Support Forum
FortiAuthenticator on every sync resets the users to always have OTP


We upgraded to v6.4.6, build1043 (GA), and we notice that on every sync from AD (used to retrieve the users) it always resets, on ALL users, the option to have Token enabled.


What I mean is that we have many users where the OTP is disabled for some reason (we use an SMS service), like below, where for one user the OTP is disabled:




Now, on every sync (which we increased from one hour to one day in order to manage the issue, from Edit Remote LDAP User Synchronization Rule), what is happening is that for ALL users the option One-Time Password (OTP) Authentication (from the first picture) gets enabled again.

That was not the issue on the previous version.


How can we stop this from happening?







Is there any update on this?

It is starting to be really annoying and time-consuming to restore the settings on each user.


Please assist.


Hi Vassilis,


Could you post your remote user sync rule configuration? This is where the OTP would be set to enabled. When the user gets synchronized, the user might get "corrected" again. If that is the case, we could maybe not import the users automatically but manually, and not update them. Usually the users do not really change membership or state, but of course manual users need to be tracked as well. The user audit report can help with that (e.g. a user hasn't been used for some days).


Best regards,




Hi Markus, thanks for the reply. Here are the settings:





Now, if I understand the comment correctly, you are probably referring to the "SMS" setting. According to the yellow text box, what I understand from this is that the enabled setting means that it will sync the users from the group mentioned in the LDAP Filter ONLY for users who have the Mobile Number field.



If I select None, I have the impression that it will sync ALL users in the security group mentioned in the LDAP Filter section, regardless of whether a mobile phone exists or not.


Because I've seen that it does not sync users that DO NOT have a mobile number.

I want to be very clear and I want to understand this.
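
The sync-rule question in the last post (does the enabled SMS setting restrict the import to group members that have a Mobile Number?) can be checked against the directory itself, independently of what FortiAuthenticator then does with the result. As an added example, not code from the thread or from Fortinet, the Python below evaluates the two candidate LDAP filters over constructed AD-style entries: `(memberOf=<group DN>)` alone, and `(&(memberOf=<group DN>)(mobile=*))`, which uses the standard RFC 4515 presence assertion to keep only users that carry the AD `mobile` attribute. The group DN, user names and numbers are invented; the evaluator supports only the `&`, `|`, `!` combinators plus equality and presence tests, and a plain `memberOf` match does not resolve nested group membership.

```python
"""Added example (not from the forum thread or from Fortinet): test, against
directory entries, which members of the sync group actually carry a mobile
number, i.e. the precondition the thread believes the SMS-enabled sync rule
applies.  Entries, group DN and numbers below are constructed."""

from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample of an AD export; attribute names are the real AD ones,
# everything else is invented.
GROUP_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=local"
SAMPLE_ENTRIES: List[Entry] = [
    {"sAMAccountName": ["alice"], "memberOf": [GROUP_DN], "mobile": ["+30 690000001"]},
    {"sAMAccountName": ["bob"], "memberOf": [GROUP_DN], "mobile": []},  # attribute empty in export
    {"sAMAccountName": ["carol"], "memberOf": [GROUP_DN]},              # attribute missing entirely
    {"sAMAccountName": ["dave"], "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=local"],
     "mobile": ["+30 690000004"]},
]


def build_filter(group_dn: str, require_mobile: bool) -> str:
    """Filter for the sync rule's intent: members of the group, optionally
    only those that have a 'mobile' attribute (RFC 4515 presence test)."""
    member = f"(memberOf={group_dn})"
    return f"(&{member}(mobile=*))" if require_mobile else member


def parse_filter(text: str, pos: int = 0) -> Tuple[tuple, int]:
    """Parse a minimal RFC 4515 subset: &, |, ! combinators plus
    (attr=value) equality and (attr=*) presence.  Returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    # DN values contain '=' themselves, so split only on the first one.
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr, value), end + 1


def evaluate(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry.  Attribute names and
    string values are compared case-insensitively, as AD does."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":  # presence: the attribute has at least one value
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def classify(entries: List[Entry], group_dn: str) -> Dict[str, List[str]]:
    """Split users into: picked up by a mobile-restricted filter, group
    members such a filter would skip, and non-members."""
    with_mobile = parse_filter(build_filter(group_dn, True))[0]
    members_only = parse_filter(build_filter(group_dn, False))[0]
    result: Dict[str, List[str]] = {"synced": [], "skipped_no_mobile": [], "not_in_group": []}
    for entry in entries:
        name = entry["sAMAccountName"][0]
        if evaluate(with_mobile, entry):
            result["synced"].append(name)
        elif evaluate(members_only, entry):
            result["skipped_no_mobile"].append(name)
        else:
            result["not_in_group"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_ENTRIES, GROUP_DN).items():
        print(f"{bucket:18s} {', '.join(names) or '-'}")
```

Running the same two filters against the real domain with `ldapsearch` or `Get-ADUser -LDAPFilter` gives the list of group members a mobile-restricted rule would leave out; that is the list worth reconciling before changing the rule's SMS setting or its sync interval.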