Created on 09-26-2019 07:04 AM Edited on 09-23-2024 02:53 AM By Jean-Philippe_P
Description
This article describes how to adjust Mobile FortiTokens for clock drift.
FortiAuthenticator logs (GUI -> Log Access -> Logs) may show a message similar to the following:
Message Remote LDAP user authentication with FortiToken failed: token out of sync
If a user experiences clock drift, it may be the result of incorrect time settings on the mobile device. If so, make sure that the mobile device clock is accurate by confirming the network time and correct timezone.
If the device clock is set correctly, the issue could instead be caused by, for example, the FortiAuthenticator or FortiGate and the FortiTokens having been initialized before an NTP server was configured. This produces a time difference too large for the synchronize function to correct. To recover from this, the affected tokens can be manually adjusted for drift.
Make sure to understand the reason for the synchronization issue. The tokens are time-based by default and each code is valid for a window of 60 seconds. This also means that the FortiAuthenticator or FortiGate, as well as FortiToken Mobile and FortiToken hardware tokens, all calculate the code from the current time.
If the system time on the mobile device changes, the code it currently displays changes. If the system time of the FortiGate or FortiAuthenticator changes, the code it currently accepts changes. This is true for all users.
Scope
FortiAuthenticator.
Solution
The following procedure is intended only for special cases where some FortiTokens are severely out of sync, for example when the clock is switched from manual configuration to NTP control. Under normal circumstances, this is not required.
Only activated FortiTokens can be adjusted.
FortiAuthenticator.
Enter the required time adjustment in minutes:
Include a minus sign (-) for a negative value. (A plus sign (+) is not necessary for positive values.)
If the Drift/Counter column for the FortiToken(s) shows a positive value (for example 4), enter the negated value (-4) as the Time adjustment in the Adjust Token Drift popup to reset the counter to zero (0).
Likewise, for a negative value (-4), enter the positive value (4) as the Time adjustment in the Adjust Token Drift popup. Below is an example:
Select 'OK' to adjust the Token drift by the specified time:
One more way to fix this is to simply synchronize FortiToken codes displayed on the app with the FortiAuthenticator.
GUI -> Authentication -> User Management -> Remote Users, select user, Test Token
Test Token asks for the current code and returns a response like 'Token not in sync'.
It then requests the next code: provide it. The response should be 'Token in sync'.
The user should now be able to authenticate.
If a different token is assigned to that user, the procedure must be repeated as long as the same time difference between the client and the FortiAuthenticator persists.
Another method that makes the tokens more likely to be accepted is to widen the window of currently accepted OTP codes under GUI -> Authentication -> User Account Policies -> Tokens.
For TOTP (time-based OTP, the default) the window is adjusted with 'TOTP authentication window size'. This should only be used as a workaround, since a wider window increases the number of codes accepted at any moment and therefore the likelihood that a guessed OTP is correct.
FortiGate.
On the FortiGate, use the following diagnostic CLI commands:
diag fortitoken
info <- Show current drift and status for each FortiToken.
test <- Test FortiToken with screen setting for drift of internal clock.
diag fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOB88D218EC72 0 new
FTKMOB88DA72FE54 0 new
diag fortitoken test <FortiToken_ID> <token_code1> <next_token_code2> <drift_screen_size>
To adjust or resynchronize FortiToken for drift, open a CLI connection to the FortiGate and use the following command:
exec fortitoken sync <FortiToken_ID> <token_code1> <next_token_code2>
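To make the mechanics above concrete, here is a small Python model added to this article (it is not Fortinet's implementation and does not reproduce FortiToken internals): a standard RFC 6238 TOTP (HMAC-SHA1, 6 digits) with the 60-second step described earlier. It shows why a device clock running 4 minutes ahead yields 'token out of sync' at the default window, how the two-consecutive-code check behind Test Token and 'exec fortitoken sync <FortiToken_ID> <token_code1> <next_token_code2>' recovers the drift, how the Adjust Token Drift sign convention (a counter of 4 is zeroed by entering -4) applies, and why widening the TOTP authentication window raises the odds of a guessed code. The secret, the server timestamp, the search limit and the assumption that the Drift/Counter value is expressed in 60-second steps are all constructed for this example.

```python
# Added example (not Fortinet's code): a minimal RFC 6238 TOTP model that shows
# why clock drift makes a FortiAuthenticator/FortiGate reject a valid FortiToken
# code, how a stored drift offset (and the Adjust Token Drift sign convention)
# compensates for it, how resynchronization recovers the offset from two
# consecutive codes, and what widening the accepted window costs.
# The secret, timestamps, step size and search limit are constructed assumptions.
import hashlib
import hmac
import struct

STEP = 60        # assumption: one code per 60-second step, as the article states
DIGITS = 6       # assumption: 6-digit codes

SECRET = b"constructed-demo-seed-not-a-real-token"   # constructed, not a real seed
SERVER_TIME = 1_700_000_000                           # constructed server clock (epoch seconds)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, dynamic truncation."""
    counter = unix_time // STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, drift_steps: int = 0, window: int = 1):
    """Server-side check. The stored per-token drift (in steps) is added to the
    server's counter first; then every step within +/-window is tried.
    Returns the step offset at which the code matched, or None ("token out of sync")."""
    base = server_time // STEP + drift_steps
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, (base + delta) * STEP), code):
            return delta
    return None


def resync(secret: bytes, code1: str, code2: str, server_time: int, search_steps: int = 60):
    """Model of Test Token / 'exec fortitoken sync <id> <code1> <code2>': look for two
    consecutive steps producing code1 then code2 within +/-search_steps of the server
    clock (search_steps plays the role of <drift_screen_size>). Returns the drift in
    steps to store for the token, or None if no consecutive pair is found."""
    base = server_time // STEP
    for delta in range(-search_steps, search_steps + 1):
        if (totp(secret, (base + delta) * STEP) == code1
                and totp(secret, (base + delta + 1) * STEP) == code2):
            return delta
    return None


def apply_adjustment(drift_counter: int, adjustment_minutes: int) -> int:
    """Model of the Adjust Token Drift popup: the entered minutes are added to the
    Drift/Counter value, so a counter of 4 is zeroed by entering -4 and -4 by entering 4.
    Assumes the counter is expressed in 60-second steps, i.e. minutes."""
    return drift_counter + adjustment_minutes * 60 // STEP


def guess_probability(window: int, digits: int = DIGITS) -> float:
    """Chance that a single random guess hits any of the 2*window+1 codes accepted
    at one moment; widening the TOTP authentication window raises it linearly."""
    return (2 * window + 1) / 10 ** digits


def demo() -> dict:
    """Walk through a mobile device whose clock runs 4 minutes ahead of the server."""
    device_time = SERVER_TIME + 4 * STEP
    shown = totp(SECRET, device_time)                   # code the user reads off the app
    rejected = verify(SECRET, shown, SERVER_TIME)       # None: drift exceeds default window
    drift = resync(SECRET, shown, totp(SECRET, device_time + STEP), SERVER_TIME)  # 4 steps
    accepted = verify(SECRET, shown, SERVER_TIME, drift_steps=drift)              # 0: in sync
    return {
        "rejected": rejected,
        "drift": drift,
        "accepted": accepted,
        "counter_after_adjust": apply_adjustment(drift, -drift),   # entering -4 zeroes 4
        "p_guess_window_1": guess_probability(1),
        "p_guess_window_4": guess_probability(4),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the dictionary from demo(): the first verification fails, resync() recovers a drift of 4 steps, the same code is then accepted at offset 0, and the guess probability triples when the window grows from 1 to 4 steps, which is the trade-off behind the 'TOTP authentication window size' workaround.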
Related documents:
FortiToken physical device and FortiToken Mobile.
Synchronizing FortiTokens (refers to hardware tokens kept in storage)
Copyright 2024 Fortinet, Inc. All Rights Reserved.