Help
FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
Hawada1
Staff
Staff

Created on ‎12-21-2021 11:10 PM Edited on ‎12-22-2021 01:32 AM

Article Id 201689

Technical Tip: Change LDAP Password while FortiAuthenticator Windows Agent is installed with push notification

Description This Article describes how to change LDAP password when FortiAuthenticator Windows Agent is installed with mobile push notification.
Scope How LDAP users can change their LDAP password using push notification with FAC Windows Agent is installed.
Solution

Consider that FortiAuthenticator Agent is already installed and communicating with FortiAuthenticator.

If not, check the below article and guide:


https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-agent-is-not-fetching-ava...

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/bb02bb94-dbf0-11ea-96b9-005056...

FAC workflow:

 

FAC ==== PC(FAC Agent)
||
(AD)

 

Prerequisites:

 

FortiAuthenticator.

 

- Create remote LDAP server connection (domain admin user used as bind username).
- Create remote sync rule and import some LDAP users.
- Assign token to user and allow push notification.

Windows 10:


- Install FortiAuthenticator  agent 3.7.
- Login to Windows using 2FA to verify push notifications.
- Press Ctrl+Alt+Del and select Change a password.


Hawada1_0-1640119083323.png
- Select 'Enter'.
- Wait for the push token page to appear.


Hawada1_1-1640119146096.png

- Approve push FortiToken notifications from the app.

Hawada1_2-1640119177882.png

 

The following log messages should appear in the Agent logs after changing the password:

 

2021-12-21 18:00:59,355 [3016|31|DEBUG] : [Credential.cpp:2129] Credential::GetOfflineCachePath: Offline Cache Path: C:\Program Files\Fortinet\FortiAuthenticator Agent\Offline\LABDC\tuser1

2021-12-21 18:00:59,371 [3016|32|DEBUG] : [Credential.cpp:1112] Credential::ReportResult ... Password change completed, resetting usage scenario.

2021-12-21 18:00:59,371 [3016| 8|DEBUG] : [Credential.cpp:1124] Credential::ReportResult: Password verified, perform post-logon actions

Note.

If Domain Controller Event logs is checked, it is possible to notice that an event 4723 stating that the password has been changed.

Make sure 'Minimum password age' in the GPO under 'Password Policy' is set to 0 days.

 

Hawada1_3-1640119259727.png
743
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.