TBC

SSl-VPN - Change pwd for AD User getting "Policy ID Implicit Deny"

Hello @All,

we're using SSL-VPN with the web portal and Active Directory login.

Login works fine!

If the password of an SSL-VPN AD user is expired, he gets the message on the portal that it is expired, so please change it. If the user tries to change it, he then gets the error: Permission denied.

In the log I see "Policy ID Implicit Deny".

How can I fix that?

Many thanks

TheBob

bpozdena_FTNT

Hi Bob,

You will need to use LDAPS and enable password renewal for users to be able to change their passwords upon expiration.

set secure ldaps
set password-renewal enable

The document below explains it in detail:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/688719/ssl-vpn-with-ldap-user-password-r...

HTH,
Boris
TBC

Thank you very much for the fast reply!

I have that already enabled:

        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
        set password-expiry-warning enable
        set password-renewal enable

My FW is v7.2.1 build 1254.

I'm pretty sure that this worked before, but now it's not working anymore.

Markus_M

Hi Bob,

one thing you could try is reverting to an older FortiGate release by rebooting with the alternate boot sector, which holds the firmware (and config) you had prior to upgrading, and then testing there.

Other than that, you will need to check:

a) Are you testing with FortiClient? If so, test with the FGT web mode; that will have to work.

b) debug :)

diag debug console timestamp enable

diag debug app fnbamd -1

diag debug app sslvpn -1

diag debug enable

Then you should be able to identify the binding, password authentication, expiry, change message and hopefully what is not happening as it should.

Best regards,

Markus

TBC

Hello Markus,

many thanks for helping; the alternate boot is not possible because I'm working remotely.

Debug is done. Is it possible to send the log via mail, for security reasons?

Many thanks

Remo


bpozdena_FTNT

Hi Remo,

The idea of a public forum is to share issues and their solutions with others. This way, more people can benefit. You can mask/replace sensitive details such as the domain name and post it here.

If you are not comfortable with that, please create a support ticket with TAC and you will be helped privately there ;-).

HTH,
Boris
TBC

Here it is :)

fw-tl2-r19 # 2022-09-21 13:45:18 [353:root:5c]allocSSLConn:306 sconn 0x7f66640ae800 (0:root)
2022-09-21 13:45:18 [353:root:5c]SSL state:before SSL initialization (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:before SSL initialization (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]got SNI server name: vpn.dom.net realm (null)
2022-09-21 13:45:18 [353:root:5c]client cert requirement: no
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS read client hello (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS write server hello (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS write change cipher spec (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:TLSv1.3 early data (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:TLSv1.3 early data:(null)(xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:TLSv1.3 early data (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]got SNI server name: vpn.dom.net realm (null)
2022-09-21 13:45:18 [353:root:5c]client cert requirement: no
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS read client hello (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS write server hello (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:TLSv1.3 write encrypted extensions (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS write certificate (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:TLSv1.3 write server certificate verify (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS write finished (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:TLSv1.3 early data (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:TLSv1.3 early data:(null)(xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:TLSv1.3 early data (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS read finished (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS write session ticket (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL state:SSLv3/TLS write session ticket (xx.xxx.xxx.xx)
2022-09-21 13:45:18 [353:root:5c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
2022-09-21 13:45:18 [353:root:5c]req: /remote/logincheck
2022-09-21 13:45:18 [353:root:5c]rmt_web_auth_info_parser_common:504 no session id in auth info
2022-09-21 13:45:18 [353:root:5c]rmt_web_access_check:771 access failed, uri=[/remote/logincheck],ret=4103,
2022-09-21 13:45:18 [353:root:5c]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
2022-09-21 13:45:18 [353:root:5c]sslvpn_auth_check_usrgroup:2991 forming user/group list from policy.
2022-09-21 13:45:18 [353:root:5c]sslvpn_auth_check_usrgroup:3037 got user (0) group (19:0).
2022-09-21 13:45:18 [353:root:5c]sslvpn_validate_user_group_list:1870 validating with SSL VPN authentication rules (19), realm (wenzel).

2022-09-21 13:45:18 [353:root:5c]sslvpn_validate_user_group_list:2889 got user (0:0), group (1:0) peer group (0).
2022-09-21 13:45:18 [353:root:5c]sslvpn_update_user_group_list:1807 got user (0:0), group (1:0), peer group (0) after update.
2022-09-21 13:45:18 [353:root:5c]two factor check for u0test: off
2022-09-21 13:45:18 [353:root:5c]sslvpn_authenticate_user:191 authenticate user: [u0test]
2022-09-21 13:45:18 [353:root:5c]sslvpn_authenticate_user:205 create fam state
2022-09-21 13:45:18 [353:root:5c][fam_auth_send_req_internal:426] Groups sent to FNBAM:
2022-09-21 13:45:18 [353:root:5c]group_desc[0].grpname = vpn-wenzel 
2022-09-21 13:45:18 [353:root:5c][fam_auth_send_req_internal:438] FNBAM opt = 0X200401
2022-09-21 13:45:18 [353:root:5c]fam_auth_send_req_internal:514 fnbam_auth return: 4
2022-09-21 13:45:18 [1906] handle_req-Rcvd auth req 595406404 for u0test in  opt=00200401 prot=11
2022-09-21 13:45:18 [466] __compose_group_list_from_req-Group 'vpn-wenzel', type 1
fam_auth_send_req:1007 task finished with 4
2022-09-21 13:45:18 [616] fnbamd_pop3_start-u0test
2022-09-21 13:45:18 [378] radius_start-Didn't find radius servers (0)
2022-09-21 13:45:18 [755] auth_tac_plus_start-Didn't find tac_plus servers (0)
2022-09-21 13:45:18 [1006] __fnbamd_cfg_get_ldap_list_by_group-
2022-09-21 13:45:18 [1064] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DC1' for usergroup 'vpn-wenzel' (5)
2022-09-21 13:45:18 [1064] __fnbamd_cfg_get_ldap_list_by_group-Loaded LDAP server 'DC2' for usergroup 'vpn-wenzel' (5)
2022-09-21 13:45:18 [1114] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 2
2022-09-21 13:45:18 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=u0test
2022-09-21 13:45:18 [1727] fnbamd_ldap_init-search base is: OU=xxx,DC=DBom,DC=com
2022-09-21 13:45:18 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x2e1 'PDC1.Dom.com'
2022-09-21 13:45:18 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x22e1 'PDC1.Dom.com'
2022-09-21 13:45:18 [137] fnbamd_dns_resolv_ex-DNS maintainer started.
2022-09-21 13:45:18 [1717] fnbamd_ldap_init-search filter is: sAMAccountName=u0test
2022-09-21 13:45:18 [1727] fnbamd_ldap_init-search base is: OU=xxx,DC=DBom,DC=com
2022-09-21 13:45:18 [115] fnbamd_dns_resolv_ex-DNS req ipv4 0x2e2 'BDC1.Dom.com'
2022-09-21 13:45:18 [125] fnbamd_dns_resolv_ex-DNS req ipv6 0x22e2 'BDC1.Dom.com'
2022-09-21 13:45:18 [644] create_auth_session-Total 2 server(s) to try
2022-09-21 13:45:18 [1927] handle_req-r=4
2022-09-21 13:45:18 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x2e1
2022-09-21 13:45:18 [305] fnbamd_dns_parse_resp-req 0x2e1: 192.168.xxx.xx3
2022-09-21 13:45:18 [1149] __fnbamd_ldap_dns_cb-Resolved DC1:PDC1.Dom.com to 192.168.xxx.xx3, cur stack size:1
2022-09-21 13:45:18 [924] __fnbamd_ldap_get_next_addr-
2022-09-21 13:45:18 [1154] __fnbamd_ldap_dns_cb-Connection starts DC1:PDC1.Dom.com, addr 192.168.xxx.xx3 over SSL
2022-09-21 13:45:18 [879] __fnbamd_ldap_start_conn-Still connecting 192.168.xxx.xx3.
2022-09-21 13:45:18 [246] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x2e2
2022-09-21 13:45:18 [305] fnbamd_dns_parse_resp-req 0x2e2: 192.168.xxx.xx5
2022-09-21 13:45:18 [1149] __fnbamd_ldap_dns_cb-Resolved DC2:BDC1.Dom.com to 192.168.xxx.xx5, cur stack size:1
2022-09-21 13:45:18 [924] __fnbamd_ldap_get_next_addr-
2022-09-21 13:45:18 [1154] __fnbamd_ldap_dns_cb-Connection starts DC2:BDC1.Dom.com, addr 192.168.xxx.xx5 over SSL
2022-09-21 13:45:18 [879] __fnbamd_ldap_start_conn-Still connecting 192.168.xxx.xx5.
2022-09-21 13:45:18 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x22e1
2022-09-21 13:45:18 [265] fnbamd_dns_parse_resp-req 0x2e1: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2022-09-21 13:45:18 [35] __fnbamd_dns_req_del-DNS req 0x2e1 (0x9c9c680) is removed. Current total: 3
2022-09-21 13:45:18 [1149] __fnbamd_ldap_dns_cb-Resolved DC1:PDC1.Dom.com to ::, cur stack size:0
2022-09-21 13:45:18 [246] fnbamd_dns_parse_resp-got IPv6 DNS reply, req-id=0x22e2
2022-09-21 13:45:18 [265] fnbamd_dns_parse_resp-req 0x2e2: wrong dns format, qr=1, opcode=0, qdc=1, ancount=0
2022-09-21 13:45:18 [35] __fnbamd_dns_req_del-DNS req 0x2e2 (0x9c9dbf0) is removed. Current total: 2
2022-09-21 13:45:18 [47] __fnbamd_dns_req_del-DNS maintainer stopped.
2022-09-21 13:45:18 [1149] __fnbamd_ldap_dns_cb-Resolved DC2:BDC1.Dom.com to ::, cur stack size:0
2022-09-21 13:45:18 [1107] __ldap_connect-tcps_connect(192.168.xxx.xx3) is established.
2022-09-21 13:45:18 [985] __ldap_rxtx-state 3(Admin Binding)
2022-09-21 13:45:18 [363] __ldap_build_bind_req-Binding to 'T01@Dom.com'
2022-09-21 13:45:18 [1083] fnbamd_ldap_send-sending 46 bytes to 192.168.xxx.xx3
2022-09-21 13:45:18 [1096] fnbamd_ldap_send-Request is sent. ID 1
2022-09-21 13:45:18 [985] __ldap_rxtx-state 4(Admin Bind resp)
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:18 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 14
2022-09-21 13:45:18 [1306] fnbamd_ldap_recv-Response len: 16, svr: 192.168.xxx.xx3
2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2022-09-21 13:45:18 [1023] fnbamd_ldap_parse_response-ret=0
2022-09-21 13:45:18 [1052] __ldap_rxtx-Change state to 'DN search'
2022-09-21 13:45:18 [1107] __ldap_connect-tcps_connect(192.168.xxx.xx5) is established.
2022-09-21 13:45:18 [985] __ldap_rxtx-state 11(DN search)
2022-09-21 13:45:18 [750] fnbamd_ldap_build_dn_search_req-base:'OU=xxx,DC=Dom,DC=com' filter:sAMAccountName=u0test
2022-09-21 13:45:18 [1083] fnbamd_ldap_send-sending 86 bytes to 192.168.xxx.xx3
2022-09-21 13:45:18 [1096] fnbamd_ldap_send-Request is sent. ID 2
2022-09-21 13:45:18 [985] __ldap_rxtx-state 3(Admin Binding)
2022-09-21 13:45:18 [363] __ldap_build_bind_req-Binding to 'T01@Dom.com'
2022-09-21 13:45:18 [1083] fnbamd_ldap_send-sending 46 bytes to 192.168.xxx.xx5
2022-09-21 13:45:18 [1096] fnbamd_ldap_send-Request is sent. ID 1
2022-09-21 13:45:18 [985] __ldap_rxtx-state 12(DN search resp)
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:18 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 69
2022-09-21 13:45:18 [1306] fnbamd_ldap_recv-Response len: 71, svr: 192.168.xxx.xx3
2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
2022-09-21 13:45:18 [1023] fnbamd_ldap_parse_response-ret=0
2022-09-21 13:45:18 [1225] __fnbamd_ldap_dn_entry-Get DN 'CN=Test TU. User,OU=User,DC=Dom,DC=com'
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:18 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 14
2022-09-21 13:45:18 [1306] fnbamd_ldap_recv-Response len: 16, svr: 192.168.xxx.xx3
2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
2022-09-21 13:45:18 [1023] fnbamd_ldap_parse_response-ret=0
2022-09-21 13:45:18 [1052] __ldap_rxtx-Change state to 'User Binding'
2022-09-21 13:45:18 [985] __ldap_rxtx-state 5(User Binding)
2022-09-21 13:45:18 [596] fnbamd_ldap_build_userbind_req-Trying DN 'CN=Test TU. User,OU=User,DC=Dom,DC=com'
2022-09-21 13:45:18 [363] __ldap_build_bind_req-Binding to 'CN=Test TU. User,OU=User,DC=Dom,DC=com'
2022-09-21 13:45:18 [1083] fnbamd_ldap_send-sending 111 bytes to 192.168.xxx.xx3
2022-09-21 13:45:18 [1096] fnbamd_ldap_send-Request is sent. ID 3
2022-09-21 13:45:18 [985] __ldap_rxtx-state 6(User Bind resp)
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:18 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 102
2022-09-21 13:45:18 [1306] fnbamd_ldap_recv-Response len: 104, svr: 192.168.xxx.xx3
2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
2022-09-21 13:45:18 [1009] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 773, v3839)
2022-09-21 13:45:18 [1023] fnbamd_ldap_parse_response-ret=49
2022-09-21 13:45:18 [1719] fnband_ldap_run_password_policy_sm-Prompt user to renew expired password.
2022-09-21 13:45:18 [1052] __ldap_rxtx-Change state to 'Admin Binding'
2022-09-21 13:45:18 [985] __ldap_rxtx-state 3(Admin Binding)
2022-09-21 13:45:18 [363] __ldap_build_bind_req-Binding to 'T01@Dom.com'
2022-09-21 13:45:18 [1083] fnbamd_ldap_send-sending 46 bytes to 192.168.xxx.xx3
2022-09-21 13:45:18 [1096] fnbamd_ldap_send-Request is sent. ID 4
2022-09-21 13:45:18 [985] __ldap_rxtx-state 4(Admin Bind resp)
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:18 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 14
2022-09-21 13:45:18 [1306] fnbamd_ldap_recv-Response len: 16, svr: 192.168.xxx.xx5
2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2022-09-21 13:45:18 [1023] fnbamd_ldap_parse_response-ret=0
2022-09-21 13:45:18 [1052] __ldap_rxtx-Change state to 'DN search'
2022-09-21 13:45:18 [985] __ldap_rxtx-state 11(DN search)
2022-09-21 13:45:18 [750] fnbamd_ldap_build_dn_search_req-base:'OU=xxx,DC=Dom,DC=com' filter:sAMAccountName=u0test
2022-09-21 13:45:18 [1083] fnbamd_ldap_send-sending 86 bytes to 192.168.xxx.xx5
2022-09-21 13:45:18 [1096] fnbamd_ldap_send-Request is sent. ID 2
2022-09-21 13:45:18 [985] __ldap_rxtx-state 12(DN search resp)
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:18 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 69
2022-09-21 13:45:18 [1306] fnbamd_ldap_recv-Response len: 71, svr: 192.168.xxx.xx5
2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
2022-09-21 13:45:18 [1023] fnbamd_ldap_parse_response-ret=0
2022-09-21 13:45:18 [1225] __fnbamd_ldap_dn_entry-Get DN 'CN=Test TU. User,OU=User,DC=Dom,DC=com'
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:18 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 14
2022-09-21 13:45:18 [1306] fnbamd_ldap_recv-Response len: 16, svr: 192.168.xxx.xx5
2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
2022-09-21 13:45:18 [1023] fnbamd_ldap_parse_response-ret=0
2022-09-21 13:45:18 [1052] __ldap_rxtx-Change state to 'User Binding'
2022-09-21 13:45:18 [985] __ldap_rxtx-state 5(User Binding)
2022-09-21 13:45:18 [596] fnbamd_ldap_build_userbind_req-Trying DN 'CN=Test TU. User,OU=User,DC=Dom,DC=com'
2022-09-21 13:45:18 [363] __ldap_build_bind_req-Binding to 'CN=Test TU. User,OU=User,DC=Dom,DC=com'
2022-09-21 13:45:18 [1083] fnbamd_ldap_send-sending 111 bytes to 192.168.xxx.xx5
2022-09-21 13:45:18 [1096] fnbamd_ldap_send-Request is sent. ID 3
2022-09-21 13:45:18 [985] __ldap_rxtx-state 4(Admin Bind resp)
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:18 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:18 [1127] __fnbamd_ldap_read-Read 14
2022-09-21 13:45:18 [1306] fnbamd_ldap_recv-Response len: 16, svr: 192.168.xxx.xx3
2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:bind
2022-09-21 13:45:18 [1023] fnbamd_ldap_parse_response-ret=0
2022-09-21 13:45:18 [1052] __ldap_rxtx-Change state to 'Change password'
2022-09-21 13:45:18 [209] fnbamd_comm_send_result-Sending result 2 (nid 0) for req 595406404, len=2148
2022-09-21 13:45:18 [1786] fnbamd_ldap_pause-
fam_auth_proc_resp:1359 fnbam_auth_update_result return: 2 (challenged)
2022-09-21 13:45:18 [1786] fnbamd_ldap_pause-
2022-09-21 13:45:18 2022-09-21 13:45:18 [1838] fnbamd_ldap_stop-Unbind 192.168.xxx.xx5
2022-09-21 13:45:18 [1083] fnbamd_ldap_send-sending 7 bytes to 192.168.xxx.xx5
2022-09-21 13:45:18 [353:root:5c]2022-09-21 13:45:18 [1096] fnbamd_ldap_send-Request is sent. ID 4
2022-09-21 13:45:18 [755] __ldap_destroy-
2022-09-21 13:45:18 [724] __ldap_stop-Conn with 192.168.xxx.xx5 destroyed.
2022-09-21 13:45:18 [1277] freeze_auth_session-

2022-09-21 13:45:28 [354:root:5c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
2022-09-21 13:45:28 [354:root:5c]req: /remote/logincheck
2022-09-21 13:45:28 [354:root:5c]rmt_web_auth_info_parser_common:504 no session id in auth info
2022-09-21 13:45:28 [354:root:5c]rmt_web_access_check:771 access failed, uri=[/remote/logincheck],ret=4103,
2022-09-21 13:45:28 [354:root:5c]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
2022-09-21 13:45:28 [354:root:5c]got checking id 1-7df00b04
2022-09-21 13:45:28 [354:root:5c]sslvpn_auth_check_usrgroup:2991 forming user/group list from policy.
2022-09-21 13:45:28 [354:root:5c]sslvpn_auth_check_usrgroup:3037 got user (0) group (19:0).
2022-09-21 13:45:28 [354:root:5c]sslvpn_validate_user_group_list:1870 validating with SSL VPN authentication rules (19), realm (wenzel).

2022-09-21 13:45:28 [354:root:5c]sslvpn_validate_user_group_list:2889 got user (0:0), group (1:0) peer group (0).
2022-09-21 13:45:28 [354:root:5c]sslvpn_update_user_group_list:1807 got user (0:0), group (1:0), peer group (0) after update.
2022-09-21 13:45:28 [354:root:5c]two factor check for u0test: off
2022-09-21 13:45:28 [354:root:5c]sslvpn_authenticate_user:191 authenticate user: [u0test]
2022-09-21 13:45:28 [354:root:5c]sslvpn_authenticate_user:205 create fam state
2022-09-21 13:45:28 [2317] handle_req-Rcvd chal rsp for req 595406404
2022-09-21 13:45:28 [1807] fnbamd_ldap_resume-DC1:PDC1.Dom.com, addr 192.168.xxx.xx3
2022-09-21 13:45:28 [1807] fnbamd_ldap_resume-DC2:BDC1.Dom.com, addr (null)
2022-09-21 13:45:28 [985] __ldap_rxtx-state 19(Change password)
2022-09-21 13:45:28 [1083] fnbamd_ldap_send-sending 116 bytes to 192.168.xxx.xx3
2022-09-21 13:45:28 [1096] fnbamd_ldap_send-Request is sent. ID 5
2022-09-21 13:45:28 [985] __ldap_rxtx-state 20(Change password resp)
2022-09-21 13:45:28 [1127] __fnbamd_ldap_read-Read 8
2022-09-21 13:45:28 [1233] fnbamd_ldap_recv-Leftover 2
2022-09-21 13:45:28 [1127] __fnbamd_ldap_read-Read 92
2022-09-21 13:45:28 [1306] fnbamd_ldap_recv-Response len: 94, svr: 192.168.xxx.xx3
2022-09-21 13:45:28 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:modify
2022-09-21 13:45:28 [1009] fnbamd_ldap_parse_response-Error 50(00000005: SecErr: DSID-031A11ED, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
)
2022-09-21 13:45:28 [1023] fnbamd_ldap_parse_response-ret=50
2022-09-21 13:45:28 [785] __ldap_done-svr 'DC1'
2022-09-21 13:45:28 [755] __ldap_destroy-
2022-09-21 13:45:28 [724] __ldap_stop-Conn with 192.168.xxx.xx3 destroyed.
2022-09-21 13:45:28 [209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 595406404, len=2148
2022-09-21 13:45:28 [800] destroy_auth_session-delete session 595406404
2022-09-21 13:45:28 [755] __ldap_destroy-
2022-09-21 13:45:28 2022-09-21 13:45:28 [755] __ldap_destroy-
fam_auth_proc_resp:1359 fnbam_auth_update_result return: 1 (invalue username/password)
2022-09-21 13:45:28 [1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC1' ctx
2022-09-21 13:45:28 2022-09-21 13:45:28 [1764] fnbamd_ldap_auth_ctx_free-Freeing 'DC2' ctx
[fam_auth_proc_resp:1458] Authenticated groups (1) by FNBAM with auth_type (16):
2022-09-21 13:45:28 [354:root:5c]Received: auth_rsp_data.grp_list[0] = 1780691056 
2022-09-21 13:45:28 [354:root:5c]login_failed:393 user[u0test],auth_type=16 failed [sslvpn_login_permission_denied]
2022-09-21 13:45:28 [354:root:0]dump_one_blocklist:94 status=1;host=xx.xxx.xxx.xx;fails=1;logintime=1663760728
2022-09-21 13:45:28 [354:root:5c]req: /remote/login?realm=wenzel&err=sslvpn_lo
2022-09-21 13:45:28 [354:root:5c]rmt_web_auth_info_parser_common:504 no session id in auth info
2022-09-21 13:45:28 [354:root:5c]rmt_web_get_access_cache:852 invalid cache, ret=4103
2022-09-21 13:45:28 [354:root:5c]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
2022-09-21 13:45:28 [354:root:5c]get_cust_page:123 saml_info 0
2022-09-21 13:45:28 [354:root:5c]req: /styles.css
2022-09-21 13:45:28 [354:root:5c]mza: 0x3140520 /styles.css
2022-09-21 13:45:28 [354:root:5c]2022-09-21 13:45:28 [344:root:5d]allocSSLConn:306 sconn 0x7f66640aef00 (0:root


greetings from DE


bpozdena_FTNT

It does not seem like a FortiGate issue. The password change request was rejected by your domain controller due to insufficient permissions.

2022-09-21 13:45:28 [1009] fnbamd_ldap_parse_response-Error 50(00000005: SecErr: DSID-031A11ED, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
)

You should ensure your LDAP bind account (set username .....) has sufficient permissions to change user passwords. You can test with a domain admin account to be sure.

Check the MS documentation on what permissions are needed if you do not wish to use a domain admin account.

HTH,
Boris
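Markus's debug procedure produces the fnbamd trace, and Boris's diagnosis rests on two lines in it: the user bind failing with LDAP result 49 and AD sub-code `data 773` (password must be changed, which is what triggers the renewal prompt), and the later `modify` failing with result 50 (INSUFF_ACCESS_RIGHTS, the DC refusing the password write done under the admin bind). The following is an added example, not code from the thread or from Fortinet: a small classifier that scans `diag debug app fnbamd -1` output for `fnbamd_ldap_parse_response-Error` lines, pairs each with the preceding `Got one MESSAGE ... type:` line, and translates the LDAP result code and the AD `data` sub-code into the password-policy state. The two error lines in the sample are copied from the posted (masked) trace; the third is constructed to show a different sub-code. The code-to-meaning tables are standard RFC 4511 / Active Directory values, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# LDAP resultCode values (RFC 4511) relevant to the SSL-VPN password-renewal flow.
LDAP_RESULT = {
    0: "success",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Active Directory sub-codes carried in the 'data NNN' field of a bind failure
# (AcceptSecurityContext error). Printed by AD in hex, as in the trace above.
AD_BIND_SUBCODE = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password (expired, or 'must change at next logon')",
    "775": "account locked out",
}

ERR_RE = re.compile(r"fnbamd_ldap_parse_response-Error (\d+)\((.*)")
DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")
MSG_RE = re.compile(r"Got one MESSAGE\. ID:(\d+), type:(\S+)")


@dataclass
class LdapFailure:
    result_code: int
    result_name: str
    op_type: Optional[str]   # LDAP operation the error answered: bind, search-entry, modify, ...
    ad_subcode: Optional[str]
    meaning: str


def classify(lines) -> List[LdapFailure]:
    """Walk fnbamd debug output and explain every LDAP error response in it."""
    failures: List[LdapFailure] = []
    last_type = None
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            # fnbamd logs the message type one line before the error detail.
            last_type = m.group(2)
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        code, detail = int(m.group(1)), m.group(2)
        sub = None
        if code == 49:
            d = DATA_RE.search(detail)
            sub = d.group(1).lower() if d else None
            meaning = AD_BIND_SUBCODE.get(sub, "bind rejected, unknown AD sub-code")
            if last_type == "bind" and sub == "773":
                meaning += "; with password-renewal enabled the FortiGate prompts for a new password here"
        elif code == 50:
            meaning = ("DC refused the operation; on a 'modify' of the user entry the account "
                       "that performed the bind lacks the right to write the password attribute "
                       "on that user object (the Reset Password control-access right in AD)")
        else:
            meaning = LDAP_RESULT.get(code, "see RFC 4511 result codes")
        failures.append(LdapFailure(code, LDAP_RESULT.get(code, "unknown"), last_type, sub, meaning))
    return failures


# Sample trace: first two error lines (with their preceding MESSAGE lines) are copied
# from the masked debug output posted in this thread; the third pair is constructed.
SAMPLE = [
    "2022-09-21 13:45:18 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind",
    "2022-09-21 13:45:18 [1009] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 773, v3839)",
    "2022-09-21 13:45:18 [1719] fnband_ldap_run_password_policy_sm-Prompt user to renew expired password.",
    "2022-09-21 13:45:28 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:5, type:modify",
    "2022-09-21 13:45:28 [1009] fnbamd_ldap_parse_response-Error 50(00000005: SecErr: DSID-031A11ED, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0",
    # constructed: a locked-out account failing the user bind
    "2022-09-21 13:46:01 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind",
    "2022-09-21 13:46:01 [1009] fnbamd_ldap_parse_response-Error 49(80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 775, v3839)",
]

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"LDAP {f.result_code} ({f.result_name}) on {f.op_type}: {f.meaning}")
```

Feed it the captured console output (`classify(open("fnbamd.log").read().splitlines())`) after the user reproduces the problem. A trace that shows `49/773` on the user bind followed by `50` on the `modify` is exactly the pattern in this thread: the FortiGate side is working, and the fix is on the directory side, in the rights granted to the bind account on the user objects.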
TBC

Many thanks!

I have checked that, and with admin rights it is possible.

Then I checked this one here:

Configuring least privileges for the LDAP admin account, but that one is not working.

You chose to delegate control of objects
in the following Active Directory folder:

    Dom.com/XX/YYY/User

The groups, users, or computers to which you
have given control are:

    Fortiweb FU. User (xxx@Dom.com)

They have the following permissions:

    Change password
    Reset password
    Read lockoutTime
    Write lockoutTime
    Read pwdLastSet
    Write pwdLastSet
    Read userAccountControl
    Write userAccountControl

Using an admin account to solve the problem is not the best option.

Is there any other way?

Thank you for helping
