Hi,
I saw many posts but no solution that worked for us. Since yesterday, after the update to 7.4.4, we can't connect via SSL VPN with LDAP and FortiToken users. Local users are working fine. We tried with different users (NO user can connect, and we have at least 20 per day), different PCs and different FortiClient versions.
We did not change anything from yesterday and on the other office with FG100F and 7.4.3 it still works without any problem with the same LDAP configuration.
Is it possible that this is a bug in 7.4.4? Any ideas or suggestions?
Thanks!
Hi,
solved, with the certificates loaded on the FW we can connect without any problems.
Thanks
Hello RolandBaumgaertner72,
It may be related to the Root CA enforcement which requires the LDAP server certificate to be installed on the Fortigate, please refer to the link below:
Hi,
but how can I install the certificate issuer (the root CA) in the FortiGate certificate store? Or do I have to download the root certificate from the FortiGate and install it in the endpoint's certificate store and mark it as trusted?
Do you have some more information?
Thanks!
Hey Roland,
the FortiGate is client to the LDAP server in this instance - so you need to get the root CA of the LDAP server certificate, and upload that root CA to FortiGate, to ensure it trusts the LDAP server certificate (and its issuer).
As to how to install it:
1. Download the CA certificate that signed the LDAP server certificate
2. Log into FortiGate
3. Go to System > Certificate Management
4. Click on 'Create New/Import', then CA Certificate
5. Select the certificate, and click OK
That should install the certificate in question, and the LDAP server certificate should be trusted in the future.
Cheers,
Debbie
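The same steps in CLI form, as an added example that is not from the original thread: it assumes the imported CA was named "CA_Cert_1" (the default name FortiGate assigns on import), a hostname "dc01.example.local" and a bind account that are placeholders, and it switches on identity checking so the name in the server certificate is also verified, not just the chain.

```fortios
# Point the LDAP server object at the imported root CA (names are placeholders)
config user ldap
    edit "AD-LDAPS"
        set server "dc01.example.local"      # must match the CN/SAN in the server cert
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fgt,ou=Service Accounts,dc=example,dc=local"
        set password <bind-password>
        set secure ldaps                      # LDAPS on 636, not STARTTLS
        set port 636
        set ca-cert "CA_Cert_1"               # root CA imported under System > Certificates
        set server-identity-check enable      # fail if the cert name does not match 'server'
    next
end

# Verify the bind and a user lookup over the now-validated TLS session
diagnose test authserver ldap AD-LDAPS <test-user> <test-password>
```

If the diagnose command reports a certificate or TLS failure while plain LDAP on 389 works, the CA object does not cover the issuer of the DC's certificate (check for an intermediate CA) or the hostname in 'server' does not match the certificate.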
That should do it;
Under User & Authentication > LDAP Servers > Edit, are you able to 'Test User Credentials'? What is the connection status?
Regards,
Could you share the steps to export the Windows AD root cert?
Hello Hungry_Panda,
Could you please check these two documents? The steps to export the certificate are included here:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-export-root-CA-from-Certificate-Aut...
I followed those instructions. I can connect with LDAPS and pass User Credential Test, but when I enable "Certificate", I lose Connectivity. And VPN still fails with AD account even though that account will .
Hi,
we just copied our certificate (export) in the certificates option of the FG and after that it worked ;)
Try it out!