Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aguerriero
Contributor II

EMS Authentication Server with multiple domains

When adding an authentication server in EMS I only ever get 1 domain even when the tenant has multiple domains registered and synced. These aren't subdomains but two different unique domains.

example1.com
example2.com


The only information I provide is the tenant ID, client ID, and secret. And then I only get 1 domain available for doing user to OU matching to assign policies.

How do I get all of the available domains that are synced in Azure so I can assign policies? Currently I have to create workgroups and assign the users to that either manually or with group assignment rules.


1 Solution
Anil_Solakoglu

Hello,

In the earlier stages of 7.2.x we used to provide a workaround like the one described below.

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Transforming-users-attributes-while-veri...

This behavior changed after 7.2.3 due to a resolved issue over bug 953051.

Starting from version 7.2.3, EMS supports UPNs with different domain names than the imported one, as long as the SAML attributes contain the right user UPN.

https://docs.fortinet.com/document/forticlient/7.2.3/windows-release-notes/22791/resolved-issues
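As an added, stand-alone illustration of the condition in the accepted answer (the assertion must carry the user's real UPN, whose suffix may be any of the tenant's verified domains), and not code from EMS or from this thread: it pulls the UPN attribute out of a constructed SAML assertion and checks its suffix against the list of verified domains, which is a quick way to confirm that a user from the second domain is actually being sent with that suffix. The claim URI is an assumption, since the thread does not say which attribute EMS reads.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed claim name: the standard UPN claim URI. Which attribute EMS really
# reads is not stated in the thread, so adjust this to what your IdP emits.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample assertion for a user whose UPN suffix is the tenant's
# second verified domain (not a capture from any real tenant).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@domain2.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_upn(assertion_xml: str) -> Optional[str]:
    """Return the UPN attribute value from an assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == UPN_CLAIM:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def check_upn_suffix(assertion_xml: str, verified_domains: List[str]) -> dict:
    """Report which UPN the assertion carries and whether its suffix is one of
    the tenant's verified domains (compared case-insensitively)."""
    upn = extract_upn(assertion_xml)
    if upn is None:
        return {"upn": None, "suffix": None, "accepted": False,
                "reason": "no UPN claim in assertion"}
    if "@" not in upn:
        return {"upn": upn, "suffix": None, "accepted": False,
                "reason": "UPN has no domain suffix"}
    suffix = upn.rsplit("@", 1)[1].lower()
    accepted = suffix in {d.lower() for d in verified_domains}
    return {"upn": upn, "suffix": suffix, "accepted": accepted,
            "reason": "ok" if accepted else "suffix not a verified domain"}


if __name__ == "__main__":
    print(check_upn_suffix(SAMPLE_ASSERTION, ["domain1.com", "domain2.com"]))
```

Signature validation of the assertion is EMS's job; this helper only inspects the attribute content of an assertion you have already captured while troubleshooting.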

Jean-Philippe_P
Moderator

Hello aguerriero,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Moderator

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team
haunglu
New Contributor

I've done that already, but there is the one server which refuses to allow logins from the 2nd domain. I also tried machine account password resets but same issue.
Jean-Philippe_P
Moderator

@AEK @ozkanaltas @sw2090 @pminarik do you have maybe an idea for this issue please?

Jean-Philippe - Fortinet Community Team
pminarik

EMS is not my strong suit, same for more advanced Azure AD/Entra ID configurations.

With that said, my personal gut-based expectation (which can be completely wrong!) would be something along the lines of creating two "enterprise applications", one under each domain/directory, and then creation of two "authentication servers" in EMS.

From my limited exposure, my understanding is that each directory would have a separate "tenant ID", hence why I'd expect two apps and two "auth servers".

[ corrections always welcome ]
aguerriero

I tried that but you can only put the tenant ID in one time. If you try to use it again the EMS says the tenant ID already exists.

Jean-Philippe_P

Hello again aguerriero,

I will continue to have a look if we can help you further then :)

Thanks!

Jean-Philippe - Fortinet Community Team
pminarik

Are these "two domains" within one directory in Entra, or is each separate (in which case they should have separate IDs, I think?)?

[ corrections always welcome ]
aguerriero

It is two UPNs in one directory. The two domains exist as alternative UPN suffixes, so only 1 tenant ID is required for Azure/Entra. The primary domain is

domain.local

The alternative UPNs for the domain are
domain1.com
domain2.com


When users try to verify with the alternate UPN domain1.com it works just fine, I guess since domain1.com is set as the default domain in Azure and that is how EMS identifies it.

When users try to verify with the alternate UPN domain2.com it does not work, even though all other aspects for that user in domain2 do work, such as Azure domain joins, email, logins, shares...
