Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

VPN SSL with AD password renewal - CA setting question

Hi all,


I have some doubts regarding this topic, so any help will be appreciated. We have an SSL VPN with AD authentication running on a 60E configured with LDAP. This is working fine, but now we have to configure the password renewal setting so that when the Active Directory user password expires, the user can change it by using FortiClient when connecting to the VPN. So, as far as I have been reading, for this to work you need LDAPS, not just LDAP. But for LDAPS you need a certificate, and for the certificate you need a CA. So, I was reading about deploying/configuring the CA role on our AD server ("how to") from the Microsoft site, and then the doubt came to me, since I don't know if there's a particular setting for Fortinet about this or whether the default settings as mentioned here will work:


On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (SHA2), and determine the best key character length for your deployment. Large key character lengths provide optimal security; however, they can impact server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048. Click Next.


Thanks in advance!


Hi Ger,

As per your query, you would need to have LDAPS for the SSLVPN for AD password renewal. The default settings that you have specified would work as well.

Also, I have attached a few links for your reference regarding configuration for a similar scenario. 
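For reference, here is what the LDAP server object described in this thread looks like in the FortiOS CLI once it is switched from plain LDAP to LDAPS with password renewal. This is an added example, not a configuration posted by either participant; the server FQDN, base DN, bind account and the CA certificate name "CA_Cert_1" are placeholders, and it assumes the AD CS root CA certificate has already been imported on the FortiGate and the domain controller holds a server certificate issued by that CA.

```text
config user ldap
    edit "AD-LDAPS"
        # placeholder FQDN; it must match the name in the DC's server certificate
        set server "dc01.example.internal"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=internal"
        set type regular
        # placeholder bind account used for lookups and the password change
        set username "cn=svc-fortigate,cn=Users,dc=example,dc=internal"
        set password "<service-account-password>"
        # LDAPS instead of LDAP; port 636 and the trusted CA imported on the FortiGate
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        # reject the DC if its certificate does not chain to that CA or name does not match
        set server-identity-check enable
        # warn before expiry and allow the change through FortiClient at VPN login
        set password-expiry-warning enable
        set password-renewal enable
    next
end
```

Before enabling this, confirm from a host that can reach the DC that it presents a certificate chaining to the imported CA, for example with `openssl s_client -connect dc01.example.internal:636 -showcerts`; if the chain or the subject name does not match, the identity check above will (correctly) make the bind fail.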

