When adding an authentication server in EMS I only ever get 1 domain even when the tenant has multiple domains registered and synced. These aren't subdomains but two different unique domains.
example1.com
example2.com
The only information I provide is the tenant ID, client ID, and secret. And then I only get 1 domain available for doing user to OU matching to assign policies.
How do I get all of the available domains that are synced in Azure so I can assign policies? Currently I have to create workgroups and assign the users to that either manually or with group assignment rules.
Hello,
In the earlier stages of 7.2.x we used to provide a workaround like the one described below.
This behavior changed after 7.2.3 due to a resolved issue, bug 953051.
Starting from version 7.2.3, EMS supports UPNs with domain names other than the imported one, as long as the SAML attributes contain the right user UPN.
https://docs.fortinet.com/document/forticlient/7.2.3/windows-release-notes/22791/resolved-issues
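The accepted answer hinges on the SAML assertion carrying the user's full UPN, suffix included. The following is an added example, not Fortinet or EMS code, that shows what that check looks like on the relying-party side: parse a SAML 2.0 assertion, pull the UPN from the claim Entra ID uses for it, and compare the suffix against the tenant's verified domains. The assertion, the domain list (domain1.com, domain2.com) and the tenant ID are constructed placeholders; signature validation is deliberately out of scope here.

```python
"""Extract the UPN from a SAML assertion and check its domain suffix.

Added example (not Fortinet/EMS code). The assertion, tenant ID and
verified-domain list below are constructed stand-ins. Signature and
condition checks are omitted; a real consumer must validate both.
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URI Entra ID emits for the user principal name in SAML tokens.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed tenant data: the two verified alternative UPN suffixes.
VERIFIED_DOMAINS = {"domain1.com", "domain2.com"}

# Constructed assertion that carries the UPN claim (unsigned, trimmed).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@domain2.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jdoe@domain2.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion with only a NameID and no UPN claim: the failure
# mode where the relying party cannot learn the user's domain suffix.
SAMPLE_ASSERTION_NO_UPN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_2" Version="2.0">
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_upn(assertion_xml):
    """Return the UPN attribute value from the assertion, or None."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == UPN_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def upn_suffix(upn):
    """Return the lower-cased domain part of a UPN, or None if malformed."""
    if not upn or "@" not in upn:
        return None
    return upn.rsplit("@", 1)[1].lower()


def check_upn(assertion_xml, verified_domains=VERIFIED_DOMAINS):
    """Classify the assertion: ok / unverified-domain / no-upn."""
    upn = extract_upn(assertion_xml)
    suffix = upn_suffix(upn)
    if suffix is None:
        return ("no-upn", upn)
    if suffix in verified_domains:
        return ("ok", upn)
    return ("unverified-domain", upn)


if __name__ == "__main__":
    print(check_upn(SAMPLE_ASSERTION))          # ('ok', 'jdoe@domain2.com')
    print(check_upn(SAMPLE_ASSERTION_NO_UPN))   # ('no-upn', None)
```

The second sample reproduces the situation the thread describes from the consumer's point of view: if the identity provider only sends a bare NameID, nothing in the token says which of the tenant's UPN suffixes the user belongs to, so any matching by domain falls back to the one domain the consumer already knows.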
Hello aguerriero,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
I've done that already, but there is one server which refuses to allow logins from the 2nd domain. I also tried machine account password resets, but same issue.
@AEK @ozkanaltas @sw2090 @pminarik do you have maybe an idea for this issue please?
Created on 08-14-2024 05:05 AM Edited on 08-14-2024 05:07 AM
EMS is not my strong suit, same for more advanced Azure AD/Entra ID configurations.
With that said, my personal gut-based expectation (which can be completely wrong!) would be something along the lines of creating two "enterprise applications", one under each domain/directory, and then creation of two "authentication servers" in EMS.
From my limited exposure, my understanding is that each directory would have a separate "tenant ID", hence why I'd expect two apps and two "auth servers".
I tried that but you can only put the tenant ID in one time. If you try to use it again the EMS says the tenant ID already exists.
Hello again aguerriero,
I will continue to have a look if we can help you further then :)
Thanks!
Are these "two domains" within one directory in Entra, or are each separate (in which case they should have separate IDs, I think?)?
Created on 08-14-2024 07:14 AM Edited on 08-14-2024 07:41 AM
It is two UPNs in one directory. The two domains exist as alternative UPN suffixes, so only 1 tenant ID is required for Azure/Entra. The primary domain is
domain.local
The alternative UPNs for the domain are
domain1.com
domain2.com
When users try to verify with the alternate UPN domain1.com, it works just fine, I guess since domain1.com is set as the default domain in Azure and that is how EMS identifies it.
When users try to verify with the alternate UPN domain2.com, it does not work, even though all other aspects for that user in domain2 do work, such as Azure domain joins, email, logins, shares...