FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Debbie_FTNT
Staff
Article Id 190231
Description
This article describes possible reasons for Remote User Sync Rules on FortiAuthenticator not assigning two-factor authentication as expected.

Useful links:

Fortinet Documentation
Configure remote user sync rules: https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/761964/configuring-remote-user...

Solution
FortiAuthenticator can synchronize users from remote LDAP servers.
Remote User Sync Rules can also assign two-factor authentication (a token) to users automatically as they are synchronized, which allows bulk assignment for existing users and automatic assignment for new ones.


However, a Remote User Sync Rule can appear to execute successfully while the tokens it should assign are never actually added to the synchronized users.


There are several possible causes:


1) The user is already synchronized to FortiAuthenticator

If the user(s) that should be assigned a token via a Remote User Sync Rule already exist on FortiAuthenticator, FortiAuthenticator skips them when the Sync Rule is executed and no token is assigned.
The user(s) in question may already have been synchronized by the same rule (if it was modified later to start assigning tokens) or by a different rule.
This is especially common when a user matches the filters of more than one Sync Rule.

To fix this, delete the user(s) from FortiAuthenticator (Authentication -> User Management -> Remote Users), then execute the Remote User Sync Rule again. Deleting the remote user object also discards anything configured on it locally (for example an existing token assignment or group membership), so check the affected accounts first.

Note: This case does not trigger any error message.


2) There are no users matching the defined filter

This is visible in the logs after the Remote User Sync Rule is executed; there will be log messages to this effect:
date=2019-09-25 time=15:38:59+0000 oid=635 logid=30303 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="Sync rule "Forti-test" was aborted because LDAP server "Forti-test (10.5.25.99)" returned an empty result and enforce empty response is disabled. It is not clear whether this is an expected result or a misconfiguration. Please check your configuration." user=""
date=2019-09-25 time=15:38:58+0000 oid=634 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="No remote users found for sync rule "Forti-test" on remote LDAP server Forti-test (10.5.25.99)." user=""

3) There is an issue with the Token getting assigned

If required attribute values are missing for a user (for example no email address, which a FortiToken Mobile (FTM) assignment needs), token assignment fails during the Remote User Sync and the affected users are not added on FortiAuthenticator.
This is also visible in the logs:
date=2019-09-25 time=15:33:43+0000 oid=621 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Unable to import valid token-based authentication for remote LDAP user marfortinet (rule: FortiTokenTest) @ Forti-test (10.5.25.99)." user="marfortinet"
date=2019-09-25 time=15:33:43+0000 oid=620 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Cannot assign an FTM token to remote LDAP user marfortinet @ Forti-test (10.5.25.99) without a valid email address." user=""
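As an added example (not part of this article and not Fortinet's own tooling), the following Python script parses FortiAuthenticator log lines in the format quoted above and maps the messages for causes 2 and 3 back onto the numbered causes of this article. The cause labels and the triage logic are this example's own; the patterns are written against the exact messages shown here, so a different firmware version may word them differently, and the sample input is simply the four lines quoted above embedded inline.

```python
import re
from collections import Counter

# The four log lines quoted in this article, embedded so the script runs
# offline (they are the article's lines, not a live log export).
SAMPLE_LOGS = """\
date=2019-09-25 time=15:38:59+0000 oid=635 logid=30303 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="Sync rule "Forti-test" was aborted because LDAP server "Forti-test (10.5.25.99)" returned an empty result and enforce empty response is disabled. It is not clear whether this is an expected result or a misconfiguration. Please check your configuration." user=""
date=2019-09-25 time=15:38:58+0000 oid=634 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="No remote users found for sync rule "Forti-test" on remote LDAP server Forti-test (10.5.25.99)." user=""
date=2019-09-25 time=15:33:43+0000 oid=621 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Unable to import valid token-based authentication for remote LDAP user marfortinet (rule: FortiTokenTest) @ Forti-test (10.5.25.99)." user="marfortinet"
date=2019-09-25 time=15:33:43+0000 oid=620 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Cannot assign an FTM token to remote LDAP user marfortinet @ Forti-test (10.5.25.99) without a valid email address." user=""
"""

# A field boundary is a space followed by the next key=. Splitting there,
# rather than on every space or with a CSV/shlex reader, keeps msg="..."
# intact even though it contains unescaped double quotes around the rule
# and server names. Caveat: a message containing a literal " word=" would
# be cut there; none of the messages on this page do.
FIELD_SPLIT = re.compile(r" (?=[a-z_]+=)")


def parse_fa_log_line(line: str) -> dict:
    """Parse one FortiAuthenticator key=value log line into a dict."""
    fields = {}
    for token in FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip only the outer quotes
        fields[key] = value
    return fields


# Patterns for the messages of causes 2 and 3 quoted in this article.
# The cause names are this example's own labels, not FortiAuthenticator's.
CAUSE_PATTERNS = [
    ("empty_ldap_result", re.compile(
        r'^Sync rule "(?P<rule>[^"]+)" was aborted because LDAP server '
        r'"(?P<server>[^"]+)" returned an empty result')),
    ("no_users_matched", re.compile(
        r'^No remote users found for sync rule "(?P<rule>[^"]+)"')),
    ("token_import_failed", re.compile(
        r'^Unable to import valid token-based authentication for remote '
        r'LDAP user (?P<user>\S+) \(rule: (?P<rule>[^)]+)\)')),
    ("token_missing_email", re.compile(
        r'^Cannot assign an FTM token to remote LDAP user (?P<user>\S+) @ '
        r'.* without a valid email address')),
]


def classify_sync_event(fields: dict):
    """Return (cause, captured names) for a known sync-rule message, else None."""
    msg = fields.get("msg", "")
    for cause, pattern in CAUSE_PATTERNS:
        match = pattern.match(msg)
        if match:
            return cause, match.groupdict()
    return None


def triage_sync_logs(text: str) -> dict:
    """Summarise a log export: which causes fired, for which rules and users."""
    findings = {"causes": Counter(), "rules": set(),
                "users_without_email": set(), "unclassified": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = parse_fa_log_line(raw)
        result = classify_sync_event(fields)
        if result is None:
            findings["unclassified"].append(fields.get("msg", raw))
            continue
        cause, detail = result
        findings["causes"][cause] += 1
        if "rule" in detail:
            findings["rules"].add(detail["rule"])
        if cause == "token_missing_email":
            findings["users_without_email"].add(detail["user"])
    return findings


def next_step(findings: dict) -> str:
    """Map the triage result onto the numbered causes in this article."""
    causes = findings["causes"]
    if causes["token_missing_email"] or causes["token_import_failed"]:
        users = ", ".join(sorted(findings["users_without_email"])) or "(see log)"
        return "cause 3: token assignment failed; fix the LDAP mail attribute for " + users
    if causes["empty_ldap_result"] or causes["no_users_matched"]:
        return "cause 2: the rule's LDAP filter matched no users; check base DN and filter"
    if findings["unclassified"]:
        return "cause 4: unrecognised sync messages; read them under Logging -> Log Access -> Logs"
    # Cause 1 (users already synchronized) logs nothing, so silence is the hint.
    return ("cause 1: nothing was logged; check whether the users already exist under "
            "Authentication -> User Management -> Remote Users")


if __name__ == "__main__":
    result = triage_sync_logs(SAMPLE_LOGS)
    print(dict(result["causes"]), sorted(result["rules"]))
    print(next_step(result))
```

Run it against a log export (Logging -> Log Access -> Logs, filtered to the time of the sync) and read the final line; an empty result from `triage_sync_logs` is itself informative, because cause 1 is the only one of the listed causes that produces no log message at all.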

4) Other reasons

Other issues are also visible in the logs (Logging -> Log Access -> Logs) after a Remote User Sync Rule has executed.
If Remote User Sync still does not assign tokens after the above points have been checked, contact Fortinet Technical Support or visit the Fortinet Forums.
