Support Forum
RolandBaumgaertner72
Contributor

SSL VPN Failure Permission Denied -455 after update to 7.4.4

Hi,

I saw many posts but no solution that worked for us. Since yesterday, after the update to 7.4.4, we can't connect via SSL VPN with LDAP and FortiToken users. Local users are working fine. We tried with different users (NO user can connect, and we have at least 20 per day), different PCs and different FortiClient versions.

We did not change anything since yesterday, and in the other office with a FG100F on 7.4.3 it still works without any problem with the same LDAP configuration.

Is it possible that this is a bug in 7.4.4? Any ideas or suggestions?

Thanks!

AnthonyH
Staff

Hello RolandBaumgaertner72,

It may be related to the root CA enforcement, which requires the LDAP server certificate to be installed on the FortiGate. Please refer to the link below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-certificate-issuer-enforcement/ta-p/...

Technical Support Engineer,
Anthony.
RolandBaumgaertner72
Contributor

Hi,

but how can I install the certificate issuer (the root CA) in the FortiGate store? Or do I have to download the root certificate from the FortiGate and install it in the endpoint's certificate store and mark it as trusted?

Do you have some more information?

Thanks!

Debbie_FTNT

Hey Roland,

the FortiGate is the client to the LDAP server in this instance, so you need to get the root CA of the LDAP server certificate and upload that root CA to the FortiGate, to ensure it trusts the LDAP server certificate (and its issuer).

As to how to install it:

1. Download the CA certificate that signed the LDAP server certificate

2. Log into FortiGate

3. Go to System > Certificate Management

4. Click on 'Create New/Import', then CA Certificate

5. Select the certificate, and click OK

That should install the certificate in question, and the LDAP server certificate should be trusted in the future.

Cheers,

Debbie

That should do it;

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
hbac
Staff

Hi @RolandBaumgaertner72,

Under User & Authentication > LDAP Servers > Edit, are you able to 'Test User Credentials'? What is the connection status?

Regards,

RolandBaumgaertner72
Contributor

Hi,

Solved: with the certificates loaded on the FW, we can connect without any problems.

Thanks

Hungry_Panda

Could you share the steps to export the Windows AD root cert?

AnthonyH

Hello Hungry_Panda,


Could you please check these two documents? The steps to export the certificate are included here:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-export-root-CA-from-Certificate-Aut...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-LDAP-over-SSL-LDAPS/ta-p/18997...

Technical Support Engineer,
Anthony.
Hungry_Panda

I followed those instructions. I can connect with LDAPS and pass User Credential Test, but when I enable "Certificate", I lose Connectivity. And VPN still fails with AD account even though that account will

[Screenshots: "AD okay from firewall"; "VPN -455 fail with AD cred's"; "Export AD CA root"; "Can connect to LDAPS wo Certificate"; "Can Not connect LDAPS w cert"; "VPN still failing :("]

RolandBaumgaertner72

Hi,

We just copied our certificate (export) into the certificates option of the FG, and after that it worked ;)

Try it out!
