FortiClient SSL VPN Error

VPN Error KB ID 0001795

Problem

I have a FortiGate/FortiClient test bench set up for testing, and it's not been used for a while. When I attempted to use it, this happened;

Unable to logon to the server. Your username or password may not be configured properly for this connection. (-12)

While messing around trying to fix it I also got this error;

Unable to establish the VPN connection. The VPN server may be unreachable. (-14)

Disclaimer: That second error can also be caused if the FortiClient is unlicensed (which, as you can clearly see, it is). So this might be a red herring.

VPN Error: Solution

This took ages for me to fix. The common consensus is that this is usually caused by a setting in the machine's Internet Properties. Open an administrative command window and run inetcpl.cpl. The first thing I was asked to do was Advanced > Reset > Tick Delete Personal Settings > Reset.

Security > Trusted Sites (set slider to Medium) > Sites > Add in the URL my FortiClient was trying to reach, (yours will be a public IP or DNS name)  > Close.

Advanced Tab > Security > Tick Use SSL 3.0 > Apply > OK. (SSL 3.0 is a deprecated protocol, see RFC 7568, so untick it again if it makes no difference.)

In my case all of these DID NOT solve my problem. I've seen strange errors with LDAP usernames and passwords, so I made sure the firewall could ping the FQDN of the LDAP server, and it successfully authenticated me (I've seen the GUI auth test work, and the command line one fail, in the past).

Then I debugged the SSL VPN and got the following error;

Removed for tunnel connection setup timeout.

In the end I changed TWO things and it started to work. Firstly, I uninstalled the FortiClient and installed the latest version.

Secondly, I looked at my SSL VPN Settings and noticed the group was set to a firewall group and NOT my LDAP (Active Directory) group, which I changed.

Other possible fixes I found on my trawl – that were not applicable to me;

  • Active Directory User Account (Account or Password Expired)
  • There's no firewall policy for the SSL VPN traffic (See this article).
  • Your AD password is using some 'Odd Characters' (test with an alphanumeric password).
  • Your AD user has "user must change the password on next login" enabled.
  • You're trying to connect to the SSL VPN from BEHIND the FortiGate (not outside).

So this seems like a very generic error. If you come up with a different fix, or one that didn't work for me but worked for you, please take the time to post below to help the next technical traveller.
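The Active Directory causes in the list above (expired account or password, "must change password at next logon"), plus membership of the LDAP group referenced in the SSL VPN settings, can be checked in one pass from a domain-joined machine. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the user name 'jsmith' and group name 'SSLVPN-Users' are hypothetical placeholders.

```powershell
# Added example: check the AD-side causes of the FortiClient (-12) logon error.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-VpnUserReadiness {
    param(
        [Parameter(Mandatory)] [string] $User,      # sAMAccountName of the VPN user
        [Parameter(Mandatory)] [string] $VpnGroup   # AD group used in the SSL VPN settings
    )

    $u = Get-ADUser -Identity $User -Properties Enabled, LockedOut,
        AccountExpirationDate, PasswordExpired, pwdLastSet

    # Recursive, because the user may be in the VPN group through a nested group.
    $inGroup = [bool](Get-ADGroupMember -Identity $VpnGroup -Recursive |
        Where-Object { $_.distinguishedName -eq $u.DistinguishedName })

    # AccountExpirationDate is empty when the account never expires.
    $accountExpired = $null -ne $u.AccountExpirationDate -and
        $u.AccountExpirationDate -lt (Get-Date)

    [pscustomobject]@{
        User                  = $u.SamAccountName
        Enabled               = $u.Enabled
        LockedOut             = $u.LockedOut
        AccountExpired        = $accountExpired
        PasswordExpired       = $u.PasswordExpired
        # pwdLastSet = 0 means "User must change password at next logon" is set.
        MustChangeAtNextLogon = ($u.pwdLastSet -eq 0)
        InVpnGroup            = $inGroup
    }
}

# Hypothetical names; substitute your own user and VPN group.
Test-VpnUserReadiness -User 'jsmith' -VpnGroup 'SSLVPN-Users' | Format-List
```

A healthy VPN user shows Enabled and InVpnGroup as True and every other flag as False.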

Related Articles, References, Credits, or External Links

NA

Windows – Force into Safe Mode or "Cannot Boot into Safe Mode"

KB ID 0000521

Problem

With modern PCs, the boot time is a LOT less than it used to be. There was a time when you would have a few seconds to press F8 when a Windows machine started and it would boot to "safe mode". Now, even with the reflexes of a fighter pilot, you are hard pushed to press the key before it says "Starting Windows".

Solution

1. Boot Windows normally, and in the search/run box type msconfig, (or run from command line, whichever you prefer).

2. When msconfig opens, select the Boot tab > Select "Safe boot" with the Minimal option selected > Apply > OK > You will be asked to reboot.

3. The machine will now reboot into safe mode. When you have done what you need to do, simply run msconfig again and untick "Safe boot" > Apply > OK > Reboot.

Related Articles, References, Credits, or External Links

NA

Outlook Error – ‘One or more users cannot be added to the folder access list. Non-local users cannot be given rights on this server’

KB ID 0000560 

Problem

Outlook will show you this error if you attempt to grant rights to a "distribution group" on an object, for example a public folder, or for calendar permissions.

You would think that converting the “Universal Distribution Group” to a “Universal Security Group” would solve this problem, but it does not.

Note: You may also see the following error: "An error occurred. Exception: Cannot use {Group_Name} as a security principal, Parameter name: securityPrincipal."

Solution

1. First (I'm assuming) you ARE trying to add a security group that you have converted using the Active Directory Users and Computers snap-in, like so. You will see I've got a Universal Distribution Group called "TestGroup".

2. To convert to a Universal Security Group, simply change the group type and apply. (Note: you will need to refresh the view in Exchange System Manager before it reflects the correct group type, as below.)

3. But you will see that, even though the type of group is correct, you still see this error. (The more eagle-eyed among you will see there's a small error icon on the group type.)

Why this has happened.

This has been a known problem since Exchange 2007. Essentially, there's an Active Directory attribute called "msExchRecipientDisplayType" that does not get changed properly when you convert the group using the GUI.

How to Fix it

Exchange 2007

Run the following PowerShell command in the Exchange Management Shell;

Set-DistributionGroup -Identity "{group name}"

Exchange 2010

If you run that command on Exchange 2010, you will see the error (shown above);

“Members can’t remove themselves from security groups. Please set the group to Closed for requests to leave.”

You need to run the following PowerShell command in the Exchange Management Shell instead;

Set-DistributionGroup -Identity "{group name}" -MemberDepartRestriction Closed
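To find every group affected by the msExchRecipientDisplayType problem described under "Why this has happened", rather than fixing them one at a time as users hit the error, the directory can be audited for mail-enabled security groups whose attribute was not updated. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT), and the numeric display-type value is an assumption taken from common Exchange documentation, not from this page.

```powershell
# Added example: list mail-enabled security groups whose
# msExchRecipientDisplayType was not updated after conversion in ADUC.
Import-Module ActiveDirectory

# Assumed value (not stated on the original page):
#   1          = mail-enabled universal distribution group
#   1073741833 = mail-enabled universal security group
$DisplayTypeSecurity = 1073741833

function Get-StaleGroupDisplayType {
    # (mail=*) limits the search to mail-enabled groups.
    Get-ADGroup -LDAPFilter '(mail=*)' -Properties msExchRecipientDisplayType, mail |
        Where-Object {
            # AD says "security group", but Exchange's attribute disagrees.
            $_.GroupCategory -eq 'Security' -and
            $_.msExchRecipientDisplayType -ne $DisplayTypeSecurity
        } |
        Select-Object Name, GroupScope, GroupCategory, mail, msExchRecipientDisplayType
}

Get-StaleGroupDisplayType | Format-Table -AutoSize
```

Each group returned is a candidate for the Set-DistributionGroup command above; an empty result means no converted groups are left in the mismatched state.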

Related Articles, References, Credits, or External Links

How to Create a Distribution Group in Exchange 2010 / 2007