FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
aneshcheret
Staff
Article Id 195385

Description


This article describes how to use self-owned (customer-issued) certificates for FortiAuthenticator API and administrative access.
It also shows how to configure the Microsoft Windows Agent and the Outlook Web Access Agent so that they verify the server (FortiAuthenticator) certificate.


Scope


Microsoft Windows Agent.
Outlook Web Access Agent.

Solution


On the FortiAuthenticator, import the certificates via the GUI:

  1. Go to: Certificate Management -> End Entities -> Local Services.
     Import the server certificate issued for FortiAuthenticator.
  2. Go to: Certificate Management -> Certificate Authorities -> Trusted CAs.
     Import the CA certificate that issued the above-mentioned server certificate.

Then, set the newly imported certificates for API and administrative access:
Go to: System -> Administration -> System Access.

  • HTTPS Certificate: select the imported server certificate.
  • CA certificate that issued the server certificate: select the imported CA certificate that issued the server certificate. From version 6.6.0 this setting is no longer shown and is no longer needed (an example is shown in the second picture).

Setting up verification of the server certificate on the FortiAuthenticator agents:

On the Microsoft Windows Agent:

Download the CA certificate that issued the FortiAuthenticator’s server certificate to the PC.

  1. Go to: Agent Configuration -> General.
  2. Select 'Configure'.
  3. A new window will open. Go to: General.
  4. Check the option 'Verify Server Certificate'.
  5. Fill out the 'Server Subject Name' (it must match the server certificate issued for FortiAuthenticator).

On the Outlook Web Access Agent:

Download the CA certificate that issued the FortiAuthenticator’s server certificate to the PC.

  1. Go to: Agent Configuration -> General.
  2. Check the option 'Verify Server Certificate'.
  3. Fill out the 'Server Subject Name' (it must match the server certificate issued for FortiAuthenticator).
  4. For 'CA Certificate file', select the path where the CA certificate was downloaded.

The Outlook Web Access Agent settings are to be understood and set as follows:

  • Administrator Name: The admin account used to communicate with and log in to FortiAuthenticator.
  • Rest API Key: This is not the admin account's password, but the web service access key that FortiAuthenticator displays once, when web service access is enabled for that administrator account. The password will not be accepted.
  • Server Subject Name: The 'subject' of the certificate that belongs to the IIS web server.
  • CA Certificate File: The file of the CA certificate that issued/signed the web server's certificate, i.e. the certificate that created the server certificate.
  • Public Server Hostname: The hostname of the OWA server as reachable by clients from outside networks.
  • Internal Server Hostname: The hostname of the particular server on which the agent is installed. It differs from the public server hostname in a load-balanced setup with another OWA server, and it must resolve to this server's IP address.

The hostname MUST match the subject and/or SAN of the server certificate.

OWA Path and Fortinet 2FA Path do not need to be adapted.
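The two things that decide whether 'Verify Server Certificate' succeeds on either agent are covered above: the CA file handed to the agent must be the one that actually issued the FortiAuthenticator server certificate, and the value typed into 'Server Subject Name' must match that certificate's subject or SAN. The script below is an added example, not part of the Fortinet article and not a Fortinet tool: it builds a throwaway lab CA and server certificate with openssl so the two checks can be shown end to end, then runs the same checks an administrator can run against the real files before importing them. The hostname fac.example.internal and all certificate names are constructed for the example; the functions chain_ok, hostname_ok, cert_subject and cert_sans are the example's own.

```shell
#!/bin/sh
# Added example (not from the Fortinet article). Builds a lab PKI and checks
# (1) that the server certificate chains to the CA file the agents will trust,
# (2) that the intended 'Server Subject Name' matches the certificate's SAN/CN.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FAC_NAME="fac.example.internal"   # assumed FortiAuthenticator hostname (constructed)

make_test_pki() {
  # Throwaway issuing CA (in production this is the customer's real CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Server key and CSR for FortiAuthenticator; CN is the hostname.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$FAC_NAME" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # The SAN must carry the name the agents will be told to expect.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FAC_NAME" \
    > "$WORK/server.ext"
  openssl x509 -req -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
  # A second CA that did NOT issue the server certificate (negative case).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# chain_ok CA_FILE CERT_FILE: exit 0 only if CERT_FILE was issued by CA_FILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# hostname_ok CA_FILE CERT_FILE NAME: exit 0 only if the chain is valid AND
# NAME matches the certificate's SAN (or CN when no SAN is present).
hostname_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_subject CERT_FILE: print the subject in RFC 2253 form, the value an
# administrator would compare with the agent's 'Server Subject Name'.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# cert_sans CERT_FILE: print the subjectAltName extension, if any.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

make_test_pki
echo "Server certificate subject: $(cert_subject "$WORK/server.crt")"
cert_sans "$WORK/server.crt"
if chain_ok "$WORK/ca.crt" "$WORK/server.crt" \
   && hostname_ok "$WORK/ca.crt" "$WORK/server.crt" "$FAC_NAME"; then
  echo "OK: server.crt chains to ca.crt and matches $FAC_NAME"
else
  echo "FAIL: agents given this CA file and subject name would reject the server" >&2
fi
if hostname_ok "$WORK/ca.crt" "$WORK/server.crt" "wrong.example.internal"; then
  echo "unexpected: mismatched name accepted" >&2
else
  echo "As expected: a mismatched Server Subject Name is rejected"
fi
```

Run it against the real files by replacing the generated ca.crt and server.crt with the exported certificates and FAC_NAME with the hostname the agents use; a failing chain_ok means the wrong CA file is about to be distributed, and a failing hostname_ok means the 'Server Subject Name' value will not match what FortiAuthenticator presents.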