- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: saml Azure AD - ssl-vpn - forticlient time out
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
saml Azure AD - ssl-vpn - forticlient time out
Hello,
I have configured our Fortigate to authenticate our ssl-vpn users with Azure AD. I've configured the enterprise app within Azure AD and configured the SAML user within the Fortigate.
I have no issues when I login the web-mode.
However when I try to connect with the Forticlient I receive a blank sceen after passing the authentication. After a while I receive the following error "Login page did not respond within time limit." The second time i press SAML Authentication the forticlient connects within seconds.
I reckon one of the URL's might be different for tunnel-mode / web-mode. Did anyone manage to find a solution for this issue?
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct. Just Azure-AD no other. Azure-ad is an Identity provider. Just make sure your fortigate has his firmware above 6.4.X.
I've written a blog post about it:
Ivo-Security - Fortigate and Azure AD: Safe remote access (ivo-security.blog)
I've also written a blog about the Azure-AD Dynamic Groups in combination with Fortigate:
Ivo-Security - Fortigate policy’s based on Azure Dynamic Groups (ivo-security.blog)
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've got the same issue and Fortinet seems to think it is Microsoft not responding. I don't think so, because the logs on microsoft's side shows where response is sent. I think Fortinet has some work to do on their end.
I also get hit/miss activity when Azure users try to authenticate after doing MFA. Of course, Fortinet points the finger at Microsoft, but Microsoft has shown proof of response. I'm thinking the Forticlient needs to be fixed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I forgot to mention that I resolved the issue.
I changed the following setting on the Fortigate:
config system global set remoteauthtimeout 60 end
After that i could connect with the Forticlient
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can get fortigate to use AzureAD (not AzureAD Domain Services) as auth provider with just Fortigate on-premise? No FortiAuthentor or EMS or ....
?
?
Does this just come as part of setting up SD-WAN to Azure?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct. Just Azure-AD no other. Azure-ad is an Identity provider. Just make sure your fortigate has his firmware above 6.4.X.
I've written a blog post about it:
Ivo-Security - Fortigate and Azure AD: Safe remote access (ivo-security.blog)
I've also written a blog about the Azure-AD Dynamic Groups in combination with Fortigate:
Ivo-Security - Fortigate policy’s based on Azure Dynamic Groups (ivo-security.blog)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WOOT!! I know what blog I will be reading (and what lab I will be setting up for testing) next week!!!
(Last time I looked at this it seemed to require LDAP which only was available through domain services or assumed a local domain controller with Azure AD connect or ADFS or something else keeping local Domain <-> AzureAD synced)
Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NeilG wrote:Let me know if you need some help!WOOT!! I know what blog I will be reading (and what lab I will be setting up for testing) next week!!!
(Last time I looked at this it seemed to require LDAP which only was available through domain services or assumed a local domain controller with Azure AD connect or ADFS or something else keeping local Domain <-> AzureAD synced)
Thanks!
Goodluck!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi AvK,
I have the same setup with Azure AD for SAML. Everything is working correctly with the exception of the first connection of the day where it stucks at 98%. Have you see this issue before? Fortinet Support asked me to give them some diagnostic out put but that will take awhile (first attempt this morning but forgot to toggle putty to output them all and missed the capture :))
If I left it there for about 10 minutes, then it will connect. Or if I disconnect and reconnect, then it will finish the connection.
Support think that it may cause by Azure AD cause when i shutdown my laptop, i didn't hit disconnect on the VPN and it may hold the session with Azure AD (doesn't make sense here).
let me known what you thought on this. Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cnguyen@mygenesisbank.com wrote:Hi AvK,
I have the same setup with Azure AD for SAML. Everything is working correctly with the exception of the first connection of the day where it stucks at 98%. Have you see this issue before? Fortinet Support asked me to give them some diagnostic out put but that will take awhile (first attempt this morning but forgot to toggle putty to output them all and missed the capture :))
If I left it there for about 10 minutes, then it will connect. Or if I disconnect and reconnect, then it will finish the connection.
Support think that it may cause by Azure AD cause when i shutdown my laptop, i didn't hit disconnect on the VPN and it may hold the session with Azure AD (doesn't make sense here).
let me known what you thought on this. Thanks.
It sounds familiar. I reckon you don't have the same issue on the web mode. The stuck on 98% is only happening when you use tunnel mode vpn?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to setup ADFS as SAML IdP to use FortiGate SSl VPN and see similar timeout problem as this thread. can anyone please help give me some comments about how to resolve it?
