FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
hpisharodi
Staff
Article Id 193327

Description


This article explains how to fix the following FortiAuthenticator error, which appears in the FortiAuthenticator logs when the domain join fails (Domain Name is the name of the domain being joined):

 

  • Failed to join Windows AD network: Domain Name

 

100.png

 

Scope

 

FortiAuthenticator.

 

Solution

 

Configure Windows Active Directory Domain Authentication.

 

  • Go to Authentication -> Remote Auth. Servers -> LDAP and edit the remote LDAP server entry for the domain.

 

101.png

 

  • Enable Windows Active Directory Domain Authentication.
  • Set the Kerberos realm name.
  • Set the Domain NetBIOS name.
  • Set the FortiAuthenticator NetBIOS name.
  • Set the Administrator username -> a domain administrator account (an account that is allowed to join computers to the domain).
  • Set the Administrator password.

 

102.png

 

To find the Kerberos realm name:

 

  • On the Windows Server, go to Server Manager -> Tools -> Active Directory Domains and Trusts.
  • The Active Directory domain names are listed there.
  • The Active Directory domain name is also the corresponding Kerberos realm name and the DNS domain name (Kerberos realm names are written in upper case by convention).

 

103.png

 

  • It is also possible to run the command 'set' in a Windows CMD prompt on a domain-joined host and read the USERDNSDOMAIN= line.

 

104.png

 

  • Or run the command 'echo %userdnsdomain%' in Windows CMD.

105.png

 

To find the Domain NetBIOS name:

 

  • Run the command 'set' in Windows CMD and read the USERDOMAIN= line.
  • Or run the command 'echo %userdomain%'.

 

In summary, from a CMD prompt on a domain-joined Windows host, logged on with an account from the domain that FortiAuthenticator will join (both variables describe the logged-on user's domain, not necessarily the computer's):

 

  • Kerberos realm name: echo %userdnsdomain%
  • Domain NetBIOS name: echo %userdomain%

 

To find the FortiAuthenticator NetBIOS name:

 

  • The FortiAuthenticator NetBIOS name is the FortiAuthenticator hostname. NetBIOS names are limited to 15 characters, so the hostname must not be longer than that.

106.png

 

  • FortiAuthenticator needs an internal DNS server configured.
  • A host (A) record must exist on the internal DNS server that maps the FortiAuthenticator hostname to the FortiAuthenticator IP address, so that the domain controller can resolve the FortiAuthenticator by name.

107.png

 

 
After completing the configuration:
 
  • Go to Monitor -> Authentication -> Windows AD. The status should show Connection: joined domain, connected:

 

108.png

 

  • And the logs show the successful join:

 

109.png

 

 

If there are still issues with joining, check and correct the following:

  • Internal DNS is configured: go to System -> Network -> DNS and set at least one internal DNS server (the domain controller's DNS is the usual choice).
  • FortiAuthenticator must be able to resolve the domain name and reach the domain controllers.
  • The time and time zone are correct on the FortiAuthenticator and in sync with the DC; Kerberos rejects requests when the clock skew exceeds 5 minutes. Use the same NTP source on both if possible.
  • If a FortiAuthenticator computer account (or duplicates) already exists on the DC (Active Directory Users and Computers, expand the domain, Computers), delete all of them; the account is recreated when the FortiAuthenticator joins the domain.
  • Make sure to use a domain admin account.
  • If there is a firewall between FortiAuthenticator and AD, for example a FortiGate, make sure that the domain join ports are not blocked. The ports used with Windows AD domain authentication are TCP/88, 135, 139, and 445. DNS and the LDAP port configured on the remote LDAP server entry must also be reachable, since FortiAuthenticator has to resolve the domain and query the LDAP server.
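As an added example (not from this article or from Fortinet), the PowerShell script below runs the checks from the list above from a domain-joined Windows host, logged on as a domain admin: it prints the Kerberos realm and Domain NetBIOS names described earlier, checks the 15-character NetBIOS limit on the FortiAuthenticator hostname, looks up the FortiAuthenticator A record, lists stale computer accounts that would block the join, tests the join ports against the logon DC and measures the clock offset against it. The FortiAuthenticator hostname and IP address are placeholders (assumptions) to be replaced, and the computer-account check needs the ActiveDirectory RSAT module; everything else uses built-in cmdlets.

```powershell
# Pre-join checklist for FortiAuthenticator Windows AD domain authentication.
# Added example, not code from the article. Run on a domain-joined Windows host
# as a domain admin. FacHostname/FacIp are assumed placeholder values.
param(
    [string]$FacHostname = 'FAC01',       # FortiAuthenticator hostname = its NetBIOS name (assumed)
    [string]$FacIp       = '192.0.2.10'   # FortiAuthenticator IP address (documentation range, assumed)
)

$issues = @()

# 1. The two domain values the remote LDAP server page asks for.
#    USERDNSDOMAIN/USERDOMAIN describe the logged-on user's domain; the realm
#    is the DNS domain name, upper case by Kerberos convention.
$realm   = $env:USERDNSDOMAIN.ToUpper()
$netbios = $env:USERDOMAIN
Write-Host "Kerberos realm name : $realm"
Write-Host "Domain NetBIOS name : $netbios"

# 2. NetBIOS names are at most 15 characters; a longer hostname cannot be the
#    FortiAuthenticator NetBIOS name.
if ($FacHostname.Length -gt 15) {
    $issues += "FortiAuthenticator hostname '$FacHostname' exceeds the 15-character NetBIOS limit"
}

# 3. The domain controller must resolve the FortiAuthenticator hostname to its IP (A record).
$fqdn = "$FacHostname.$($env:USERDNSDOMAIN)"
$a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
if (-not $a) {
    $issues += "No A record for $fqdn; create one pointing at $FacIp on the internal DNS"
} elseif ($a.IPAddress -notcontains $FacIp) {
    $issues += "A record for $fqdn resolves to $($a.IPAddress -join ', '), expected $FacIp"
}

# 4. Existing or duplicate computer accounts block the join; list them so they can be deleted.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADComputer -Filter "Name -eq '$FacHostname'" | ForEach-Object {
        $issues += "Existing computer account $($_.DistinguishedName); delete it before joining"
    }
} else {
    $issues += "ActiveDirectory module not installed; check Active Directory Users and Computers manually"
}

# 5. The join ports, tested from this host towards the DC that authenticated this logon.
$dc = $env:LOGONSERVER.TrimStart('\')
foreach ($port in 88, 135, 139, 445) {
    $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { $issues += "TCP/$port to $dc is not reachable from this host" }
}

# 6. Kerberos tolerates 5 minutes of clock skew; compare this host's clock with the DC.
#    The last line of w32tm /stripchart looks like "12:00:00, +00.0012345s".
$skew = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly
Write-Host "Time offset vs $dc : $($skew[-1])"
if ($skew[-1] -match '([+-]\d+\.\d+)s') {
    $offset = [double]$Matches[1]
    if ([math]::Abs($offset) -gt 300) { $issues += "Clock offset to $dc is ${offset}s (limit 300s)" }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All pre-join checks passed' }
```

The port and clock checks run from the Windows host, not from the FortiAuthenticator, so they prove the DC side is open and in sync; the FortiAuthenticator's own DNS and NTP settings (System -> Network -> DNS and its NTP source) still have to be checked on the appliance.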

 

The FortiAuthenticator should now be joined to the domain; confirm this under Logging -> Log Access -> Logs.
If none of these steps help and the domain join still fails, open a ticket with Fortinet TAC Support.

Related documents:
Troubleshooting Tip: How to work with FortiAuthenticator Technical Support
