I am using FortiClient 7.0.8.427 using Azure SAML for sign-in.
All works except for some users, when authenticating, they get the option to click on their email address from the In Browser window that appears.
For others, they have to always enter in their email address.
Has anyone seen this?
Checked Credential Manager and cleared out the cache in MS Edge, the default browser, but no success.
Has anyone seen this?
Hi @Icebun,
Can you try to use an external browser for authentication? Please refer to this document for more information "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/364443/using-a-browser-as-an...
Regards,
Minh
Hi @Minh
Thanks for the response.
I did see the option to use a browser as an external agent within EMS itself, which I presume stands a better chance of caching the email address part of the credentials. Is that right?
Looking at the information sent, this looks like it will need changes at the FortiGate FW as well?
Is that true? If so, how can I test this, as we have a large number of VPN users and do not want to change the behaviour if I am not successful (as some users work fine and their email address caches OK).
Is there no other way?
Hi @Icebun,
This option is configured on the client, not on FortiGate. You can download the VPN-only version on a test machine and configure the VPN there instead of pushing using EMS. Also, in the FortiClient settings, there is an option called "Do not modify internal browser cookies". Can you try that before using an external browser?
Regards,
Minh
Thanks @Minh
On my EMS-managed FortiClient, I am unable to place a check box on the option "Do not modify internal browser cookies".
Are there settings within EMS Server Manager (or even the Registry) that control this option please? I could not seem to find it, I am afraid.
Hi @Icebun,
You can modify this option on the EMS VPN profile "<dont_modify_cookies>1</dont_modify_cookies>". However, this will push for all users. Try to test it with a test machine and the free FortiClient version before pushing from the EMS server.
@mle2802 sorry to be a pain.
Can I presume it will be in the XML code for the VPN profile as follows by way of example:
<?xml version="1.0" ?>
<forticlient_configuration>
  <vpn>
    <enabled>1</enabled>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <dnscache_service_control>2</dnscache_service_control>
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
        <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
        <no_dns_registration>0</no_dns_registration>
        <dont_modify_cookies>1</dont_modify_cookies>
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>
That is correct.
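Since the profile change is pushed to every user, it helps to confirm before the push that the edited profile differs from the current one only by dont_modify_cookies at the path shown above. The following Python check is an added example, not code from this thread or from Fortinet; the two profile strings are constructed samples and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Path given in the thread, relative to <forticlient_configuration>.
COOKIE_PATH = "vpn/sslvpn/options/dont_modify_cookies"

# Constructed sample: options from the thread, closed so the fragment parses.
BEFORE = """<forticlient_configuration><vpn><enabled>1</enabled><sslvpn><options>
<enabled>1</enabled>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
</options></sslvpn></vpn></forticlient_configuration>"""
# Constructed sample: the same profile with the one intended edit applied.
AFTER = BEFORE.replace(
    "</options>", "<dont_modify_cookies>1</dont_modify_cookies>\n</options>")


def flatten(xml_text):
    """Map each leaf element's path (repeated siblings get [n]) to its text."""
    leaves = {}

    def walk(node, prefix):
        totals = Counter(child.tag for child in node)
        seen = Counter()
        for child in node:
            seen[child.tag] += 1
            name = child.tag
            if totals[child.tag] > 1:
                name = f"{child.tag}[{seen[child.tag]}]"
            path = f"{prefix}/{name}" if prefix else name
            if len(child):
                walk(child, path)
            else:
                leaves[path] = (child.text or "").strip()

    walk(ET.fromstring(xml_text), "")
    return leaves


def profile_changes(before_xml, after_xml):
    """Return {path: (old, new)} for each leaf that differs; None means absent."""
    old, new = flatten(before_xml), flatten(after_xml)
    return {p: (old.get(p), new.get(p))
            for p in sorted(old.keys() | new.keys()) if old.get(p) != new.get(p)}


def only_cookie_setting_changed(before_xml, after_xml):
    """True if the edit sets dont_modify_cookies to 1 and touches nothing else."""
    changes = profile_changes(before_xml, after_xml)
    return set(changes) == {COOKIE_PATH} and changes[COOKIE_PATH][1] == "1"
```

Run it against the profile XML exported before and after the edit; a misplaced element or an unintended second change makes only_cookie_setting_changed return False, and profile_changes lists what differs.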
Hi @mle2802, this seems to have worked on my test environment.
One more thing. I do not suppose you know at what point the cookie will eventually expire causing the user to re-authenticate with their credentials?
Hey Icebun - this depends entirely on Azure and your IdP settings there, I believe.
You might see the information in the metadata, as outlined here: https://learn.microsoft.com/en-us/answers/questions/1103098/azure-ad-b2c-custom-policy-saml-token-li...