| Description | This article describes an issue where FortiGate always shows the first PKI admin name as the logged-in admin when multiple PKI admin accounts are configured. |
| Scope | FortiGate. |
| Solution |
In this example, two PKI admin users 'user1' and 'user2' are configured under the same group, as shown below:
config user peer
config user group
config system admin
    edit "user1"
However, when user2 logs into the GUI, FortiGate shows that user1 is logged in, both in the GUI and in the output of 'get system admin list':
get system admin list
The System Event log also records the login as user1, even though the certificate subject has CN = user2:
date=2025-11-20 time=20:46:25 eventtime=1763700385414505817 tz="-0800" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1763700385" user="user1" ui="https(192.168.x.x)" method="https" srcip=192.168.x.x dstip=192.168.x.x action="login" status="success" reason="none" profile="super_admin" msg="Administrator user1(C = CA, ST = Ontario, L = Ottawa, O = Fortinet, CN = user2) logged in successfully from https(192.168.x.x)"
This is expected behavior. Access rights and permissions are assigned to PKI admin accounts under 'config system admin', not to peer users under 'config user peer'. When several PKI admin accounts reference the same peer group, the system has no way to decide which admin account the presented certificate should be matched to, so the first matching admin account is used.
To resolve this issue, put each PKI user in a separate user group. For example:
config user group
    edit "PKI_ADMIN"
config system admin
    edit "user1"
After that, FortiGate will show the correct logged-in PKI user.
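The complete configuration for this fix, as an added example that is not taken from the article: each PKI peer user is pinned to its certificate CN, placed in its own user group, and each admin account under 'config system admin' references only its own group. The CA certificate name 'CA_Cert_1' and the group names are assumed placeholders.

```text
# Added example (not from the article): one peer group per PKI admin account.
# 'CA_Cert_1' is a placeholder for the CA that issued the admin client certificates.
config user peer
    edit "user1"
        set ca "CA_Cert_1"
        set cn "user1"
    next
    edit "user2"
        set ca "CA_Cert_1"
        set cn "user2"
    next
end
# Separate groups: a certificate can now match only one group, hence one admin account.
config user group
    edit "PKI_ADMIN_1"
        set member "user1"
    next
    edit "PKI_ADMIN_2"
        set member "user2"
    next
end
config system admin
    edit "user1"
        set accprofile "super_admin"
        set peer-auth enable
        set peer-group "PKI_ADMIN_1"
    next
    edit "user2"
        set accprofile "super_admin"
        set peer-auth enable
        set peer-group "PKI_ADMIN_2"
    next
end
```

With this layout the 'user=' field in the "Admin login successful" event and the output of 'get system admin list' report the admin account whose group the certificate actually matched, so the audit trail reflects the real certificate holder.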
Related articles:
Technical Tip: Configure admin certificate authentication
Technical Tip: PKI peer user/usergroup creation for certificate authentication
Copyright 2025 Fortinet, Inc. All Rights Reserved.