FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
cborgato_FTNT
Article Id 194250

Description


This article explains that FortiAuthenticator does not store any user passwords.


Scope


FortiAuthenticator.

Solution


Since firmware version 4.3, FortiAuthenticator lets users change their AD passwords when required.

A few tickets have been raised asking how FortiAuthenticator stores the password locally. This article confirms that FortiAuthenticator acts only as a proxy and does not store the password locally.

Example

The authentication request flows as follows: FortiGate -> (RADIUS) -> FortiAuthenticator -> (Secure LDAP) -> AD Server


  1. An LDAP server is configured in FortiAuthenticator with secure LDAP enabled, and FortiAuthenticator is joined to the Windows AD domain.
  2. The RADIUS client is configured to 'Use Windows AD domain authentication'.
  3. The RADIUS authentication request uses MS-CHAPv2.
  4. Password renewal is enabled in the RADIUS client configuration on FortiGate:


config user radius
    edit "AD-RAD"
        set server "192.168.38.2"
        set secret fortinet
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end


Observed behavior:

When a user changes the password, for example from Password1 to Password2, the user can still log in successfully with the first password (Password1) right after the change. After about a minute or so, the user can only log in with the new password (Password2), as expected.

Explanation:

Such behavior might lead a customer to think that FortiAuthenticator stores the password locally and that the delay is caused by the synchronization of the new password between FortiAuthenticator and the DC server.

FortiAuthenticator does not store a copy of the password. It is only a proxy for password validation against AD. Therefore, the explanation for such a delay must be sought on the AD server side instead.

As of FortiAuthenticator firmware version 6.6.0, FortiAuthenticator implements an authentication cache. This cache also does not store the credentials, only the authentication state, and exists to improve performance for both the LDAP server and FortiAuthenticator. See the documentation and release notes for the relevant information.
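To measure the acceptance window in a lab instead of guessing at it, the following probe (an added example, not Fortinet's code) drives FreeRADIUS's radtest against the RADIUS server and shared secret from the configuration above and records when the old password stops being accepted. The host, secret, username and both passwords are assumed lab values; repeating the same timing against the AD server directly shows whether the window belongs to the directory, which is where the article says to look, or to an authentication cache in front of it.

```python
"""Probe how long an old AD password keeps being accepted through FortiAuthenticator.

Added example, not Fortinet code. Assumes FreeRADIUS's `radtest` is installed and
that the host, secret, user and passwords below are replaced with lab values.
"""
import re
import subprocess
import time

FAC_HOST = "192.168.38.2"      # RADIUS server address from the article's config (assumed lab value)
SHARED_SECRET = "fortinet"     # RADIUS shared secret from the article's config (assumed lab value)
RADTEST = "radtest"            # FreeRADIUS client; "-t mschap" selects an MS-CHAP request

REPLY_RE = re.compile(r"Received (Access-Accept|Access-Reject)")


def classify_reply(radtest_output: str) -> str:
    """Map radtest's output to 'accept', 'reject' or 'timeout' (no reply line at all)."""
    match = REPLY_RE.search(radtest_output)
    if match is None:
        return "timeout"
    return "accept" if match.group(1) == "Access-Accept" else "reject"


def probe(user: str, password: str) -> str:
    """Send one MS-CHAP Access-Request for `user` and classify FortiAuthenticator's reply."""
    cmd = [RADTEST, "-t", "mschap", user, password, FAC_HOST, "0", SHARED_SECRET]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return classify_reply(proc.stdout + proc.stderr)


def first_rejection(samples):
    """Given (elapsed_seconds, old_result, new_result) tuples, return the first elapsed
    time at which the old password is rejected while the new one is accepted, else None."""
    for elapsed, old, new in samples:
        if old == "reject" and new == "accept":
            return elapsed
    return None


def measure_window(user, old_pw, new_pw, interval=10, max_seconds=600):
    """Probe both passwords every `interval` seconds after a change; return the
    window length in seconds, or None if the old password was still accepted."""
    samples, start = [], time.monotonic()
    while time.monotonic() - start < max_seconds:
        elapsed = int(time.monotonic() - start)
        samples.append((elapsed, probe(user, old_pw), probe(user, new_pw)))
        print("t+%4ds old=%-7s new=%s" % samples[-1])
        if first_rejection(samples) is not None:
            break
        time.sleep(interval)
    return first_rejection(samples)


if __name__ == "__main__":
    # Run immediately after changing the test account's password (assumed lab account).
    print("window:", measure_window("testuser", "Password1", "Password2"))
```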


Note:

Check this article from Microsoft.


Related articles:

Technical Tip: How to allow LDAP user to change password at first logon or renew expired password vi...

Technical Tip: How to allow an LDAP user to change password at first logon or renew an expired passw...