Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

FortiClient password expires early on some AD users

Dear people, please cooperate on this problem. I already have AD and FortiGate LDAP configured correctly, but it happens to me only with a few random users that when they change the password, it expires sooner in the FortiClient VPN, throwing error -7200; therefore the password must be re-entered without the change option in AD and it works again. It is tested with a VPN account without LDAP and it connects, ruling out a VPN problem.

Does anyone know why this happens and how it can be solved? The configuration works correctly for everything else, but it only happens to me with 3 or 4 users at random.




That is an interesting description. Note however that the FortiClient or FortiGate do not have influence on the password. It isn't stored and as such cannot expire; this is AD controlled and they might have some GPO valid for them that dictates a lower validity timer for the password.

Any authentication will always be fully tried against the FGT (from FortiClient viewpoint) and to LDAP (from FortiGate viewpoint). A response from LDAP about an expired password will then be plainly forwarded back the chain to the endpoint.


Alternatively it could be a misinterpretation, such that the error is not with an expired password but another error. -7200 is generic.

Debug on FortiGate can always help:

diag debug console timestamp enable
diag debug app fnbamd -1
diag debug app sslvpn -1
diag debug enable



Best regards,
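The reply's point is that the expiry is decided by AD, not by the FortiGate: a fine-grained password policy (PSO) applied to a few users overrides the domain's maxPwdAge. The following is an added example, not code from this thread, that computes a user's effective expiry from the attributes you would read out of AD (pwdLastSet, userAccountControl, and msDS-MaximumPasswordAge of the PSO named in msDS-ResultantPSO, or the domain root's maxPwdAge when no PSO applies); all attribute values below are constructed, and the LDAP query itself is assumed to have been done beforehand.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES = -0x8000000000000000   # maxPwdAge value meaning "password never expires"
UF_DONT_EXPIRE_PASSWD = 0x10000       # userAccountControl bit
SAMPLE_NOW = datetime(2024, 2, 15, tzinfo=timezone.utc)   # constructed "now" for the demo

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def filetime_to_datetime(filetime):
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def days_to_interval(days):
    """Build an AD age interval: a negative count of 100 ns ticks, as maxPwdAge stores it."""
    return -days * 86400 * TICKS_PER_SECOND

def password_expiry(pwd_last_set, max_pwd_age, user_account_control, now=None):
    """Return (expires_at, state) for one account.

    pwd_last_set         - the user's pwdLastSet (0 = must change at next logon)
    max_pwd_age          - the limit that applies to this user: msDS-MaximumPasswordAge of
                           the PSO in msDS-ResultantPSO, else maxPwdAge of the domain root
    user_account_control - the user's userAccountControl bit field
    """
    now = now or datetime.now(timezone.utc)
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None, "never (DONT_EXPIRE_PASSWD set on the account)"
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None, "never (policy)"
    if pwd_last_set == 0:
        return None, "must change at next logon"
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    return expires_at, ("expired" if expires_at <= now else "valid")

def demo():
    """Constructed sample: same pwdLastSet, domain policy (90 days) vs. a PSO (30 days)."""
    pwd_last_set = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
    normal_user = 0x200                    # NORMAL_ACCOUNT, password allowed to expire
    results = {}
    for label, age in (("domain maxPwdAge 90d", days_to_interval(90)),
                       ("PSO msDS-MaximumPasswordAge 30d", days_to_interval(30))):
        expires_at, state = password_expiry(pwd_last_set, age, normal_user, now=SAMPLE_NOW)
        results[label] = (expires_at.isoformat(), state)
    return results
```

A user whose msDS-ResultantPSO points at a 30-day PSO shows up as expired while the same pwdLastSet is still valid under the 90-day domain default, which is the pattern the original post describes.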


