Hawada1
Staff
Staff
Description This Article describes how to change LDAP password when FortiAuthenticator Windows Agent is installed with mobile push notification.
Scope How LDAP users can change their LDAP password using push notification with FAC Windows Agent is installed.
Solution

Consider that FortiAuthenticator Agent is already installed and communicating with FortiAuthenticator.

If not, check the below article and guide:


https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-agent-is-not-fetching-ava...

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/bb02bb94-dbf0-11ea-96b9-005056...

FAC workflow:

 

FAC ==== PC(FAC Agent)
||
(AD)

 

Prerequisites:

 

FortiAuthenticator.

 

- Create remote LDAP server connection (domain admin user used as bind username).
- Create remote sync rule and import some LDAP users.
- Assign token to user and allow push notification.

Windows 10:


- Install FortiAuthenticator  agent 3.7.
- Login to Windows using 2FA to verify push notifications.
- Press Ctrl+Alt+Del and select Change a password.


Hawada1_0-1640119083323.png
- Select 'Enter'.
- Wait for the push token page to appear.


Hawada1_1-1640119146096.png

- Approve push FortiToken notifications from the app.

Hawada1_2-1640119177882.png

 

The following log messages should appear in the Agent logs after changing the password:

 

2021-12-21 18:00:59,355 [3016|31|DEBUG] : [Credential.cpp:2129] Credential::GetOfflineCachePath: Offline Cache Path: C:\Program Files\Fortinet\FortiAuthenticator Agent\Offline\LABDC\tuser1

2021-12-21 18:00:59,371 [3016|32|DEBUG] : [Credential.cpp:1112] Credential::ReportResult ... Password change completed, resetting usage scenario.

2021-12-21 18:00:59,371 [3016| 8|DEBUG] : [Credential.cpp:1124] Credential::ReportResult: Password verified, perform post-logon actions

Note.

If Domain Controller Event logs is checked, it is possible to notice that an event 4723 stating that the password has been changed.

Make sure 'Minimum password age' in the GPO under 'Password Policy' is set to 0 days.

 

Hawada1_3-1640119259727.png