FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
Sheikh
Staff
Article Id 226796
Description This article describes how to allow Smartcard PIN authentication using FortiAuthenticator agent version 4.x.
Scope FortiAuthenticator Agent, Windows 10 & Windows 11.
Solution

In this case, FortiAuthenticator Agent 4.x is installed on Windows 10 or Windows 11.

 

Disable 'Permit Built-In Password providers' under 'Credential Provider Options' in the FortiAuthenticator Agent settings. This setting works fine for logging in to Windows directly or via a remote desktop session.

 

'Disabling built-in password providers removes the Microsoft default logon mechanism, which precludes any user from being able to log in in the event that the FortiAuthenticator Agent malfunctions or prevents access to the system (possibly even in safe mode). We recommend having at least one exempt user with administrative access to allow you to bypass the FortiAuthenticator Agent in such situations.'

 


 

Now consider the case where another application or website requires smart card or physical token authentication.

The Windows pop-up window appears without showing an option to enter credentials.

 


 

In this scenario, it is necessary to make some entries in the Windows registry to allow the Windows pop-up to present an option to enter credentials.

  

On Windows 10 and Windows 11 Machines

 

Go to the Windows registry and add the following entry:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FAC_Agent_v1.0\


Create a new string (REG_SZ) value named 'CredentialProvidersWhiteList', and then add the following entries:

 

{1b283861-754f-4022-ad47-a5eaaa618894}{C885AA15-1764-4293-B82A-0586ADD46B35}


The entries can also be comma-separated (with a comma between the closing brace of one GUID and the opening brace of the next).

 

{1b283861-754f-4022-ad47-a5eaaa618894},{C885AA15-1764-4293-B82A-0586ADD46B35}

 

If this does not work, proceed as follows:

 

Go to the Windows registry and add the following entry:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FAC_Agent_v1.0\


Remove the old entry and create a new string (REG_SZ) value named 'CredentialProvidersWhiteList', and then add the following Smart card PIN Provider GUID entry:

 

{94596c7e-3744-41ce-893e-bbf09122f76a}

 

Otherwise, modify the existing 'CredentialProvidersWhiteList' string (REG_SZ) value and replace its existing entries with the value given above.

 

After the entry above is created, accessing any website that requires smart card authentication or PIN access shows the pop-up window with a prompt to enter credentials.
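The registry steps above can also be scripted. The following PowerShell is an added example, not Fortinet's own code: it uses the key path, value name and GUIDs from this article, and goes one step further by checking each GUID against the standard Windows credential provider registration key before allowlisting it. The parameter name `ProviderGuid` is hypothetical, and the script assumes an elevated PowerShell session on the machine where the agent is installed.

```powershell
# Added example (not Fortinet code). Key path, value name and GUID come from this article.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical parameter. Default is the Smart card PIN Provider GUID from the fallback step.
    [string[]]$ProviderGuid = @('{94596c7e-3744-41ce-893e-bbf09122f76a}')
)

$agentKey  = 'HKLM:\SOFTWARE\Fortinet\FAC_Agent_v1.0'
$valueName = 'CredentialProvidersWhiteList'
# Windows registers credential providers here; each subkey's default value is the provider name.
$cpRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

foreach ($g in $ProviderGuid) {
    # Reject anything that is not a braced GUID before it reaches the registry.
    if ($g -notmatch '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$') {
        throw "Not a braced GUID: $g"
    }
    # Show which provider is about to be allowlisted, so the change can be reviewed.
    $cpKey = "$cpRoot\$g"
    if (Test-Path -LiteralPath $cpKey) {
        $name = (Get-ItemProperty -LiteralPath $cpKey).'(default)'
        Write-Host "$g is registered as '$name'"
    } else {
        Write-Warning "$g is not a registered credential provider on this machine"
    }
}

if (-not (Test-Path -LiteralPath $agentKey)) {
    throw "$agentKey not found; is FortiAuthenticator Agent installed?"
}

# Record the previous value so the change can be reverted.
$old = (Get-ItemProperty -LiteralPath $agentKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "Previous ${valueName}: $(if ($null -eq $old) { '<not set>' } else { $old })"

# Comma-separated form, as shown in the article.
$new = $ProviderGuid -join ','
if ($PSCmdlet.ShouldProcess("$agentKey\$valueName", "Set to $new")) {
    # -PropertyType String creates a REG_SZ value; -Force replaces an existing one.
    New-ItemProperty -LiteralPath $agentKey -Name $valueName -PropertyType String -Value $new -Force | Out-Null
    # Read the value back to confirm what the agent will see.
    $check = (Get-ItemProperty -LiteralPath $agentKey -Name $valueName).$valueName
    if ($check -ne $new) { throw "Read-back mismatch: $check" }
    Write-Host "Set $valueName = $check"
}
```

Running the script with `-WhatIf` prints the provider lookup and the previous value without writing to the registry.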

 

 


 

 

Related document:

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/fortiauthenticator-agent-for-microsoft-w...