Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
anbtoly
New Contributor

Created on ‎05-07-2024 12:01 PM

Windows error Forticlient script error access denied on SSO connect

Installed new version of Forticlient (vers 7.2.4.0972).

we setup up Azure SSO on fortigate v7.

when running connect on client .. getting pop up "Script Error"

(review screenshot)

script errorscript error

 

8972478d-04bf-4216-894b-cc78e2f10695.png

(error has occurred in the script on this page).

Error: Access denied.

code: 0

URL: about blank 

 

I have uninstalled and reinstalled application, on 2 different devices and same issue.

 

 

Can anyone assist?

 

 

Anthony Abela

Labels:
3491
6 REPLIES 6
jiahoong112
Staff
Staff

Created on ‎05-07-2024 05:50 PM

Please ensure that your SAML attributes are configured correctly on both Fortigate (SP) and on Azure (IDP) as they are very easy to misconfigure. To me, that looks like a potential issue during the saml redirection, not an issue with FortiClient.

You may find this useful: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Companion-for-troubleshooting-SSL-VP... 

Fortigate Azure sso configuration: https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/co... 

https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial 

 

To get a better grasp of the issue at hand, please run these debugs:

# diag vpn ssl debug-filter src-addr4 x.x.x.x ==> x.x.x.x should be the public ip of the client devicethat is connecting: whatismyip.com
# diagnose debug application sslvpn -1

# diag deb app samld -1

# diag deb enable

 

-> Reproduce issue

 

To disable the debug:

# diag deb disable

# diag deb reset

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
3430
Brunn3r
New Contributor III

Created on ‎05-27-2024 02:04 AM

This Reddit post says, it is working with Version 7.2.3
https://www.reddit.com/r/fortinet/comments/1bhqgja/forticlient_script_error/

2985
Brunn3r
New Contributor III

Created on ‎05-27-2024 06:00 AM

I tested it this morning.
Script error appeared with Version 7.0.12 and 7.2.4 on Windows 11 (did work well on Windows 10).
After installation 7.2.3 on Windows 11, everything is working as expected.

2946
Reza-Ghazian
New Contributor

Created on ‎09-24-2024 06:17 PM Edited on ‎09-24-2024 06:25 PM

This error will happen if you are using a self-signed certificate for your VPN settings and you have applied the security baseline for Microsoft Edge on your devices.
I had the same issue for our clients and I found out the reason is because of the security baseline for Microsoft Edge which prevents users from proceeding from the HTTPS warning page. You can solve this issue in two ways:
1. Using a certificate issued by a certificate authority such as Certum, Godady and etc for VPN settings.
2. Enable the setting in Edge that "Allow users to proceed from the HTTPS warning page"
Screenshot 2024-09-25 110934.png 

1585
0 Kudos
Brunn3r
New Contributor III

Created on ‎11-14-2024 06:55 AM

Error still exists in V7.2.5

@Reza-Ghazian : i have a certificate which is issued by a public CA, still i got the error.

733
0 Kudos
Brunn3r
New Contributor III

Created on ‎11-18-2024 05:13 AM Edited on ‎11-18-2024 05:19 AM

Today i tested again with Version 7.2.5.
But this time, I added  <use_gui_saml_auth>1</use_gui_saml_auth> to the XML config file.

Details: https://docs.fortinet.com/document/forticlient/7.2.5/xml-reference-guide/858086/ssl-vpn
After this, the SSLVPN connection with the internal browser no more showed a script error. And also an authentication is required every time you login (this is the expected behavior). So there is a solution for SSLVPN and SAML authentication.

Unfortunately the script error still appears with IPSec VPN and SAML authentication (with internal browser). Even with the "Web sites in less privileged Web content zones can navigate into this zone" enabled the script error appears.

Anyone found a solution to get that working? Is there a re-authentication configuration similar to <use_gui_saml_auth> planned in future releases?

 

thanks

667
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.