Description
This article describes an issue encountered when upgrading to FortiAuthenticator v6.6.6.
Scope
FortiAuthenticator.
Solution
Before upgrading, FortiAuthenticator FSSOMA for Microsoft Entra ID–joined workstations were working correctly, following the FortiAuthenticator integration guide, FortiAuthenticator SSOMA for native Microsoft Entra ID joined workstation.
After upgrading to FortiAuthenticator v6.6.6, the following error has been observed in the FSSO debug logs:
10/09/2025 14:25:56 [E007E6C0] FCT 172.15.0.12: pending user FORTI.LAB/TEST.USER1 group lookup with tenant ID 5326461F-3DF4-458F-841C-EC1BDA3DD8AD
10/09/2025 14:25:56 [E007E6C0] FCT disconnected: 172.15.0.12
10/09/2025 14:25:56 [E0D186C0] OAuth [WARN]: session 'SAML-FAC-OAUTH' user group request failed, response code: 401
10/09/2025 14:25:56 [E0D186C0] OAuth [INFO]: session 'SAML-FAC-OAUTH' user group request failed, server returned error: InvalidAuthenticationToken (Signature is invalid.)
10/09/2025 14:25:56 [E0D186C0] OAuth [INFO]: session 'SAML-FAC-OAUTH' failed to get user groups, drop user FORTI.LAB/TEST.USER1
10/09/2025 14:25:57 [E0D396C0] FCT server accepting one connection from 172.15.0.22(sock 32)
10/09/2025 14:25:57 [E007E6C0] Threadpool FCT: thread reused: 0x7FBBE007E6C0
10/09/2025 14:25:57 [E007E6C0] FCT session SSL connection established (172.15.0.22)
10/09/2025 14:25:57 [E007E6C0] send HELLO
Symptoms:
-
Users from Microsoft Entra ID–joined devices fail to authenticate via FSSOMA.
-
The FSSO debug log shows InvalidAuthenticationToken (Signature is invalid.) errors.
-
Group lookup requests return HTTP 401 responses from the Entra ID OAuth endpoint.
Solution:
This is a known issue tracked under engineering ticket 1218489 and will be resolved in FortiAuthenticator versions 8.0.1.
