FortiGate
ychia
Staff
Article Id 277689
Description

This article describes how to fix the LDAP server connection status 'Strong(er) authentication required' (LDAP result code 8, strongAuthRequired) that a FortiGate reports when the Active Directory domain controller enforces LDAP signing.

 

Under User & Authentication -> LDAP Servers, double-click the LDAP server entry; the connection status is shown as below:

 

[Image: ldap-error.png]

 

 

The fnbamd debug output (diagnose debug application fnbamd -1, after diagnose debug enable) shows the bind request being answered by the LDAP server with result code 8 and the Active Directory diagnostic 00002028, which means the domain controller requires LDAP signing:


2023-08-14 16:06:10 [987] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
2023-08-14 16:06:10 [1009] fnbamd_ldap_parse_response-Error 8(00002028: LdapErr: DSID-0C090276, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580) ---> Error sent by LDAP Server
2023-08-14 16:06:10 [1023] fnbamd_ldap_parse_response-ret=8
2023-08-14 16:06:10 [785] __ldap_done-svr 'Forti-LDAP'
2023-08-14 16:06:10 [755] __ldap_destroy-
2023-08-14 16:06:10 [724] __ldap_stop-Conn with 192.168.xxx.xxx destroyed.
2023-08-14 16:06:10 [216] fnbamd_comm_send_result-Sending result 1 (nid 0) for req1885254761, len=2148
2023-08-14 16:06:10 [789] destroy_auth_session-delete session 1885254761
2023-08-14 16:06:10 [755] __ldap_destroy-
authenticate 'it-administrator' against 'Forti-LDAP' failed!

Scope

FortiGate.
Solution

The domain controller rejects the bind because its LDAPServerIntegrity parameter is set to 2 (LDAP signing required), while a FortiGate simple bind over plain LDAP on port 389 is neither signed nor encrypted. One fix is to set LDAPServerIntegrity to 1 on the domain controller so that unsigned binds are accepted again. Note that this relaxes the signing requirement for every LDAP client of that domain controller and leaves the FortiGate bind password in clear text on the wire, so prefer the LDAPS option described further down wherever possible.

 

  1. On the domain controller, open the Registry Editor and locate the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  2. Right-click the LDAPServerIntegrity registry entry, and then select 'Modify'.
  3. Change the Value data from 2 (signing required) to 1 (signing not required, which is the Windows default).
  4. Select 'OK'.

If the value is controlled by the Group Policy setting 'Domain controller: LDAP server signing requirements' (typically in the Default Domain Controllers Policy), Group Policy writes it back at the next refresh; in that case change the policy setting to 'None' instead of editing the registry directly.
[Image: Capture.PNG]

 

If LDAP signing must remain enforced (LDAPServerIntegrity = 2), which is what the Microsoft guidance referenced below recommends, leave the domain controller unchanged and instead enable Secure Connection on the FortiGate LDAP server object with the LDAPS protocol (port 636), selecting the CA certificate that issued the domain controller's server certificate so the FortiGate verifies it. The simple bind then travels inside TLS and the domain controller accepts it:

 

[Image: image.jpg]
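As an added example that is not part of the original article (and not Fortinet's or Microsoft's code), the following PowerShell covers both the registry steps above and the LDAPS alternative: it reads (and can set) LDAPServerIntegrity on the domain controller, then reproduces the FortiGate simple bind from a Windows host, first over plain LDAP on port 389 and then inside TLS on port 636, so the failure can be confirmed as the domain controller's signing policy and the LDAPS path validated before the FortiGate is reconfigured. The server name, bind DN and password prompt are hypothetical placeholders; the registry functions must run on the domain controller itself, while the bind test runs from any Windows host that can reach it.

```powershell
# Added example for this article; not Fortinet's or Microsoft's code.
# Placeholders: dc01.example.com, the bind DN and the password prompt are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapServerIntegrity {
    # Run on the domain controller. 1 = signing not required (Windows default),
    # 2 = signing required: simple binds over plain LDAP are answered with result 8.
    $v = (Get-ItemProperty -Path $NtdsKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    if ($null -eq $v) { $v = 1 }   # absent value means the default (None)
    switch ($v) {
        1       { 'LDAPServerIntegrity=1 (signing not required)' }
        2       { 'LDAPServerIntegrity=2 (signing required; plain-LDAP simple binds are rejected)' }
        default { "LDAPServerIntegrity=$v (unexpected value)" }
    }
}

function Set-LdapServerIntegrity {
    # Same change as the article's registry steps. If the value is managed by the
    # 'Domain controller: LDAP server signing requirements' policy, Group Policy
    # writes it back at the next refresh; change the policy instead.
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Value)
    Set-ItemProperty -Path $NtdsKey -Name LDAPServerIntegrity -Value $Value -Type DWord
}

function Test-LdapBind {
    # Simple bind (AuthType Basic), which is what the FortiGate sends, either on
    # plain LDAP/389 or wrapped in TLS on LDAPS/636.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$BindDn,
        [Parameter(Mandatory)][string]$Password,
        [switch]$Ldaps,
        [switch]$SkipCertCheck   # lab only; the FortiGate should verify the DC certificate via its CA
    )
    $port = if ($Ldaps) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Ldaps) {
        $conn.SessionOptions.SecureSocketLayer = $true
        if ($SkipCertCheck) { $conn.SessionOptions.VerifyServerCertificate = { param($c, $cert) $true } }
    }
    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($BindDn, $Password)))
        return "port ${port}: bind OK"
    } catch {
        # PowerShell wraps .NET exceptions; dig out the LdapException.
        $e = $_.Exception
        while ($e -and -not ($e -is [System.DirectoryServices.Protocols.LdapException])) { $e = $e.InnerException }
        if (-not $e) { throw }
        if ($e.ErrorCode -eq 8 -or $e.ServerErrorMessage -like '*00002028*') {
            # Same condition the FortiGate logs as 'Error 8(00002028: ...)'
            return "port ${port}: result 8 strongAuthRequired, DC requires LDAP signing ($($e.ServerErrorMessage))"
        }
        return "port ${port}: LDAP error $($e.ErrorCode): $($e.Message)"
    } finally {
        $conn.Dispose()
    }
}

# Constructed placeholder values; replace with the FortiGate's LDAP server settings.
$dc     = 'dc01.example.com'
$bindDn = 'CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com'
$pw     = [System.Net.NetworkCredential]::new('', (Read-Host -Prompt 'Bind password' -AsSecureString)).Password

Test-LdapBind -Server $dc -BindDn $bindDn -Password $pw          # plain LDAP, as the FortiGate does today
Test-LdapBind -Server $dc -BindDn $bindDn -Password $pw -Ldaps   # same bind inside TLS
```

If the plain bind comes back with result 8 and the LDAPS bind succeeds, the domain controller is behaving as configured and the FortiGate needs Secure Connection with LDAPS (and the issuing CA certificate imported), not a lowered LDAPServerIntegrity. Only run Set-LdapServerIntegrity 1 when the weaker setting has been accepted for every LDAP client of that domain controller.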

 

Related documents:

 

Microsoft:

https://support.microsoft.com/en-au/topic/2020-and-2023-ldap-channel-binding-and-ldap-signing-requir...

 

How to create LDAPs:

Technical Tip: Configuring LDAP over SSL (LDAPS)