a similar result, I can connect via LDAPS just fine if and only if I use the DC hostname/fqdn. (The LDAPS Cookbook guide uses an IP address just fine. I am not using AD CS, I generated the root key pair via OpenSSL on a different box so I am kind of curious what might be different here. Adding the IP to the cert seems a little janky to me)
How do I best go about getting the Fortigate to resolve the name? I have changed the Fortigate's network DNS to use our DNS to no avail. Any help would be appreciated.
Thanks.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
in fnbamd - 1 debug you probably see similar line to this:
failed: ssl_connect() failed: 5 (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed).
Issue is likely that the SubjectAltName of the certificate does not have IP address which you are connecting to.
It is the IP or FQDN which you would use in config user ldap > set server ....
Fix (workaround):
If you edit ldap in FortiGate:
config user ldap
edit <your ldap>
set server-identity-check disable
end
The check will be disabled and LDAPS will work. Authentication will not be affected at all.
By default, in 6.2, when you select certificate for LDAPS, the option "set server-identity-check" is enabled.
Best Regards,
Alivo
livo
Hello,
in fnbamd - 1 debug you probably see similar line to this:
failed: ssl_connect() failed: 5 (error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed).
Issue is likely that the SubjectAltName of the certificate does not have IP address which you are connecting to.
It is the IP or FQDN which you would use in config user ldap > set server ....
Fix (workaround):
If you edit ldap in FortiGate:
config user ldap
edit <your ldap>
set server-identity-check disable
end
The check will be disabled and LDAPS will work. Authentication will not be affected at all.
By default, in 6.2, when you select certificate for LDAPS, the option "set server-identity-check" is enabled.
Best Regards,
Alivo
livo
Hi, and thanks for the reply.
Issue is likely that the SubjectAltName of the certificate does not have IP address which you are connecting to.
It is the IP or FQDN which you would use in config user ldap > set server ....
Correct. I do not have the IP in the certificate. I would like to use the FQDN (to bypass not having the ip in the cert) however I am having a hard time getting the Fortigate to resolve the FQDN. I have setup the Fortigate as a slave dns server and pointed the Fortigate system dns to itself and pings still fail to the fqdn from cli.
I have enabled your workaround for now.
Thanks again.
Alivo, Thanks for that tip worked well for me.
Regards,
Gunnerman wrote:Are you still having this issue? I have the same issue but resolved the ping by setting the source address of the ping to the internal interface IP address (exec ping-options source x.x.x.x). However the sutrhentication still fails, even with the server-identity-check disabled.Hi, and thanks for the reply.
Issue is likely that the SubjectAltName of the certificate does not have IP address which you are connecting to.
It is the IP or FQDN which you would use in config user ldap > set server ....
Correct. I do not have the IP in the certificate. I would like to use the FQDN (to bypass not having the ip in the cert) however I am having a hard time getting the Fortigate to resolve the FQDN. I have setup the Fortigate as a slave dns server and pointed the Fortigate system dns to itself and pings still fail to the fqdn from cli.
I have enabled your workaround for now.
Thanks again.
Under Network / DNS you need to have your FortiGate pointing at your internal DNS IP (e.g. DC's IP) and have your internal DNS suffix entered there too for internal name resolution to work, assuming that you're using an internal CA-generated certificate for LDAPS. Your Fortigate then should be able to ping your internal DC or LDAPS server by the same internal FQDN as that name on the LDAPS certificate issued by the internal CA. If the ping works, configure the LDAP server with the same internal FQDN (e.g. DC1.yourdomain.local or DC1.corp.yourdomain.com) and everything should work with server-identity-check enabled.
Russ
NSE7
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.