Description
This article describes how to join FortiAuthenticator to Windows AD with a non-administrator account configured with minimum privileges.
Scope
FortiAuthenticator.
Solution
A domain administrator account should not be used to join FortiAuthenticator to Windows AD. Instead, create a separate user account with the minimum privileges FortiAuthenticator needs to join Windows AD successfully.
In Active Directory, create a user account with the following options:
Under Active Directory Users and Computers, right-click the container under which the computers need to be added, then select Delegate Control.
The Delegation of Control Wizard opens.
Select Next.
Select Add, then enter the 'test' user account created earlier.
Select Next.
Select Create a custom task to delegate, then select Next.
Select Only the following objects in the folder, and then select Computer objects.
Select Create selected objects in this folder, then select Next.
Under Permissions, select Create All Child Objects, Write All Properties, and Change password.
Select Next, then select Finish.
In FortiAuthenticator, go to Authentication -> Remote Auth.
Select Server -> LDAP, enable Windows Active Directory Domain Authentication, and fill in the fields with the details of the newly created user.
Note: While this is not related to the permissions of the account, it is important to add the domain's DNS server on FortiAuthenticator as the main DNS server, because the domain join requires DNS. The following message may be seen:
Warning: The address of the Windows Active Directory (AD) server does not match the configured DNS server. While the DNS server doesn't always need to match the AD server, please ensure that FortiAuthenticator can resolve the AD server address. Otherwise, AD authentication will not function correctly.
This message can be normal in cases where the DNS server IP does not match the configured LDAP server IP. The intention behind the warning is to have the user ensure that the DNS server can resolve the _ldap SRV records.
In Active Directory, under Computers, delete all old entries. Afterwards, test again with the new username.
Additionally, the minimum permissions for joining the stage computer on the OU are:
After successfully joining, the following can be seen from the GUI. Go to Monitor -> Authentication -> Windows AD.
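The following PowerShell script is an added verification aid, not part of this article or of FortiAuthenticator: run from a domain-joined Windows host with RSAT, it reads the ACL of the delegated OU to confirm the three rights granted by the wizard above and checks that the _ldap SRV records the warning refers to resolve. The OU distinguished name, account name and domain are placeholders.

```powershell
# Added verification script, not part of the Fortinet article. Run on a Windows
# host with the RSAT ActiveDirectory module. The OU, account and domain names
# below are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$OuDn       = 'OU=FortiAuthenticator,DC=example,DC=com'   # placeholder: OU delegated in the wizard
$Delegate   = 'EXAMPLE\fac-join'                          # placeholder: the minimum-privilege join account
$DomainName = 'example.com'                               # placeholder: AD domain FortiAuthenticator joins

# The Computer schema class GUID identifies ACEs scoped to "Computer objects".
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' `
                 -Properties schemaIDGUID).schemaIDGUID
# Well-known control-access right GUID for "Change password" (User-Change-Password).
$changePwdGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Collect the Allow ACEs on the OU that were granted to the delegated account.
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Delegate }

$checks = [ordered]@{
    'Create Computer objects in OU'   = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights -match 'CreateChild' -and
        ($_.ObjectType -eq $computerGuid -or $_.InheritedObjectType -eq $computerGuid) })
    'Write All Properties (Computer)' = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights -match 'WriteProperty' -and $_.InheritedObjectType -eq $computerGuid })
    'Change password (Computer)'      = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq $changePwdGuid -and
        $_.InheritedObjectType -eq $computerGuid })
    # The warning in the article is benign only if the DNS server FortiAuthenticator uses
    # can resolve the _ldap SRV records; this host's resolver is used here as a proxy.
    '_ldap SRV records resolvable'    = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" `
        -Type SRV -ErrorAction SilentlyContinue)
}

# Anything reported False needs attention before attempting the domain join.
$checks.GetEnumerator() | ForEach-Object { '{0,-35} {1}' -f $_.Key, $_.Value }
```

The DNS check is only a proxy: the resolver that matters is the one configured on FortiAuthenticator, so point this host at the same DNS server or verify the SRV lookup there as well.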
Copyright 2024 Fortinet, Inc. All Rights Reserved.