FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff
Article Id 349519
Description This article describes the minimum required permissions for a non-administrative account, in order to join FortiNAC to the Active Directory domain.
Scope FortiNAC.
Solution
  1. In Active Directory Users and Computers, create the user account that will be used for the join process.

Select the following account options:

  • 'User cannot change password'.
  • 'Password never expires'.

Because the password never expires, treat this account as a service account: do not add it to any privileged group. The delegated permissions in the following steps are all it needs to join FortiNAC to the domain.

 

Figure 1. Create the user account to perform the domain join.

 

  2. Delegate control on the OU (or container) in which the FortiNAC computer object will be created.

     

    In this example the FortiNAC computer object is created in the default 'Computers' container. Any custom-created OU can be used instead; delegate control on that OU in the same way.

    Right-click the 'Computers' container and select 'Delegate Control'.

     

    Figure 2. Select the container where the FortiNAC object will be created after the join process.

     

  3. Select the user to which control is delegated.

    After typing the user name, select 'Check Names' so that it is resolved and added correctly.

     

    Figure 3. Add the user account to delegate control.

     

    Then select OK -> Next and choose 'Create a custom task to delegate'.

     

  4. Define the scope of the delegation.

    Limit the delegation to computer objects only ('Only the following objects in the folder' -> 'Computer objects').

     

    Figure 4. Delegate control only to computer objects.

     

    Select Next to proceed to the permission selection page.

     

  5. Apply the permissions.

     

    Select the following permissions:

     

    • Create all Child Objects.
    • Write All properties.
    • Change Password.
    • Reset Password.

     

    Figure 5. Select the minimum required permissions for the domain join.

     

  6. Perform the domain join from FortiNAC under Network -> RADIUS -> WINBIND.

     

Follow this article to perform the domain join and configure Winbind correctly:

Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks
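The following PowerShell script is an added example and is not part of the Fortinet article. It performs steps 1 to 5 above without the GUI wizard: it creates the join account with the two account options from Figure 1, grants the same rights (create computer objects, Write All Properties, Change Password, Reset Password) on the target container limited to computer objects, and then lists the resulting ACEs so the delegation can be verified before attempting the join. The account name 'fortinac-join' and the use of the default Computers container are assumptions; replace them with your own values. The script writes the ACEs directly with the ActiveDirectory module rather than reproducing the exact entries the Delegation of Control wizard would generate, and it must be run on a domain member with the RSAT ActiveDirectory module as a user allowed to modify the container's security descriptor.

```powershell
# Added example, not from the Fortinet article: scripted equivalent of steps 1 to 5.
# Assumed values: join account 'fortinac-join' and the default Computers container.
Import-Module ActiveDirectory

function New-FortiNacJoinAccount {
    param([string]$SamAccountName, [securestring]$Password)
    # Step 1: the two checkboxes in Figure 1 map to these two parameters.
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true -PassThru
}

function Grant-FortiNacJoinRights {
    param([string]$SamAccountName, [string]$TargetDN)

    # Steps 2 to 5: look the schema and extended-right GUIDs up instead of hard-coding them.
    $rootDse = Get-ADRootDSE
    $computerClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
    $extRightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $changePw = [guid](Get-ADObject -SearchBase $extRightsDN `
        -LDAPFilter '(displayName=Change Password)' -Properties rightsGuid).rightsGuid
    $resetPw = [guid](Get-ADObject -SearchBase $extRightsDN `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADUser $SamAccountName).SID
    $none = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $desc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    $rules = @(
        # Allow creating computer objects directly in the container (the FortiNAC object itself).
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'CreateChild', 'Allow', $computerClass, $none, [guid]::Empty)
        # Write All Properties, Change Password and Reset Password, limited to computer
        # objects below the container (scope from step 4, permissions from step 5).
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'WriteProperty', 'Allow', [guid]::Empty, $desc, $computerClass)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'ExtendedRight', 'Allow', $changePw, $desc, $computerClass)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'ExtendedRight', 'Allow', $resetPw, $desc, $computerClass)
    )

    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

function Get-FortiNacJoinRights {
    # Verification: list only the ACEs that name the join account on the container.
    param([string]$SamAccountName, [string]$TargetDN)
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.IdentityReference -like "*\$SamAccountName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

# Assumed account name and target container; adjust for a custom OU.
$joinUser = 'fortinac-join'
$targetDN = "CN=Computers,$((Get-ADDomain).DistinguishedName)"

$password = Read-Host -AsSecureString "Password for $joinUser"
New-FortiNacJoinAccount -SamAccountName $joinUser -Password $password | Out-Null
Grant-FortiNacJoinRights -SamAccountName $joinUser -TargetDN $targetDN
Get-FortiNacJoinRights -SamAccountName $joinUser -TargetDN $targetDN
```

The Reset Password ACE is inherited by computer objects that already exist below the container, so the same delegation also covers the case where FortiNAC is re-joined with a different account and the existing machine account password must be reset. If Get-FortiNacJoinRights shows no entry for the account, or one missing the Reset Password extended right, the join is expected to fail with the INSUFF_ACCESS_RIGHTS error described under Permission Errors.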

 

Permission Errors:

 

In some situations, when the domain join is performed from FortiNAC in step 6, LDAP returns the following error:

 

CLI error in the FortiNAC output.master log file:

 

yams.WinbindPlatformService SEVERE :: 2024-10-15 14:06:04:998 :: #7258 :: Error joining domain [FORTIDC] (FORTI\test4):
ads_print_error: AD LDAP ERROR: 50 (Insufficient access): 00000005: SecErr: DSID-031A11CF, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Failed to join domain: Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)

 

GUI error:

 

Figure 6. Permissions issue when attempting the domain join of FortiNAC.

 

This error shows that the user account lacks the delegated permissions required to perform the domain join.

The same error can also occur when FortiNAC is already joined to the domain as a computer object and a different account is used to re-run the join. In that case the join must reset the password of the existing machine account (the 'Failed to set password for machine account' line in the log), so the error appears if the 'Reset Password' permission is not included in the delegated permissions for the user.

 

Related articles:

Troubleshooting Tip: Local Winbind configuration fails to start

Technical Tip: Create and use a Keytab file to join FortiNAC in the domain

Troubleshooting Tip: Failed to add Winbind to FortiNAC due to SPNEGO bind with Kerberos failure

Technical Tip: How to change Winbind files in FortiNAC to resolve errors in joining the FortiNAC to ...