Staff & Editor
February 26, 2022

Technical Tip: FortiAuthenticator RestAPI user minimum privilege for IIS and Windows Agent

Description: This article describes the minimum privileges a RestAPI user needs for the IIS and Windows Agents.
Scope: FortiAuthenticator.
Solution

When using FortiAuthenticator Agents, either the IIS or the Windows Agent, FortiAuthenticator must permit access via RestAPI. This requires a RestAPI user on FortiAuthenticator with an administrator profile that has the 'Webservice Authentication' role set to Read-Write.


Administrator profiles can be created and edited under System -> Administration -> Admin Profiles.

 


 

Evidence that the user was authenticated can be found in FAC_IIS_Agent.LoginForm_log.txt.

By default, the FortiAuthenticator IIS\OWA Agent logs are located on the Exchange server under C:\Program files\Fortinet\FortiAuthenticator IIS Agent\Web\bin\log.

 

2026-02-08 21:31:11,378 [(null)|13|DEBUG] RestAPI: Session iiaxiaz000000000rwq1l0y: Initializing RestApi hostname: FAC-VM00000000, host: fac.test.local, verifyCert: False, admin: admin
2026-02-08 21:31:11,384 [(null)|13|DEBUG] Login: Realm (TEST) is found for Domain (test)
2026-02-08 21:31:11,406 [(null)|18|INFO ] RestAPI: Session iiaxiaz000000000rwq1l0y: Calling (PUSH) asynchronously
2026-02-08 21:31:15,747 [(null)|5|DEBUG] RestAPI: Push Notification API returned True 200 OK

2026-02-08 21:31:16,225 [(null)|13|DEBUG] Login: Session iiaxiaz000000000rwq1l0y: Push API returned success for user (test\admin.test)
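
The log check described above can be scripted. This Python sketch is an added example, not Fortinet code: it groups the agent log lines by session ID, reports whether each push login ended in a success line, and flags sessions that logged verifyCert: False. The field layout is inferred from the excerpt above, and reading verifyCert: False as "certificate not validated" is an assumption.

```python
import re
from collections import defaultdict

# Lines copied from the log excerpt in this article.
SAMPLE_LOG = r"""
2026-02-08 21:31:11,378 [(null)|13|DEBUG] RestAPI: Session iiaxiaz000000000rwq1l0y: Initializing RestApi hostname: FAC-VM00000000, host: fac.test.local, verifyCert: False, admin: admin
2026-02-08 21:31:11,384 [(null)|13|DEBUG] Login: Realm (TEST) is found for Domain (test)
2026-02-08 21:31:11,406 [(null)|18|INFO ] RestAPI: Session iiaxiaz000000000rwq1l0y: Calling (PUSH) asynchronously
2026-02-08 21:31:15,747 [(null)|5|DEBUG] RestAPI: Push Notification API returned True 200 OK
2026-02-08 21:31:16,225 [(null)|13|DEBUG] Login: Session iiaxiaz000000000rwq1l0y: Push API returned success for user (test\admin.test)
"""

# Field layout inferred from the sample lines only (assumption, not a documented format).
LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} \[[^\]]*\] \w+: (?P<msg>.*)$")
SESSION = re.compile(r"^Session (?P<sid>\w+): (?P<rest>.*)$")
INIT = re.compile(r"\bhost: (?P<host>[^,]+), verifyCert: (?P<verify>\w+), admin: (?P<admin>\S+)")
SUCCESS = re.compile(r"Push API returned success for user \((?P<user>[^)]+)\)")

def summarize(log_text):
    """Return {session_id: record} built from the session-tagged log lines."""
    sessions = defaultdict(lambda: {"host": None, "admin": None, "verify_cert": None,
                                    "push_called": False, "user": None})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        s = m and SESSION.match(m["msg"])
        if not s:
            continue  # blank, unparsable, or not tied to a session ID
        rec, rest = sessions[s["sid"]], s["rest"]
        if (i := INIT.search(rest)):
            rec.update(host=i["host"], admin=i["admin"], verify_cert=i["verify"] == "True")
        elif "Calling (PUSH)" in rest:
            rec["push_called"] = True
        elif (ok := SUCCESS.search(rest)):
            rec["user"] = ok["user"]  # success line names the authenticated user
    return dict(sessions)

def findings(sessions):
    """List points worth an administrator's attention."""
    out = []
    for sid, r in sessions.items():
        if r["verify_cert"] is False:  # assumption: agent skips certificate validation
            out.append(f"{sid}: verifyCert is False for host {r['host']}")
        if r["push_called"] and r["user"] is None:
            out.append(f"{sid}: push requested but no success line logged")
    return out

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result)
    print(findings(result))
```

To run it against a real log, pass the contents of FAC_IIS_Agent.LoginForm_log.txt to summarize() instead of SAMPLE_LOG.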