All the settings in my environment shall be done and I can complete the auth process on ADFS web page. But after the auth, the page stuck.
I checked the logs from CLI and see the log as below:
[237:root:b]SSL state:before SSL initialization (xxx.xxx.xxx.xxx) [237:root:b]SSL state:before SSL initialization (xxx.xxx.xxx.xxx) [237:root:b]got SNI server name: vpn.xxx.com realm (null) [237:root:b]client cert requirement: no [237:root:b]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [237:root:b]got SNI server name: vpn.xxx.com realm (null) [237:root:b]client cert requirement: no [237:root:b]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [237:root:b]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [237:root:b]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [237:root:b]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 [237:root:b]req: /remote/info [237:root:b]capability flags: 0xdf [231:root:c]allocSSLConn:297 sconn 0x7f74cdfe00 (0:root) [232:root:c]allocSSLConn:297 sconn 0x7f74cdfe00 (0:root) [231:root:c]SSL state:before SSL initialization (xxx.xxx.xxx.xxx) [231:root:c]SSL state:before SSL initialization (xxx.xxx.xxx.xxx) [232:root:c][231:root:c]got SNI server name: vpn.xxx.com realm (null) SSL state:before SSL initialization (xxx.xxx.xxx.xxx) client cert requirement: no [231:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [232:root:c][231:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) got SNI server name: vpn.xxx.com realm (null) [231:root:c]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c][231:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) client cert requirement: no [232:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS write change cipher spec (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [231:root:c]got SNI server name: vpn.xxx.com realm (null) [231:root:c]client cert requirement: no [231:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c]got SNI server name: vpn.xxx.com realm (null) [232:root:c]client cert requirement: no [232:root:c]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 write encrypted extensions (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx) [231:root:c][232:root:c]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx) SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 write server certificate verify (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS write finished (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c]SSL state:TLSv1.3 early data:system lib(xxx.xxx.xxx.xxx) [231:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [231:root:c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 [231:root:c]req: /remote/saml/start?redirect=1 [231:root:c]rmt_web_auth_info_parser_common:468 no session id in auth info [231:root:c]rmt_web_get_access_cache:820 invalid cache, ret=4103 [231:root:c]fsv_rmt_saml_start_cb:227 FCT redirects to external browser. [231:root:c]sslvpn_auth_check_usrgroup:2635 forming user/group list from policy. [232:root:c]SSL state:TLSv1.3 early data (xxx.xxx.xxx.xxx) [232:root:c]SSL state:SSLv3/TLS read finished (xxx.xxx.xxx.xxx) [231:root:c]sslvpn_auth_check_usrgroup:2673 got user (1) group (1:0). [231:root:c]sslvpn_validate_user_group_list:1825 validating with SSL VPN authentication rules (1), realm ((null)). [231:root:c]sslvpn_validate_user_group_list:1906 checking rule 1 cipher. [231:root:c]SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [231:root:c]sslvpn_validate_user_group_list:1925 checking rule 1 source intf. [231:root:c]sslvpn_validate_user_group_list:1964 checking rule 1 vd source intf. [231:root:c]sslvpn_validate_user_group_list:2210 rule 1 done, got user (1:0) group (1:0) peer group (0). [231:root:c]sslvpn_validate_user_group_list:2538 got user (1:0), group (1:0) peer group (0). [231:root:c]sslvpn_update_user_group_list:1771 got user (1:0), group (1:0), peer group (0) after update. [232:root:c][231:root:c][fsv_found_saml_server_name_from_auth_lst:121] Found SAML server [adfs] in group [saml_sslvpn] SSL state:SSLv3/TLS write session ticket (xxx.xxx.xxx.xxx) [232:root:c]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 [231:root:c]req: /remote/saml/login/ [237:root:b]Timeout for connection 0x7f74cdfe00.
[237:root:b]Destroy sconn 0x7f74cdfe00, connSize=0. (root) [232:root:c]Timeout for connection 0x7f74cdfe00.
[232:root:c]Destroy sconn 0x7f74cdfe00, connSize=0. (root)
Related Posts
- FortiEMS / FortiClient / Azure 97 Views
- FortiGate SSL / Integration with Azure... 95 Views
- User Getting The server you want... 209 Views
- FortiClient Azure SSO VPN issues 106 Views
- FortiClient 7.2 - will not connect... 656 Views
Labels
-
FortiGate
6,498 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
NAT
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.