Support Forum
JFKurz
New Contributor II

LDAP connection from Fortinet to Microsoft AD

We have a problem with our LDAP connection from FortiGate to Microsoft AD.
The connection was successful; authentication against AD is still working.
But on our DCs we have many log entries (Microsoft Security Auditing) saying that connections from the Forti were rejected.

Did anyone have the same problem?

Debbie_FTNT
Staff

Hey JFKurz,

some background would be useful, such as:

- what firmware version is your FortiGate?

- what is the exact error message you see in Win AD?

- do you also use FSSO in addition to LDAP?

-> if yes, are you certain the error is caused by the LDAP connection, not the FSSO connection?

- do you have failed user logins in FortiGate User Event logs?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
JFKurz
New Contributor II

Hey Debbie_FTNT,

thanks for your response.

- v7.0.3
- Event ID 4625 (Unknown Username or Password) against domain SAMBA.
- No, we aren't using FSSO.
- I couldn't find any failed login report, but I've found many log entries from FSSO-polling-ldap-Server, which confuses me a little bit, because I can't remember that we're using FSSO. The User & Authentication / Single Sign-On tab is empty ...

JFKurz
New Contributor II

Never mind ... we have configured AD Connectors ...

I've found the problem. Thread can be closed ...

cabby
New Contributor

Hi JFKurz,

we have similar problems (just in the past few days). How did you solve the issue?

Thanks for answering

Debbie_FTNT

Hey cabby,

- same questions as above, would be helpful to know the following:

- what firmware version is your FortiGate?

- what is the exact error message you see in Win AD?

- do you also use FSSO in addition to LDAP?

-> if yes, are you certain the error is caused by the LDAP connection, not the FSSO connection?

- do you have failed user logins in FortiGate User Event logs?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
cabby

Hi,

FG-60F is on 7.0.5. FSSO is not enabled, and no, we don't have failed user logons in the User event log. The error in the Windows security log is event ID 4625, wrong username or password.

I was able to narrow down the issue, which is essentially caused by failed logon attempts to SSL VPN. We have lots of failed logon attempts; it seems to be a brute-force attack. The problem is: each time the attacker tries a username that exists in the Active Directory in the scope of the selected DN, there is a failed logon in the Active Directory. That's absolutely expected for users that are allowed to log on to SSL VPN, but this also happens with users that are not allowed to use SSL VPN. For example: we create an AD group ssl-users that has a couple of members. This group is added to a FortiGate group SSLVPN, which is then used to allow SSL VPN. No other AD users are configured or used on the FortiGate. The Domain Administrator is NOT a member of the ssl-users group. Now somebody is trying to log on to the SSL VPN with wrong administrator credentials and a failed logon attempt is logged. And after an hour the account is locked in my AD.

tamkamwai

Hi Debbie,

I have the same issue.

- Firmware v6.4.9 build1966(GA)

- An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: pcihl\ldaplookup
Account Domain: SAMBA

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

- I haven't configured FSSO, but there are many FSSO event messages in the event log.

[attachment: Fortigate_20221005.PNG]
Debbie_FTNT

Hey tamkamwai,

it looks a bit like FortiGate is trying to connect to AD, based on the log messages.

It's not called FSSO in the external connectors (though that is essentially what FortiGate is trying to accomplish). Do you have an External Connector set up to poll Active Directory (not FSSO Agent on Windows AD)?

If you have that polling connector set up, FortiGate would try to connect to the specified domain controller to read the event log, and would turn the login events it reads into FSSO logins by itself (without any of the agents usually involved in FSSO setup).

Depending on FortiGate firmware version, your AD setup, and patch status, there could be a mismatch due to some Microsoft updates or the username format.

You could try the following:

- change the username format in the external connector (strip off the domain part, or switch to UPN format)

- make sure your DC is patched, and FortiGate is in a new-ish version (6.4.5 at least, if I remember correctly)

If you don't actually want the FortiGate to poll the event logs on the domain controller, just delete the External Connector entry.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
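Added example, not from this thread or from Fortinet: a small Python checker over constructed 4625 event bodies in the text layout tamkamwai quoted. It classifies the Sub Status codes and counts bad-password failures per account, so a DC admin can see which accounts the relayed SSL VPN guesses cabby describes are being pushed toward lockout, and it flags the DOMAIN\user-plus-unknown-user pattern that Debbie_FTNT's username-format suggestion addresses. The sub-status meanings are Microsoft's NTSTATUS values; the sample events, the threshold and the DOMAIN\user heuristic are assumptions made here.

```python
import re
from collections import Counter

# NTSTATUS sub-status values Windows writes into event 4625 (Microsoft-defined).
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "correct user name, bad password",
    "0xC0000234": "account locked out",
}
FIELD_RE = re.compile(r"^\s*(Account Name|Account Domain|Logon Type|Sub Status):\s*(.+?)\s*$", re.M)

def parse_4625(body):
    """Extract the fields we need from one 4625 body in the thread's text layout. dict()
    keeps the last match, so 'Account For Which Logon Failed' wins over the Subject block."""
    fields = dict(FIELD_RE.findall(body))
    code = fields.get("Sub Status", "?")
    if code.lower().startswith("0x"):
        code = "0x" + code[2:].upper()  # normalise hex case for the table lookup
    return {"account": fields.get("Account Name", "-"), "domain": fields.get("Account Domain", "-"),
            "logon_type": fields.get("Logon Type", "?"), "sub_status": code}

def classify(event):
    """Explain one failure; flag the DOMAIN\\user + unknown-user pattern from the thread."""
    reason = SUB_STATUS.get(event["sub_status"], "other failure " + event["sub_status"])
    if event["sub_status"] == "0xC0000064" and "\\" in event["account"]:
        reason += " (name sent as DOMAIN\\user; check the connector's username format)"
    return reason

def lockout_candidates(events, threshold):
    """Accounts whose bad-password count reached the lockout threshold; only 0xC000006A
    raises badPwdCount, guesses against non-existent names never lock anything."""
    bad = Counter(e["account"].lower() for e in events if e["sub_status"] == "0xC000006A")
    return sorted(a for a, n in bad.items() if n >= threshold)

def _ev(name, domain, sub):
    # Constructed 4625 body, laid out like the event quoted in the thread.
    return (f"An account failed to log on.\nSubject:\nAccount Name: -\nAccount Domain: -\n"
            f"Logon Type: 3\nAccount For Which Logon Failed:\nAccount Name: {name}\n"
            f"Account Domain: {domain}\nStatus: 0xC000006D\nSub Status: {sub}")

# Constructed sample, not real log data: one rejected polling-connector bind (the thread's
# ldaplookup case), three guessed Administrator passwords, one unknown user name.
SAMPLE_EVENTS = [_ev(n, "SAMBA", s) for n, s in [
    ("pcihl\\ldaplookup", "0xC0000064"), ("Administrator", "0xC000006A"),
    ("administrator", "0xC000006A"), ("Administrator", "0xC000006A"), ("nosuchuser", "0xC0000064")]]

def report(bodies=SAMPLE_EVENTS, threshold=3):
    events = [parse_4625(b) for b in bodies]
    return {"reasons": [classify(e) for e in events],
            "lockout_candidates": lockout_candidates(events, threshold)}
```

Point `report()` at the bodies exported from the Security log of a DC, with the threshold set to the domain's lockout policy, to see which accounts need attention before they lock.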