AuthPoint fail to start ldap binding

edited August 2023 in AuthPoint - General

I've set up AuthPoint, and it works with Office 365, but I've got this error with SSL VPN in Traffic Monitor:

admd admLocalLdapStart: ldap binding failed, msgId=-1, err=(null) Debug
admd ready to end authentication session with error code 48 Debug
wgcgi SSL VPN user username@AuthPoint from x.x.x.x was rejected - fail to start ldap binding. Debug
wgcgi User not authenticated Debug

I've made sure the group in the FB is the same as the AuthPoint group.

Wondering if someone can give me a hint before opening a case with WG.


  • james.carson Moderator, WatchGuard Representative

    Hi @Doum88
    The firewall is unable to complete the bind operation (which is a login in LDAP, basically).

    I would suggest checking your authentication logs for your AD domain (on AD itself) to see if there's a reason that the bind is being rejected by the server.

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson
    The LDAP test succeeds in the WebUI, and nowhere in the doc does it ask for a functional LDAP, but I've double-checked my Active Directory integration and it works.

    The logs I've put in my first post are the only ones I see related to my issue.

    It's strange that MFA works with O365 but I get a BIND error for SSL VPN.
  • james.carson Moderator, WatchGuard Representative

    The LDAP test in the WebUI is a simple bind from the firewall itself; AuthPoint will attempt the bind from the gateway. They're two separate functions.

    If you're not able to determine the cause, I'd suggest a support case.

    -James Carson
    WatchGuard Customer Support

  • edited September 2022

    If the values are incomplete or incorrect, the Bind request fails and you see the LDAP binding not successful message in your log files. If you receive this error, look at your Active Directory server settings and make sure you have configured the Search Base and DN of Searching User text boxes correctly.

  • WG support found the issue. The Firebox DNS was pointing to an external DNS. Changing it to the AD DNS fixed the LDAP bind issue.

    1. Add the local DNS server to the Firebox global DNS settings (Policy Manager > Network Configuration > DNS/WINS or web UI > Network > DNS/WINS). Please make it the first DNS server on the list.
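    A small triage script for the two things this thread turns on: pulling the rejected SSL VPN logons out of the Traffic Monitor lines quoted in the first post, and checking the Firebox global DNS order against the AD DNS servers, which was the root cause found by support. This is an added example, not WatchGuard code; the log lines, IP addresses, domain name and DNS server list are constructed for the example, and the log format is taken only from the lines posted above.

```python
"""Triage helper for the 'fail to start ldap binding' symptom.

Added example (not WatchGuard's code). Sample log lines, IPs, the AD domain
and the DNS server lists are all constructed for illustration.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Patterns derived from the admd / wgcgi lines quoted in the first post.
ADMD_BIND_RE = re.compile(
    r"admd admLocalLdapStart: ldap binding failed, msgId=(-?\d+), err=(\S+)")
ADMD_END_RE = re.compile(
    r"admd ready to end authentication session with error code (\d+)")
WGCGI_REJECT_RE = re.compile(
    r"wgcgi SSL VPN user (\S+) from (\d{1,3}(?:\.\d{1,3}){3}) was rejected - "
    r"(.+?)\.?(?:\s+Debug)?$")

# Constructed Traffic Monitor excerpt mirroring the thread (user/IP are made up).
SAMPLE_LOG = [
    "admd admLocalLdapStart: ldap binding failed, msgId=-1, err=(null) Debug",
    "admd ready to end authentication session with error code 48 Debug",
    "wgcgi SSL VPN user doum@AuthPoint from 203.0.113.7 was rejected - "
    "fail to start ldap binding. Debug",
    "wgcgi User not authenticated Debug",
]


@dataclass
class BindFailure:
    user: str
    source_ip: str
    reason: str
    error_code: Optional[int]   # admd session error code (48 in the thread)
    ldap_err: Optional[str]     # err= value from the admd bind line


def parse_bind_failures(lines: Iterable[str]) -> List[BindFailure]:
    """Correlate the admd bind/end lines with the wgcgi rejection that follows."""
    failures: List[BindFailure] = []
    pending_code: Optional[int] = None
    pending_err: Optional[str] = None
    for raw in lines:
        line = raw.strip()
        m = ADMD_BIND_RE.search(line)
        if m:
            pending_err = m.group(2)
            continue
        m = ADMD_END_RE.search(line)
        if m:
            pending_code = int(m.group(1))
            continue
        m = WGCGI_REJECT_RE.search(line)
        if m:
            failures.append(BindFailure(m.group(1), m.group(2), m.group(3),
                                        pending_code, pending_err))
            pending_code = pending_err = None
    return failures


def check_firebox_dns_order(firebox_dns: List[str], ad_dns: List[str]) -> List[str]:
    """Return findings; empty means the order matches the fix from support
    (an AD DNS server must be first in the Firebox global DNS list)."""
    findings: List[str] = []
    if not firebox_dns:
        return ["Firebox has no global DNS servers configured"]
    if firebox_dns[0] not in ad_dns:
        findings.append(f"first Firebox DNS server {firebox_dns[0]} is not an AD "
                        "DNS server; the AD domain will be resolved externally")
    if not any(s in ad_dns for s in firebox_dns):
        findings.append("no AD DNS server appears anywhere in the Firebox DNS list")
    return findings


def default_resolver(name: str) -> List[str]:
    """Resolve with the host's configured DNS; empty list on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_domain_resolution(domain: str, resolve: Callable[[str], List[str]],
                            dc_addresses: List[str]) -> List[str]:
    """An AD-aware resolver answers the domain name with DC addresses;
    an external resolver returns nothing or public addresses."""
    answers = resolve(domain)
    if not answers:
        return [f"{domain} does not resolve: resolver is not AD-aware"]
    if not any(a in dc_addresses for a in answers):
        return [f"{domain} resolves to {answers}, none of which is a known DC"]
    return []


if __name__ == "__main__":
    for f in parse_bind_failures(SAMPLE_LOG):
        print(f"rejected {f.user} from {f.source_ip}: {f.reason} "
              f"(admd code {f.error_code}, ldap err {f.ldap_err})")
    # Constructed config: external resolver listed first, AD DNS second.
    for finding in check_firebox_dns_order(["8.8.8.8", "10.0.0.10"], ["10.0.0.10"]):
        print("DNS:", finding)
```

    Run it against a copy of the Traffic Monitor output and the DNS/WINS list; a non-empty result from `check_firebox_dns_order` is exactly the misconfiguration support found here. `check_domain_resolution` takes the resolver as a parameter so it can be pointed at the Firebox's first DNS server (for example via a small wrapper around a DNS library) rather than the host's own resolver.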
  • I'm looking to implement AuthPoint for SSLVPN on one of our WatchGuards. This particular device isn't our main office device, but is on a separate network (with no connection to our corporate network, and therefore no Active Directory communication).

    I've managed to set up AuthPoint for SSL VPN for a client that is 100% and user accounts synced from AzureAD before, but cannot get this scenario to work.

    Our AuthPoint accounts are synced from on-prem AD, but the firewall I'm trying to configure for AuthPoint VPN access isn't connected to the on-prem AD.

    Has anyone managed to achieve something similar? I have a feeling this isn't possible without creating AuthPoint-based users and consuming more licenses.

  • james.carson Moderator, WatchGuard Representative

    Hi @Adrian_C

    If all you're trying to do is SSLVPN, creating another Firebox or RADIUS resource for the SSLVPN should work with your existing users provided. It would use the LDAP gateway, wherever that's installed, to verify the users. So long as the group the SSLVPN is looking for is matched, it should work in theory.

    It gets a little more complicated if you're trying to use logon app, as the usernames will likely not completely match between domain and non-domain computers.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    We are just looking to use the SSLVPN for this site. I have created a Firebox resource for this device in AuthPoint.

    But when I try to connect to the SSLVPN using the AuthPoint authentication server, I see an LDAP bind failed error in the AuthPoint audit log :(

  • james.carson Moderator, WatchGuard Representative

    LDAP bind failed means that the LDAP gateway is trying to reach out to the LDAP server and wasn't able to, or got an error response.

    If you're seeing an LDAP bind error code, your LDAP server might be rejecting logon attempts. I'd suggest checking the logs on the LDAP server itself as they may give you more information.

    -James Carson
    WatchGuard Customer Support

  • Hi James, but that is the thing: there is no LDAP server on the network with this firewall that I'm trying to authenticate. The LDAP server is at head office.

    The LDAP bind errors are on the remote WG logs.

  • james.carson Moderator, WatchGuard Representative

    If you haven't already done so, I'd suggest opening a support case so one of our support reps can help. They will be able to get into more detail about your setup as well as look at your logs if needed.

    -James Carson
    WatchGuard Customer Support

This discussion has been closed.