FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
PN
Staff
Article Id 357760
Description This article describes how to restrict access to the FSSO TSAgentConfig.exe to a specific user/service account or user group.
By default, the Fortinet SSO Terminal Server Agent Configuration tool (TSAgentConfig.exe) can be opened and configured by any user who has access to the Windows machine. However, access can be restricted with file permissions in the underlying Windows OS.
Scope Windows OS, FSSO TSAgent.exe
Solution

After the installation of the Fortinet SSO Terminal Server Agent is completed on the Windows machine, restrict access to TSAgentConfig.exe to a specific user/service account or user group as follows:

  • Locate the TSAgentConfig.exe file under the path C:\Program Files (x86)\Fortinet.
  • Right-click on TSAgentConfig and select Properties.
  • In the 'TSAgentConfig Properties' window, select the 'Security' tab and then select the 'Advanced' button.

  • In the 'Advanced Security Settings for TSAgentConfig' window, select the 'Disable Inheritance' button.

  • In the 'Block Inheritance' window, select 'Convert inherited permissions into explicit permissions on this object'.

  • Back in the 'Advanced Security Settings for TSAgentConfig' window, it is now possible to remove unrelated user accounts or user groups. After removing the required users, select 'Apply'.

  • At this point, a required user group or specific user can be added by selecting the 'Add' button.
  • In the new 'Permission Entry for TSAgentConfig' window, select 'Select a principal'.

  • In the 'Enter the object name to select' field, enter the required user/service account or user group name. Validate the username or user group by selecting the 'Check Names' button. After successful validation, the username or user group name will be underlined. Select 'OK' to close the window.

  • In the 'Permission Entry for TSAgentConfig' window, select the required access rights for the user or user group selected in the previous step, then select 'OK'.

  • In the 'Advanced Security Settings for TSAgentConfig' window, the newly added user or user group and its access rights are now visible. Select 'Apply', then 'OK'.

  • The same information as in the previous step can be verified in the 'TSAgentConfig Properties' window. Select 'OK'.

  • At this step, the access restriction is complete.
  • To verify the restriction, log in to the Windows machine where the FSSO TS Agent is installed, using a user account that is not a member of the user group that was granted access rights earlier. When trying to open TSAgentConfig.exe, the following message should appear.

    [Screenshot: Capture10.JPG]
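The same ACL change can be scripted from an elevated PowerShell session; the following is an added example, not part of the original article or Fortinet's own tooling. The group name `EXAMPLE\FSSO-TSAgent-Admins`, the list of retained principals and the `ReadAndExecute` right are assumptions to be replaced with the values chosen for the environment.

```powershell
# Added example: scripted equivalent of the GUI steps above (run elevated).
$root    = 'C:\Program Files (x86)\Fortinet'            # install path given in the article
$allowed = 'EXAMPLE\FSSO-TSAgent-Admins'                # hypothetical group to grant access to
$keep    = @('NT AUTHORITY\SYSTEM',                     # assumption: entries that are NOT
             'BUILTIN\Administrators')                  # treated as "unrelated" and stay

# Locate the executable below the install path instead of guessing a subfolder.
$exe = Get-ChildItem -Path $root -Filter 'TSAgentConfig.exe' -Recurse -ErrorAction Stop |
       Select-Object -First 1
if (-not $exe) { throw "TSAgentConfig.exe not found under $root" }

# Save the current ACL so the change can be rolled back with icacls /restore.
icacls $exe.FullName /save "$env:TEMP\TSAgentConfig.acl" | Out-Null

# 'Disable Inheritance' + 'Convert inherited permissions into explicit permissions'.
$acl = Get-Acl -Path $exe.FullName
$acl.SetAccessRuleProtection($true, $true)   # protect from inheritance, keep a copy of the rules
Set-Acl -Path $exe.FullName -AclObject $acl
$acl = Get-Acl -Path $exe.FullName           # re-read: the copied rules are now explicit

# Remove every entry that is not on the keep list.
foreach ($rule in @($acl.Access)) {
    if ($keep -notcontains $rule.IdentityReference.Value) {
        [void]$acl.RemoveAccessRule($rule)
    }
}

# Add the required group with the chosen rights (ReadAndExecute is an assumption).
$grant = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $allowed, 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($grant)
Set-Acl -Path $exe.FullName -AclObject $acl

# Verify: inheritance must be disabled and only the expected principals listed.
$final = Get-Acl -Path $exe.FullName
"Inheritance disabled: $($final.AreAccessRulesProtected)"
$final.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

On systems with a non-English display language, the built-in principal names in `$keep` are localized, so compare against the names that `Get-Acl` actually reports before running the removal loop.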