FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
simonz_FTNT
Staff
Article Id 368444
Description

This article describes how to troubleshoot a FortiAuthenticator Windows Agent 2FA authentication error that occurs with a manually entered OTP token while authentication with Push Token works without issue.

Scope

FortiAuthenticator Windows Agent.

Solution

When running a simulation in the FortiAuthenticator Agent Configuration tool with a manual OTP token, the following error appears in the message box:


Verification of user (labuser) OTP failed: VerifyOTP for user labuser failed: 401 Unauthorized


First, check the log file named FAC_Agent.Service.ServiceHost_log under C:\Program Files\Fortinet\FortiAuthenticator Agent\log, which gives more context on the failure. In this case, the following error is observed:

 

2024-12-21 12:56:39,918 [4652|  15|DEBUG] FAC_Agent.Service.Impl: Processing LoginRequest for: labuser in session: 0 reason: Login

2024-12-21 12:56:39,918 [4652|  15|DEBUG] TwoFactorAuthPlugin: Received domain: SYDAD, username: labuser

2024-12-21 12:56:39,918 [4652|  15|DEBUG] TwoFactorAuthPlugin: Attempting authentication for labuser

2024-12-21 12:56:39,918 [4652|  15|DEBUG] TwoFactorAuthenticator: Authenticate input pars: subj name: FAC-VM0A12xxxxxx, host: 10.56.244.176:443, nretries: 3,  timeout: 5, allow_on_fail: Block, verifycert: False, certfile: C:\Program Files\Fortinet\fortinet_ca.crt, admin name: rest_user, Preferred Server

2024-12-21 12:56:39,918 [4652|  15|DEBUG] RestAPI: Initializing RestApi hostname: FAC-VM0A12xxxxxx, host: 10.56.xxx.xxx:443, verifyCert: False, admin: rest_user

2024-12-21 12:56:39,918 [4652|  43|DEBUG] RestAPI: Calling (REALMAUTH)

2024-12-21 12:56:39,981 [4652|  15|DEBUG] RestAPI: VerifyOTP for user labuserfailed: 401 Unauthorized

2024-12-21 12:56:39,981 [4652|  15|DEBUG] TwoFactorAuthenticator: Verification of user (labuser) OTP failed: VerifyOTP for user labuser failed: 401 Unauthorized

2024-12-21 12:56:39,981 [4652|  15|ERROR] PluginDriver: Failed to authenticate labuser, Message: Verification of user (labuser) OTP failed: VerifyOTP for user labuser failed: 401 Unauthorized

 

From the log, the authentication process looks normal: the agent tries to authenticate labuser with FortiAuthenticator via the REST API, but it receives '401 Unauthorized'. This error points to a permission issue, so the focus should be on the REST API user account.

 

Make sure the REST API user account's User Role has Full Permission selected, as shown in the screenshot below. Do not use a pre-defined or custom admin profile, as this causes the above issue.


rest_api_01.png

 

Refer to this article if getting a 403 Forbidden error: Troubleshooting Tip: Troubleshooting '403 Forbidden' Errors in FortiAuthenticator Agent for Windows ...
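
The log check described above can be scripted when several agent machines need triage. This is an added example, not Fortinet's code: it parses lines in the format of the article's log excerpt and pairs each failed login with the REST API account and certificate-verification setting logged just before it. The function name triage, the regular expressions and the output field names are assumptions based only on that excerpt.

```python
import re

# Log lines copied from the article's excerpt of FAC_Agent.Service.ServiceHost_log.
SAMPLE_LOG = r"""
2024-12-21 12:56:39,918 [4652|  15|DEBUG] TwoFactorAuthPlugin: Attempting authentication for labuser
2024-12-21 12:56:39,918 [4652|  15|DEBUG] RestAPI: Initializing RestApi hostname: FAC-VM0A12xxxxxx, host: 10.56.xxx.xxx:443, verifyCert: False, admin: rest_user
2024-12-21 12:56:39,918 [4652|  43|DEBUG] RestAPI: Calling (REALMAUTH)
2024-12-21 12:56:39,981 [4652|  15|DEBUG] RestAPI: VerifyOTP for user labuserfailed: 401 Unauthorized
2024-12-21 12:56:39,981 [4652|  15|ERROR] PluginDriver: Failed to authenticate labuser, Message: Verification of user (labuser) OTP failed: VerifyOTP for user labuser failed: 401 Unauthorized
"""

# Line layout assumed from the excerpt: timestamp [pid| thread|LEVEL] Component: message
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
                  r"\[\s*(?P<pid>\d+)\|\s*(?P<tid>\d+)\|\s*(?P<level>\w+)\] "
                  r"(?P<component>[\w.]+): (?P<msg>.*)$")
INIT = re.compile(r"Initializing RestApi .*verifyCert: (?P<verify>\w+), admin: (?P<admin>\S+)")
FAIL = re.compile(r"Failed to authenticate (?P<user>[^,]+), .*failed: (?P<code>\d{3}) ")

# Next steps as stated in the article, keyed by HTTP status code.
HINTS = {
    "401": "Set the REST API user's User Role to Full Permission; "
           "do not use a pre-defined or custom admin profile.",
    "403": "See the article's linked '403 Forbidden' troubleshooting tip.",
}

def triage(text):
    """Return one finding per failed login, with the REST API context logged before it."""
    findings, ctx = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line in another layout
        if m["component"] == "RestAPI" and (init := INIT.search(m["msg"])):
            # Remember which REST account was used and whether the server cert was verified.
            ctx = {"api_admin": init["admin"], "verify_cert": init["verify"] == "True"}
        elif m["level"] == "ERROR" and (fail := FAIL.search(m["msg"])):
            findings.append({"time": m["ts"], "user": fail["user"], "status": fail["code"],
                             **ctx,
                             "next_step": HINTS.get(fail["code"], "Not covered by the article.")})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

To use it on a real machine, pass the contents of the log file to triage() instead of SAMPLE_LOG.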