The FortiGate looks at the certificate subject alternative name (SAN) field to identify the machine/computer name. If the wrong SAN attribute is used, the FortiGate returns an empty string in the following debug output:
 __cert_ldap_query-UPN = ''
Subsequently, the LDAP search filter is empty, and the LDAP lookup fails:
 fnbamd_ldap_init-search filter is: (&(userPrincipalName=)(!(UserAccountControl:1.2.840.1135220.127.116.113:=2)))
Review the correct setting to configure on the FortiGate (set account-key-upn-san <option>) and the SAN field to use on the certificate in the FortiGate authentication configuration.
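The following added example (not Fortinet's code) models what the debug output above shows: the account key is taken from the SAN entry type that the account-key-upn-san setting selects, and only then placed into the userPrincipalName search filter. It assumes the option values othername, rfc822name and dnsname, a constructed SAN extension, and a check that refuses an empty key rather than sending a filter that can never match.

```python
# Added example (not Fortinet's code): how the account key comes from the SAN
# and becomes the LDAP search filter, and why the wrong SAN type yields ''.

# Microsoft UPN otherName type-id (szOID_NT_PRINCIPAL_NAME)
UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"
# Active Directory bitwise-AND matching rule used to test UserAccountControl bits
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 2  # UserAccountControl bit for a disabled account

# Constructed SAN extension as a decoder would present it: (general-name type, value).
SAMPLE_SAN = [
    ("rfc822Name", "jdoe@mail.corp.example"),
    ("dNSName", "laptop-42.corp.example"),
    ("otherName", (UPN_OTHERNAME_OID, "jdoe@corp.example")),
]

def account_key_from_san(san, upn_san: str) -> str:
    """Pick the account key the way account-key-upn-san selects a SAN type.
    upn_san is 'othername', 'rfc822name' or 'dnsname' (assumed option values).
    Returns '' when no matching entry exists, the failure mode in the debug output."""
    wanted = {"othername": "otherName", "rfc822name": "rfc822Name",
              "dnsname": "dNSName"}[upn_san]
    for kind, value in san:
        if kind != wanted:
            continue
        if kind == "otherName":
            oid, upn = value
            if oid == UPN_OTHERNAME_OID:  # only the UPN otherName counts
                return upn
        else:
            return value
    return ""

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a SAN value cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def build_search_filter(upn: str) -> str:
    """Build the userPrincipalName filter seen in the fnbamd debug output.
    An empty key is rejected up front instead of producing (userPrincipalName=)."""
    if not upn:
        raise ValueError("empty UPN from SAN: check account-key-upn-san "
                         "against the certificate's SAN entries")
    return (f"(&(userPrincipalName={ldap_escape(upn)})"
            f"(!(UserAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))")
```

With the sample SAN, selecting othername yields the UPN and a usable filter, while a certificate whose SAN lacks the selected type yields '' and the lookup is refused before reaching the directory.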