FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Debbie_FTNT
Staff
Article Id 323136
Description


This article describes how FortiTokens can end up in status 'Assigned' but with no associated user, and how to fix this.


Scope


FortiAuthenticator, FortiToken.


Solution


Under some circumstances, FortiTokens managed by FortiAuthenticator may end up in the state 'Assigned', but have no associated user, as in this screenshot:

[Screenshot: assigned-token.PNG, a FortiToken shown with status 'Assigned' and no user]

This happens in the following setup: users are synced from a remote LDAP or SAML server, and each user's token is assigned through an LDAP or SAML attribute that carries the FortiToken serial number.

[Screenshot: image.png]

The sequence of events that leaves a token orphaned is:

  1. A user is synced and is assigned an initial FortiToken.
  2. The serial number set in the user's LDAP or SAML attribute changes.
  3. The same user is synced again. This causes two things:
  • The user's FortiToken is updated to the new serial number.
  • The old FortiToken remains in the status 'Assigned', but no longer belongs to any user.


This behavior is a reported issue (ID 923385) and has been fixed in firmware versions 6.4.8, 6.5.4, and 6.6.0. On those versions, a re-sync with a changed serial number releases the old token, so tokens no longer end up in the status 'Assigned' with no user.
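To make the sequence above concrete, here is an added Python model of the sync behavior. It is not FortiAuthenticator's own code: the user name and token serials are constructed, and the `fixed` flag stands in for firmware before and after the fix for issue 923385. The `orphaned()` check is the audit a practitioner would run over an exported token list to find tokens that are 'Assigned' with no user.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Token:
    serial: str
    status: str = "Available"      # "Available" or "Assigned"
    user: Optional[str] = None     # owning user, if any


@dataclass
class Inventory:
    tokens: Dict[str, Token] = field(default_factory=dict)
    users: Dict[str, str] = field(default_factory=dict)  # username -> serial

    def sync_user(self, username: str, attr_serial: str, fixed: bool) -> None:
        """Apply the serial carried by the user's LDAP/SAML attribute."""
        old = self.users.get(username)
        if old == attr_serial:
            return                                  # nothing changed
        if old is not None:
            prev = self.tokens[old]
            prev.user = None                        # both firmwares drop the owner
            if fixed:
                prev.status = "Available"           # fixed firmware releases it
            # unfixed firmware leaves prev.status == "Assigned": the orphan
        new = self.tokens[attr_serial]
        new.status, new.user = "Assigned", username
        self.users[username] = attr_serial

    def orphaned(self) -> List[str]:
        """Serials that are 'Assigned' but have no user (the affected tokens)."""
        return sorted(t.serial for t in self.tokens.values()
                      if t.status == "Assigned" and t.user is None)


def reproduce(fixed: bool) -> Inventory:
    """Replay the three-step sequence with constructed serials and user."""
    inv = Inventory()
    for serial in ("FTK0000000000001", "FTK0000000000002"):   # constructed
        inv.tokens[serial] = Token(serial)
    inv.sync_user("alice", "FTK0000000000001", fixed)   # step 1: initial sync
    inv.sync_user("alice", "FTK0000000000002", fixed)   # steps 2-3: attribute changed, re-sync
    return inv


if __name__ == "__main__":
    print("orphaned on unfixed firmware:", reproduce(False).orphaned())
    print("orphaned on fixed firmware:  ", reproduce(True).orphaned())
```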


However, tokens already in this state will not be automatically corrected.

There are three options to fix already affected tokens:

  • Unlock the tokens.
  • Delete them and add them to FortiAuthenticator again.
  • Open a ticket with FortiAuthenticator support; support team members have tools that give greater access to the underlying database and can find and fix affected tokens more easily.