Force FortiAuthenticator to use another login to connect to AD

Author: AlexHelloworld
Posted: 2019/10/17 23:54:10

I have installed a new FortiAuthenticator 6.0.3, just finished the basic network configuration and got access to the GUI. So as a first step I configured a remote LDAP server to connect to the AD with a certain login and password. But in the logs I got errors - "Failed to join Windows AD network: MYDOMAIN" - and the login there is "Admin". Why is it trying to connect to the remote LDAP as Admin if I explicitly specified a specific username and password that is not Admin?

I have set up the password in: Authentication -> Remote Auth Servers -> LDAP -> My Server -> Windows Active Directory Domain Authentication
I have set the domain name, domain realm and domain NetBIOS name for the host, so that is where I set up a login and password to connect to AD.
#1

    emnoc
    Re: Force FortiAuthenticator to use another login to connect to AD 2019/10/18 01:25:32
    Do you have the machine joined to the domain? Can you go to Monitor > Authentication and check that it's joined to the Windows AD? The screen block should show joined. The cfg you posted is for that part of the authenticator.

    PCNSE 
    NSE 
    StrongSwan  
    #2
    xsilver
    Re: Force FortiAuthenticator to use another login to connect to AD 2019/12/13 07:54:39
    For LDAP to work you do not need to have "Windows Active Directory Domain Authentication" set. That's very useful for Kerberos auth used for EAP types of authentication, for example in 802.1X and WiFi clients.
     
    Another issue is that the setting is not correct.
    - Kerberos Realm is usually the domain, like the whole domain name .. like ALFA.EXAMPLE.COM
    - Domain NetBIOS name is also UPPERCASE and case sensitive .. in my example it would be ALFA
    - then the admin name is just 'username', no UPN, which seems to be OK in your case; just make sure that such admin is at least a member of the Domain Join allowed group, better Domain Admins or Administrators.
    Then it should work.

    Kind Regards,
    Tomas
    #3
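As an added illustration (not code from this thread, from Fortinet, or from either poster), here is a small Python check that derives the expected realm and NetBIOS name from the AD DNS domain and flags the mistakes Tomas lists: a Kerberos realm that is not the whole domain in UPPERCASE, a NetBIOS name that is not UPPERCASE, and an admin name given as a UPN or DOMAIN\user instead of a plain username. The field names and sample values are constructed for the example; treating the first DNS label as the NetBIOS name is an assumption, so a mismatch there is reported as a warning to confirm rather than an error.

```python
# Added example: sanity-check "Windows Active Directory Domain Authentication"
# fields before retrying the domain join. Field names are constructed.

def expected_ad_fields(dns_domain: str) -> dict:
    """Derive the realm and (assumed) NetBIOS name from the AD DNS domain."""
    labels = dns_domain.strip().strip(".").lower().split(".")
    return {
        "kerberos_realm": ".".join(labels).upper(),  # whole domain, UPPERCASE
        "netbios_name": labels[0].upper(),           # first label, UPPERCASE (assumption)
    }


def check_ad_join_settings(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means the fields look right."""
    findings = []
    exp = expected_ad_fields(settings["dns_domain"])

    realm = settings.get("kerberos_realm", "")
    if realm != exp["kerberos_realm"]:
        findings.append(f"error: kerberos_realm should be {exp['kerberos_realm']!r}, got {realm!r}")

    netbios = settings.get("netbios_name", "")
    if not netbios or "." in netbios or netbios != netbios.upper():
        findings.append(f"error: netbios_name must be the short domain name in UPPERCASE, got {netbios!r}")
    elif netbios != exp["netbios_name"]:
        findings.append(f"warning: netbios_name {netbios!r} differs from first DNS label "
                        f"{exp['netbios_name']!r}; confirm it is the domain's real NetBIOS name")

    admin = settings.get("admin_username", "")
    if "@" in admin or "\\" in admin:
        findings.append(f"error: admin_username must be a plain username (no UPN or DOMAIN\\user), got {admin!r}")

    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the mistakes discussed in the thread.
    sample = {
        "dns_domain": "alfa.example.com",
        "kerberos_realm": "alfa",                     # should be ALFA.EXAMPLE.COM
        "netbios_name": "alfa",                       # should be ALFA
        "admin_username": "svc_join@alfa.example.com",  # should be svc_join
    }
    for line in check_ad_join_settings(sample) or ["ok: settings look consistent"]:
        print(line)
```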