FortiAuthenticator
Debbie_FTNT
Staff
Article Id 190231

Description


This article describes possible reasons for Remote User Sync Rules on FortiAuthenticator not assigning two-factor authentication as expected.


Scope


FortiAuthenticator.

Solution


FortiAuthenticator can be used to synchronize users from remote LDAP servers.
This feature can also be used to automatically assign two-factor authentication to users as they are synchronized to FortiAuthenticator, allowing bulk assignment for existing users and automated assignment for new ones.


A guide on configuring remote user sync rules can be found in the FortiAuthenticator Administration Guide.


However, a Remote User Sync Rule can sometimes appear to execute successfully while the tokens that should be assigned are never actually added to the synchronized users.

There are several possible reasons for this:

  1. The user is already synchronized to FortiAuthenticator.


If the user(s) that should be assigned a token via a Remote User Sync Rule already exist on FortiAuthenticator, FortiAuthenticator skips them when the Sync Rule is executed, and no token is assigned.
The user(s) in question may already have been synchronized via the same rule (if it was modified later to start assigning tokens) or via a different rule.

To fix this, remove the user(s) from FortiAuthenticator (delete them under Authentication -> User Management -> Remote Users), then execute the Remote User Sync Rule again.
Note: This case does not trigger any error message, so the sync appears to have succeeded.

  2. There are no users matching the defined filter.


This will be visible in the logs after the Remote User Sync Rule is executed. There will be log messages to this effect:


date=2019-09-25 time=15:38:59+0000 oid=635 logid=30303 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="Sync rule "Forti-test" was aborted because LDAP server "Forti-test (10.5.25.99)" returned an empty result and enforce empty response is disabled. It is not clear whether this is an expected result or a misconfiguration. Please check your configuration." user=""
date=2019-09-25 time=15:38:58+0000 oid=634 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="No remote users found for sync rule "Forti-test" on remote LDAP server Forti-test (10.5.25.99)." user=""


  3. There is an issue with the token getting assigned.


When a FortiToken Mobile, SMS or email token is to be assigned to the user during import, FortiAuthenticator requires a corresponding LDAP attribute, such as 'mail' or 'mobile', so that the activation code can be sent or the correct email address/mobile phone number can be set on the user.

If a user lacks the required attribute, token assignment fails; that user is therefore skipped when the Sync Rule is executed and is not imported at all.

Users with the required attributes will still be imported.


This is also visible in logs:


date=2019-09-25 time=15:33:43+0000 oid=621 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Unable to import valid token-based authentication for remote LDAP user marfortinet (rule: FortiTokenTest) @ Forti-test (10.5.25.99)." user="marfortinet"
date=2019-09-25 time=15:33:43+0000 oid=620 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Cannot assign an FTM token to remote LDAP user marfortinet @ Forti-test (10.5.25.99) without a valid email address." user=""


  4. Other reasons.


Other issues can also be visible in the logs (go to: Logging -> Log Access -> Logs) after a Remote User Sync Rule has executed.
If Remote User Sync still does not assign tokens after the points above have been checked, contact Fortinet Technical Support or visit the Fortinet Community.
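As an added example (not from this article or from Fortinet), the following Python parses the FortiAuthenticator event-log lines quoted under reasons 2 and 3 above and classifies each one into the sync-rule failure it indicates, so that a sync run whose log contains these events can be flagged instead of being taken as successful. The log format, field names and message texts are exactly those of the lines on this page; the reason labels, regular expressions and function names are my own and carry no meaning on FortiAuthenticator itself. The parser deliberately handles the unescaped inner quotes inside msg (for example "Forti-test"), which break a naive key="value" split.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the four event-log lines quoted in this article
# (reasons 2 and 3), embedded here so the example runs offline.
SAMPLE_LOGS = [
    'date=2019-09-25 time=15:38:59+0000 oid=635 logid=30303 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="Sync rule "Forti-test" was aborted because LDAP server "Forti-test (10.5.25.99)" returned an empty result and enforce empty response is disabled. It is not clear whether this is an expected result or a misconfiguration. Please check your configuration." user=""',
    'date=2019-09-25 time=15:38:58+0000 oid=634 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="No remote users found for sync rule "Forti-test" on remote LDAP server Forti-test (10.5.25.99)." user=""',
    'date=2019-09-25 time=15:33:43+0000 oid=621 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Unable to import valid token-based authentication for remote LDAP user marfortinet (rule: FortiTokenTest) @ Forti-test (10.5.25.99)." user="marfortinet"',
    'date=2019-09-25 time=15:33:43+0000 oid=620 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Cannot assign an FTM token to remote LDAP user marfortinet @ Forti-test (10.5.25.99) without a valid email address." user=""',
]

# Fields are key=value or key="value". The msg value contains unescaped inner
# quotes, so a quoted value is only considered closed by a quote that is
# immediately followed by the next key= token (or by end of line).
FIELD_RE = re.compile(r'(\w+)=(?:"(.*?)"|(\S*))(?=\s+\w+=|\s*$)')

# Reason labels are my own; the patterns are taken from the message texts above.
REASON_PATTERNS = [
    ("no_matching_users",
     re.compile(r"returned an empty result|No remote users found")),
    ("token_assignment_failed",
     re.compile(r"Unable to import valid token-based authentication|Cannot assign an? \w+ token")),
]
RULE_RE = re.compile(r'[Ss]ync rule "([^"]+)"|\(rule: ([^)]+)\)')
USER_RE = re.compile(r"remote LDAP user (\S+)")


def parse_fac_log(line: str) -> Dict[str, str]:
    """Split one FortiAuthenticator log line into a key -> value dict."""
    fields: Dict[str, str] = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify_sync_event(fields: Dict[str, str]) -> str:
    """Map a parsed event to one of the sync-rule failure reasons, or 'other'."""
    msg = fields.get("msg", "")
    for reason, pattern in REASON_PATTERNS:
        if pattern.search(msg):
            return reason
    return "other"


def sync_rule_name(msg: str) -> Optional[str]:
    """Extract the sync rule named in the message, in either of the two forms seen."""
    match = RULE_RE.search(msg)
    if not match:
        return None
    return match.group(1) or match.group(2)


def affected_user(fields: Dict[str, str]) -> Optional[str]:
    """Prefer the user= field; fall back to the user named inside msg, since
    the 'Cannot assign' event leaves user= empty."""
    if fields.get("user"):
        return fields["user"]
    match = USER_RE.search(fields.get("msg", ""))
    return match.group(1) if match else None


def summarize_sync_failures(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Return one finding per event that maps to a known sync-rule failure."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in lines:
        fields = parse_fac_log(line)
        reason = classify_sync_event(fields)
        if reason == "other":
            continue
        findings.append({
            "oid": fields.get("oid"),
            "level": fields.get("level"),
            "reason": reason,
            "rule": sync_rule_name(fields.get("msg", "")),
            "user": affected_user(fields),
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_sync_failures(SAMPLE_LOGS):
        print(finding)
```

Run over a real log export, the same summary separates reason 2 (no users matched the filter, rule-level) from reason 3 (per-user attribute missing, user-level); reason 1 produces no event at all, which is why it is not detectable this way and has to be checked under Remote Users instead.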