Jackie_T
Staff & Editor
June 18, 2019

Troubleshooting Tip: Unable to log in using VDOM Admin account


Description

 
This article describes the issue of not being able to log in to FortiGate GUI using a VDOM Admin account.
 
Scope
 
FortiGate v7.0.x, v7.2.x, and all newer branches.


Solution

 

An Admin account is created and assigned to a certain VDOM, but upon trying to log in, a 'Login Incorrect' error message is displayed.
 
To capture the HTTPS debug output shown further down, enable these debugs and then reproduce the login attempt:
 
diag debug app saml -1  << Enable if there is SAML SSO-admin auth.
diag debug application fnbamd -1
diag debug app https -1
diag debug console time enable
diag debug enable
 
 
Debug snippet:
 
[httpsd 16781 - 1728474781 info] fweb_debug_init[421] -- Handler "api_monitor_v2-handler" assigned to request
[httpsd 16781 - 1728474781 error] endpoint_process_req_vdom[1034] -- no access to VDOM "Fortivdom"
[httpsd 16781 - 1728474781 warning] api_return_http_result[1272] -- API error 403 raised
 
If the account is assigned to the root VDOM, login is successful.

 

By default, when an Admin profile is used for per-VDOM access, login is permitted only if the interface the user logs in through belongs to one of the VDOMs permitted in the profile.

For example, user 'Peter' belongs to a profile that allows access to the RED VDOM only.

 

If user 'Peter' connects to the Port 1 IP address, which belongs to the root VDOM, the login is refused because Port 1 is not part of the RED VDOM.

This is expected behavior for FortiGate.
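
The debug snippet above can be checked for mechanically. The following Python is an added example, not Fortinet code: it scans captured httpsd debug output for the 'no access to VDOM' error and ties it to the API error raised by the same httpsd process. The function name, the record fields and the sample lines marked as constructed are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Line layout taken from the debug snippet in this article:
# [httpsd <pid> - <epoch> <level>] <function>[<line>] -- <message>
LINE_RE = re.compile(
    r'\[httpsd (?P<pid>\d+) - (?P<ts>\d+)\s+(?P<level>\w+)\]\s+'
    r'(?P<func>\w+)\[\d+\] -- (?P<msg>.*)')
HANDLER_RE = re.compile(r'Handler "([^"]+)" assigned to request')
DENIED_RE = re.compile(r'no access to VDOM "([^"]+)"')
API_ERR_RE = re.compile(r'API error (\d+) raised')

def find_vdom_denials(lines):
    """Return one record per 'no access to VDOM' error (hypothetical helper)."""
    handler = {}   # pid -> last handler assigned to a request
    pending = {}   # pid -> denial still waiting for its API error line
    findings = []
    for raw in lines:
        m = LINE_RE.search(raw)  # search(): ignore any leading console timestamp
        if not m:
            continue             # not an httpsd debug line
        pid, msg = m["pid"], m["msg"]
        if (h := HANDLER_RE.search(msg)):
            handler[pid] = h.group(1)
            pending.pop(pid, None)   # new request: drop an unmatched denial
        elif (d := DENIED_RE.search(msg)):
            when = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
            rec = {"pid": int(pid), "vdom": d.group(1),
                   "handler": handler.get(pid), "http_status": None,
                   "time_utc": when.isoformat()}
            findings.append(rec)
            pending[pid] = rec
        elif (e := API_ERR_RE.search(msg)) and pid in pending:
            # Only an API error from the same httpsd process is linked.
            pending.pop(pid)["http_status"] = int(e.group(1))
    return findings

SAMPLE = [
    # First three lines: the snippet from this article.
    '[httpsd 16781 - 1728474781 info] fweb_debug_init[421] -- Handler "api_monitor_v2-handler" assigned to request',
    '[httpsd 16781 - 1728474781 error] endpoint_process_req_vdom[1034] -- no access to VDOM "Fortivdom"',
    '[httpsd 16781 - 1728474781 warning] api_return_http_result[1272] -- API error 403 raised',
    # Constructed lines: another process raising a 403 with no VDOM denial.
    '[httpsd 16790 - 1728474782 info] fweb_debug_init[421] -- Handler "api_monitor_v2-handler" assigned to request',
    '[httpsd 16790 - 1728474782 warning] api_return_http_result[1272] -- API error 403 raised',
]

if __name__ == "__main__":
    for finding in find_vdom_denials(SAMPLE):
        print(finding)
```

The VDOM name in each record is the one the account could not reach; compare it with the VDOM of the interface used for the login and with the VDOMs permitted in the account's profile.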
