FAC: Make sure you aren't blocking - directregistration.fortinet.com

Forum|Forum|6 years ago
October 28, 2019
1 reply
4813 views

Just a FYI, our FAC stopped being able to sync users from AD and adding them for FTKM assignment. Error showed:

FTM provision error: problem with SSL comm layer: server connection failed: SSL session failed Failed to assign remote LDAP user xxxxx @ xxxxx-DCs (xxx.xxx.xxx.10) with an available FTM token (FTKMxxxxxxxxxx) due to an activation error: Unable to provision token FTKMxxxxxxxxx: Unknown error.

Finally determined that FAC was hitting on our our MiTM/SSL Inspection outbound rules and Fortinet didn't like the cert interception. Moved the directregistration.fortinet.com host to one of our trusted hosts rule that doesn't have SSL inspection and it started working again.

We think the IP for this host was updated today but not sure.

xsilver_FTNT

Staff

thanks for sharing your case.

Yes, token activation is done over TLS and bidirectional cert verification and if that is forged, by any MiTM SSL inspecting proxy, then it will fail. That's expected outcome.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded