
Administration Guide

FortiGate does not pick up UPN from certificate


The FortiGate reads the certificate's subject alternative name (SAN) field to identify the machine/computer name. If the SAN attribute the FortiGate is configured to read does not match the attribute the certificate actually carries, the extracted UPN is an empty string, as this debug output shows:

[448] __cert_ldap_query-UPN = ''

As a result, the userPrincipalName value in the LDAP search filter is empty and the LDAP lookup cannot match any account:

[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Check that the SAN attribute configured on the FortiGate (set account-key-upn-san <option>) matches the SAN field used on the certificate; the available options and the certificate requirements are described in the FortiGate authentication configuration.
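To make this failure easy to spot in a log capture, here is a small Python script (an added example, not part of the Fortinet guide) that parses the two fnbamd debug lines quoted above, flags the empty-UPN condition, and shows what the same search filter looks like once a UPN is actually filled in. The sample debug text is constructed; the filter shape and the UserAccountControl bit-AND clause (matching rule OID 1.2.840.113556.1.4.803, bit 2 = account disabled) are taken from the output on this page, and the RFC 4515 value escaping is standard LDAP, not FortiGate-specific.

```python
import re

# Constructed sample of fnbamd debug output reproducing the failure on this page.
FAILING_DEBUG = """\
[448] __cert_ldap_query-UPN = ''
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
"""

# Constructed sample of what the same two lines look like when the SAN attribute matches.
HEALTHY_DEBUG = """\
[448] __cert_ldap_query-UPN = 'host1$@corp.example'
[1718] fnbamd_ldap_init-search filter is: (&(userPrincipalName=host1$@corp.example)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
"""

UPN_LINE_RE = re.compile(r"__cert_ldap_query-UPN = '(?P<upn>[^']*)'")
FILTER_LINE_RE = re.compile(r"fnbamd_ldap_init-search filter is: (?P<filter>\(.*\))\s*$")
# The userPrincipalName assertion inside the filter; an empty group means an empty value.
UPN_ASSERTION_RE = re.compile(r"\(userPrincipalName=(?P<value>[^)]*)\)")


def parse_debug(text):
    """Pull the extracted UPN and the LDAP search filter out of fnbamd debug text.

    Returns a dict with keys 'upn' and 'filter'; a key is None if its line was not seen.
    """
    info = {"upn": None, "filter": None}
    for line in text.splitlines():
        m = UPN_LINE_RE.search(line)
        if m:
            info["upn"] = m.group("upn")
        m = FILTER_LINE_RE.search(line)
        if m:
            info["filter"] = m.group("filter")
    return info


def diagnose(text):
    """Return a list of findings; an empty list means the UPN lookup looked healthy."""
    info = parse_debug(text)
    findings = []
    if info["upn"] == "":
        findings.append(
            "empty UPN extracted from the certificate SAN: the account-key-upn-san "
            "setting does not match the SAN attribute the certificate carries"
        )
    if info["filter"] is not None:
        m = UPN_ASSERTION_RE.search(info["filter"])
        if m and m.group("value") == "":
            findings.append(
                "LDAP search filter has an empty userPrincipalName value; "
                "the lookup cannot match any account"
            )
    return findings


def ldap_escape(value):
    """Escape a value for embedding in an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(upn):
    """Build the filter in the shape fnbamd logs, with the UPN filled in.

    The second clause excludes disabled accounts: UserAccountControl bit 2 tested
    with the bit-AND matching rule 1.2.840.113556.1.4.803.
    """
    return (
        "(&(userPrincipalName=%s)"
        "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))" % ldap_escape(upn)
    )


if __name__ == "__main__":
    for label, sample in (("failing", FAILING_DEBUG), ("healthy", HEALTHY_DEBUG)):
        print(label, diagnose(sample) or "no findings")
    print(build_filter("host1$@corp.example"))
```

Run it against a pasted "diagnose debug application fnbamd -1" capture instead of the constructed samples; two findings mean the SAN attribute mismatch described above, no findings mean the UPN was extracted and the filter is well formed.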
