Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pollognr91
New Contributor

Created on ‎09-27-2023 09:13 AM

forticlient password expires early on some AD users

Dear peope, please cooperate in this problem. You already have AD and fortigate LDAP configured correctly, but it happens to me only with a few random users that when they change the password, it expires sooner in the forticlient VPN, throwing error -7200, therefore the password must be re-entered without change option in AD and it works again. It is tested with a VPN account without LDAP and it connects, ruling out a VPN problem.

Does anyone know why this happens and how it can be solved. The configuration works correctly for everything else, but it only happens to me with 3 or 4 users at random.

Labels:
1162
0 Kudos
2 REPLIES 2
Markus_M
Staff
Staff

Created on ‎09-27-2023 09:20 AM

Hi,

 

That is an interesting description. Note however that the FortiClient or FortiGate do not have influence on the password. It isn't stored and as such cannot expire; this is AD controlled and they might have some GPO valid for them that dictates a lower validity timer for the password.

Any authentication will always be fully tried against the FGT (from FortiClient viewpoint) and to LDAP (from FortiGate viewpoint). A response from LDAP about an expired password will then be plainly forwarded back the chain to the endpoint.

 

Alternatively it could be a misinterpretation, such that the error is not with an expired password but another error. -7200 is generic.

Debug on FortiGate can always help:

diag debug console timestamp enable

diag debug app fnbamd -1

diag debug app sslvpn -1

diag debug enable

 

 

Best regards,

 

Markus

1154
This-is-Vaclav
New Contributor

Created on ‎07-03-2024 01:19 AM

Hello, I have the same experience with AD accounts in our organization. Typically, a month before the password expires, logging in with FortiVPN stops working. It is something between 30 to 32 days. The domain has the original Microsoft settings for passwords without any GPO modifications. This happens to most users including users with the password never expires option.

603
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.