IPSEC VPN - AD link broken with special characters

Rdmusr Posts: 2 Freshman Member

Hi,

We found a bug in the latest USG FLEX 100H firmware concerning IPsec VPN.

The authentication doesn't work if the username OR password contains "é" or "è".
We are using a standard Microsoft AD, and I think a standard configuration on the firewall.
The workaround is changing the name and password, but it's kinda annoying.

Thanks

All Replies

  • Zyxel_Melen Posts: 4,616 Zyxel Employee

    Hi @Rdmusr

    Thank you for taking the time to report this.

    After investigating, this is actually expected behavior rather than a firmware bug. Microsoft itself recommends using only standard ASCII (pure English) characters for Active Directory user accounts, as diacritic characters such as "é" or "è" can cause compatibility issues across various systems and protocols.

    You can find more details in Microsoft's own documentation here:

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/cannot-add-user-object-differ-by-diacritic-mark-character

    Our IPSec VPN implementation follows this same guideline, which is why authentication fails when usernames or passwords contain accented characters.

    The recommended solution is to ensure that AD accounts used for VPN authentication only contain standard English (ASCII) characters in both the username and password. We understand this may be inconvenient if many accounts are affected, but aligning with Microsoft's best practices will ensure the most reliable experience across all connected systems.

    Zyxel Melen
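
For the ASCII-only recommendation in the reply above, one way to find affected accounts, as an added example that is not part of the thread or Zyxel's own tooling. It assumes account names were exported to a CSV with a `sAMAccountName` column (the sample data and the `department` column are constructed), flags names containing non-ASCII characters, proposes an ASCII rename, and checks that rename against existing names.

```python
import csv
import io
import unicodedata

# Constructed sample standing in for an AD export; \u escapes keep the
# accented characters unambiguous (U+00E9 = e-acute, U+00E8 = e-grave).
SAMPLE_CSV = """sAMAccountName,department
jdupont,Sales
r\u00e9mi.leblanc,IT
remi.leblanc,Finance
h\u00e9l\u00e8ne.morel,HR
asmith,IT
"""

def non_ascii_chars(name):
    """Return (char, code point) pairs for every non-ASCII character in name."""
    return [(c, f"U+{ord(c):04X}") for c in name if ord(c) > 0x7F]

def ascii_fold(name):
    """Suggest an ASCII-only name: decompose, then drop combining marks."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Characters with no decomposition (e.g. U+00F8) are marked for manual review.
    return "".join(c if ord(c) < 0x80 else "?" for c in stripped)

def audit(csv_text, column="sAMAccountName"):
    """Flag names with non-ASCII characters and detect rename collisions."""
    names = [row[column] for row in csv.DictReader(io.StringIO(csv_text))]
    existing = {n.lower() for n in names}
    findings = []
    for name in names:
        bad = non_ascii_chars(name)
        if not bad:
            continue
        proposal = ascii_fold(name)
        findings.append({
            "name": name,
            "chars": bad,
            "proposal": proposal,
            # The folded name may already belong to another account.
            "collision": proposal.lower() in existing,
            "needs_manual": "?" in proposal,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(finding)
```

This covers usernames only; passwords cannot be read back from the directory, so affected users have to be asked to choose an ASCII-only password.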