cbiggers
New Member
June 1, 2025
Question

FortiClient endpoint disconnects from EMS when a different user logs into the PC

I have an issue where the FortiClient endpoint disconnects from EMS when a different user logs into the PC.

I am using 7.4.3 build 1926.

When installing FortiClient to the endpoint after entering the invitation code, it prompts for a username and password to complete the install. I have LDAP set up so I can use the credentials of the user of the PC or I can enter the domain admin and the install will complete and the endpoint connects to the EMS.

The problem I have is that if I later come back to that PC and need to log in as a different user or a domain admin (maintenance, troubleshooting, etc.), the endpoint will disconnect from the EMS. No prompt or warning, I just notice it the next time I go look at the EMS for whatever reason and see the endpoint is not connected.

I opened a case with Fortinet and was told this is expected behavior if I RDP to the PC, but it doesn't matter if I RDP or log in locally, logging in as a different user will make the endpoint disconnect from the EMS. This can't be correct.

I manage a small number of PCs and it is a pain to have to constantly go reconnect the endpoint to the EMS. I can imagine a large deployment where users are constantly changing PCs; having to keep up with this would be a full-time job.

Maybe I didn't explain myself well enough to the Fortinet technician so he understands what I am asking. Does anyone else have any thoughts on this?

funkylicious
SuperUser
June 1, 2025

as far as i know and read/understood, the verification code is linked with the account/user that you sent to them in order to use it to connect if you selected individual - here

you might want to try using bulk and just select LDAP/SAML as verification type.

"jack of all trades, master of none"
cbiggers
Author
New Member
June 1, 2025

Thanks for taking the time to reply!

Are you saying the way I have my invitation code set up may be causing this? The invitation code I have been using with all my installs has the Type set to Bulk and the Verification Type set to Domain. Are you saying I need to change the Verification Type to SAML?

When I set it up, I thought setting the Verification Type to Domain would allow anyone in the domain to install the software.

Thanks again for your response!

funkylicious
SuperUser
June 1, 2025

no, i was stating that if you generated an invitation individually (individual) per user it might explain the behavior.

but if you used bulk with verification type LDAP, then that might not be the issue.

do you have enforce user verification enabled under EMS settings?

also, when you created the invite, did you select an internal or external for EMS in the invite? (or are you using an FQDN that resolves to an internal IP if an internal DNS is queried or a public IP when a public DNS server is used?)

"jack of all trades, master of none"
DrDing_Muscle
New Member
March 11, 2026

Did you ever figure this out? I am having the same issue with EMS/FC 7.4.5.

funkylicious
SuperUser
March 12, 2026
DrDing_Muscle
New Member
March 12, 2026

I understand that is what is happening but it's terrible. We want user verification turned on for our endpoint users. The issue is we have machines that are also logged into by several engineers and those keep disconnecting. When we have user verification turned on for our endpoint users we can't then enable a no auth invitation code for those multiple-use machines because user verification is either on or off for everybody. Once it's on you cannot generate a no auth invitation code. That is the issue. Fortinet, please make the verified user auth configurable for each profile and not an all or none thing.