Technical Tip: FortiAuthenticator Microsoft Windows Agent for OWA/IIS certificate and settings
Description
This article describes how to use self-owned certificates for the FortiAuthenticator API and administrative access.
It also shows how to set up Microsoft Windows Agent and Outlook Web Access Agent to verify the server (FortiAuthenticator) certificate.
Scope
Microsoft Windows Agent.
Outlook Web Access Agent.
Solution
On the FortiAuthenticator, import the certificates via the GUI:
Go to: Certificate Management -> End Entities -> Local Services.
Import the server certificate issued for FortiAuthenticator (the CA certificate that issued it is also imported, because it is selected in the next step).


Then, select the newly imported certificates for the API and administrative access:
Go to: System -> Administration -> System Access.
- HTTPS Certificate: select the imported server certificate.
- CA certificate that issued the server certificate: select the imported CA certificate that issued the server certificate. From FortiAuthenticator 6.6.0 this field is no longer present and is not needed (the second picture shows an example).
Download the CA certificate that issued the FortiAuthenticator server certificate to the PC where the agent is installed.
- Go to: Agent Configuration -> General.
- Select 'Configure'. A new window opens; go to: General.
- Check the option 'Verify Server Certificate'.
- Fill out 'Server Subject Name'. It must match the subject (or a SAN entry) of the server certificate issued for FortiAuthenticator.
- For 'CA Certificate File', select the path where the CA certificate was downloaded.

The settings must be understood and set as follows:
- Administrator Name: The admin account the agent uses to communicate with and log in to FortiAuthenticator.
- Rest API Key: Not the admin account's password, but the web access key displayed once on FortiAuthenticator when web access is enabled for that administrator account. The password is not accepted.
- Server Subject Name: The subject of the server certificate issued for FortiAuthenticator, i.e. the certificate the agent sees when it connects to the REST API. The agent rejects the connection if this value does not match.
- CA Certificate File: The file of the CA certificate that issued/signed the FortiAuthenticator server certificate. It is used to validate the certificate presented by FortiAuthenticator.
- Public Server Hostname: The hostname of the OWA server as reachable by clients from outside networks.
- Internal Server Hostname: The hostname of this particular server where the agent is installed. It differs from the public server hostname in a load-balanced setup with another OWA server, and must resolve to this server's IP.
Each hostname must match the subject or a SAN entry of the server certificate presented for it.
OWA Path and Fortinet 2FA Path do not need to be adapted.
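The following PowerShell script is an added example, not code from the Fortinet article or from the agent itself. It reproduces on the OWA/IIS server the two checks the agent performs when 'Verify Server Certificate' is enabled (the certificate chain pinned to the downloaded CA file, and the 'Server Subject Name' match against the CN or DNS SANs), then calls the REST API the way the agent authenticates: HTTP Basic with the administrator name and the REST API key, never the password. The host fac.example.com, the file path C:\certs\fac-issuing-ca.cer, the admin account agentadmin and the /api/v1/localusers/ endpoint are assumptions for illustration.

```powershell
# Added example (not part of the Fortinet article or the agent's own code).
# Assumed/hypothetical values: fac.example.com, C:\certs\fac-issuing-ca.cer,
# the admin account 'agentadmin' and the /api/v1/localusers/ endpoint.
param(
    [string]$FacHost           = 'fac.example.com',             # hypothetical FortiAuthenticator host
    [int]   $FacPort           = 443,
    [string]$ServerSubjectName = 'fac.example.com',             # must match CN or a DNS SAN of the FAC certificate
    [string]$CaCertFile        = 'C:\certs\fac-issuing-ca.cer', # CA that issued the FAC server certificate
    [string]$AdminName         = 'agentadmin',                  # hypothetical admin account
    [string]$RestApiKey        = '<web access key>'             # shown once when enabling web access; NOT the password
)

function Get-RemoteCertificate {
    # Fetch the certificate FortiAuthenticator presents. The callback accepts anything
    # because trust is decided by Test-FacServerCertificate below, not by the Windows store.
    param([string]$HostName, [int]$Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-FacServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ServerCert,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$CaCert,
        [string]$ExpectedSubject
    )
    # 1. Chain check pinned to the downloaded CA file: the built chain must contain that CA
    #    (matched by thumbprint) and carry no status other than 'root not in the Windows store'.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($CaCert)
    [void]$chain.Build($ServerCert)
    $pinned = @($chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $CaCert.Thumbprint }).Count -gt 0
    $errors = @($chain.ChainStatus | Where-Object { $_.Status.ToString() -notin @('UntrustedRoot', 'PartialChain') })
    $chainOk = $pinned -and ($errors.Count -eq 0)

    # 2. Name check: 'Server Subject Name' must equal the subject CN or one of the DNS SANs.
    $names = @($ServerCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $sanExt = $ServerCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Windows (English locale) formats the extension as "DNS Name=a, DNS Name=b"
        $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $names -contains $ExpectedSubject

    [pscustomobject]@{
        ChainOk = $chainOk
        NameOk  = $nameOk
        Names   = $names
        Errors  = @($errors | ForEach-Object { $_.StatusInformation.Trim() })
    }
}

$caCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertFile)
$facCert = Get-RemoteCertificate -HostName $FacHost -Port $FacPort
$check   = Test-FacServerCertificate -ServerCert $facCert -CaCert $caCert -ExpectedSubject $ServerSubjectName
if (-not $check.ChainOk) { throw "FortiAuthenticator certificate does not chain to $CaCertFile : $($check.Errors -join '; ')" }
if (-not $check.NameOk)  { throw "Server Subject Name '$ServerSubjectName' is not among the certificate names: $($check.Names -join ', ')" }

# 3. REST API call authenticated like the agent: Basic <admin name>:<REST API key>.
#    The endpoint is an assumption; a 200 corresponds to the '200 OK' seen in the agent log.
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${AdminName}:${RestApiKey}"))
$resp  = Invoke-WebRequest -UseBasicParsing -Method Get -Uri "https://${FacHost}:${FacPort}/api/v1/localusers/?format=json" -Headers @{ Authorization = "Basic $basic" }
"Certificate checks passed; REST API answered HTTP $($resp.StatusCode)"
```

Two design points: the chain is built with AllowUnknownCertificateAuthority and UntrustedRoot/PartialChain are ignored only because the script requires the pinned CA to appear in the chain, which is the same trust decision the agent makes with the configured CA file; every other status (expired, signature failure, wrong usage) still fails. The final Invoke-WebRequest, unlike the agent, relies on the Windows certificate store, so for that last step the CA must also be trusted by the machine.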
When the FortiAuthenticator Microsoft Windows Agent for OWA/IIS and FortiAuthenticator communicate successfully over the REST API, the following lines appear in FAC_IIS_Agent.LoginForm_log.txt (the first shows the server certificate being validated against the configured CA file, the second the authenticated call returning 200 OK):
2026-03-23 11:39:30,303 [(null)|134|DEBUG] RestAPI: Session xxxxxxxxxxlsctlqobqyvnkr: Validating server certificate with provided certificate.
2026-03-23 11:39:30,563 [(null)|174|DEBUG] RestAPI: VerifyOTP for user iisowa was successful: 200 OK
