Dear people, please cooperate in this problem. You already have AD and FortiGate LDAP configured correctly, but it happens to me only with a few random users that when they change the password, it expires sooner in the FortiClient VPN, throwing error -7200, therefore the password must be re-entered without the change option in AD and it works again. It is tested with a VPN account without LDAP and it connects, ruling out a VPN problem.
Does anyone know why this happens and how it can be solved? The configuration works correctly for everything else, but it only happens to me with 3 or 4 users at random.
Hi,
That is an interesting description. Note, however, that FortiClient and FortiGate do not have any influence on the password. It isn't stored there and as such cannot expire; this is AD controlled, and those users might have some GPO valid for them that dictates a lower validity timer for the password.
Any authentication will always be fully tried against the FGT (from the FortiClient viewpoint) and against LDAP (from the FortiGate viewpoint). A response from LDAP about an expired password will then be plainly forwarded back along the chain to the endpoint.
Alternatively it could be a misinterpretation, such that the error is not with an expired password but another error. -7200 is generic.
Debug on FortiGate can always help:
diag debug console timestamp enable
diag debug app fnbamd -1
diag debug app sslvpn -1
diag debug enable
Best regards,
Markus
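To tell an AD-side expiry from a VPN-side problem, it helps to recompute when AD itself thinks the password expires. The following is an added example, not code from this thread or from Fortinet: it derives the expiry from a user's pwdLastSet, the maxPwdAge that actually applies to that user (the domain default, or a fine-grained password policy applied to only some accounts) and userAccountControl. All attribute values below are constructed; read the real ones from AD with any LDAP client (the server-computed msDS-UserPasswordExpiryTimeComputed attribute should agree with the result).

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000
DONT_EXPIRE_PASSWORD = 0x10000            # userAccountControl flag
NEVER_EXPIRES = -0x8000000000000000       # maxPwdAge sentinel for "never"

def to_filetime(dt):
    """Aware datetime -> FILETIME integer (integer arithmetic, no float loss)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    """FILETIME integer -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Expiry datetime for one user, or None if the password never expires.
    pwdLastSet == 0 means 'must change at next logon'; returned as FILETIME_EPOCH."""
    if user_account_control & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    # maxPwdAge is stored as a negative tick count, so subtracting it adds the age.
    return from_filetime(pwd_last_set - max_pwd_age)

def check_user(pwd_last_set, max_pwd_age, user_account_control, now):
    """Summarise one user's password state at time `now`."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, user_account_control)
    return {
        "expires": None if expiry is None else expiry.isoformat(),
        "expired": expiry is not None and now >= expiry,
    }

# Constructed sample: the domain default allows 90 days, but a fine-grained
# policy (PSO, hypothetical) applied to a few users allows only 42 days.
# pwdLastSet is the moment the user changed the password; the check runs
# seven weeks later, which is exactly the "expires sooner" symptom.
DOMAIN_MAX_PWD_AGE = -90 * TICKS_PER_DAY
PSO_MAX_PWD_AGE = -42 * TICKS_PER_DAY
SAMPLE_PWD_LAST_SET = to_filetime(datetime(2023, 9, 1, tzinfo=timezone.utc))
SAMPLE_NOW = datetime(2023, 10, 20, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x200                     # userAccountControl NORMAL_ACCOUNT

if __name__ == "__main__":
    for label, age in (("domain default", DOMAIN_MAX_PWD_AGE), ("PSO", PSO_MAX_PWD_AGE)):
        print(label, check_user(SAMPLE_PWD_LAST_SET, age, NORMAL_ACCOUNT, SAMPLE_NOW))
```

If the computed date matches the moment the VPN started failing, the expiry is AD policy and the fnbamd debug will simply show the LDAP result being relayed; if it does not, look at the -7200 error as something other than an expired password.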