Fortinet Community

pollognr91 · ‎09-27-2023

Dear peope, please cooperate in this problem. You already have AD and fortigate LDAP configured correctly, but it happens to me only with a few random users that when they change the password, it expires sooner in the forticlient VPN, throwing error -7200, therefore the password must be re-entered without change option in AD and it works again. It is tested with a VPN account without LDAP and it connects, ruling out a VPN problem.

Does anyone know why this happens and how it can be solved. The configuration works correctly for everything else, but it only happens to me with 3 or 4 users at random.

Markus_M · ‎09-27-2023

Hi,

That is an interesting description. Note however that the FortiClient or FortiGate do not have influence on the password. It isn't stored and as such cannot expire; this is AD controlled and they might have some GPO valid for them that dictates a lower validity timer for the password.

Any authentication will always be fully tried against the FGT (from FortiClient viewpoint) and to LDAP (from FortiGate viewpoint). A response from LDAP about an expired password will then be plainly forwarded back the chain to the endpoint.

Alternatively it could be a misinterpretation, such that the error is not with an expired password but another error. -7200 is generic.

Debug on FortiGate can always help:

diag debug console timestamp enable

diag debug app fnbamd -1

diag debug app sslvpn -1

diag debug enable

Best regards,

Markus

Fortinet Community

forticlient password expires early on some AD users