Fortinet Support Forum
Jirka1
Contributor III

Unable to log in to VPN if "Allow endpoint registration" is enabled

Hello,

I am trying to implement FortiClient registration via SSL VPN. Here's my standard procedure that I use with other customers:

- purchase FortiClient licenses for version 6.0
- insert FGT licenses (if it is an HA cluster, it is x2)
- enable Endpoint Control
- enable "Allow Endpoint Registration" in SSL settings
- in Security Fabric settings, add the ssl.root interface to FortiTelemetry interfaces
- check cfg sys iface -> edit ssl.root -> set fortiheartbeat enable

Then I connect with FortiClient and it will automatically connect to telemetry on the FGT. Then I can enforce Compliance, etc.

BUT at one customer, if I enable "Allow Endpoint Registration" in SSL Settings, I cannot connect to VPN with accounts that are authenticated from AD using LDAP. An attempt always results in an incorrect username or password error (-12). When I try to connect with a local FGT account, everything is fine. However, the configuration of LDAP is the same for all customers and boxes (of course, different domain, user, password, address, etc.). I cannot explain it and I have no idea where to look for the problem. I compared the SSL and LDAP configurations from several boxes and the mandatory settings are identical.

FortiOS 6.0.6, FCT 6.0.2-6.0.8, 100D, 201E, 81E. The problem is only at the 100D in HA.

Thank you for any advice.

Jirka
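The post describes comparing the SSL and LDAP sections of several boxes by hand. As an added example (not the poster's or Fortinet's code), the script below parses FortiOS-style "config ... end" exports into nested dicts and reports every setting that differs or is present on only one side; the two exports, the LDAP server name and every value in them are constructed for the example.

```python
"""List settings that differ between two FortiOS-style 'config ... end' exports.
Added example, not Fortinet tooling; both sample exports are constructed."""

# Constructed export from a box where LDAP users can log in.
WORKING = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
end
config user ldap
    edit "AD-LDAP"
        set dn "dc=example,dc=local"
        set username "cn=svc-fgt,cn=users,dc=example,dc=local"
    next
end
"""

# Constructed export from the box under investigation: changed DN plus one extra setting.
FAILING = WORKING.replace("dc=example", "dc=corp").replace(
    "    next", "        set secure ldaps\n    next")


def parse_fortios(text):
    """Turn 'config'/'edit' blocks into nested dicts; 'set key value' -> leaves."""
    cur, stack = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(("config ", "edit ")):
            name = line.split(" ", 1)[1].strip('"')
            stack.append(cur)
            cur = cur.setdefault(name, {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            cur[key] = value
        elif line in ("next", "end"):
            cur = stack.pop()
    return cur  # after the final 'end', cur is the root again


def diff_settings(a, b, path=""):
    """Return (path, value_a, value_b) for every leaf that differs or is missing."""
    out = []
    for key in sorted(set(a) | set(b)):
        p = f"{path}/{key}" if path else key
        va, vb = a.get(key), b.get(key)
        if isinstance(va, dict) and isinstance(vb, dict):
            out.extend(diff_settings(va, vb, p))
        elif va != vb:
            out.append((p, va, vb))
    return out


def compare_exports(text_a, text_b):
    return diff_settings(parse_fortios(text_a), parse_fortios(text_b))
```

Sections that match on both sides (here "vpn ssl settings") produce no output, so only the LDAP differences are listed for the sample exports.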