Installed new version of Forticlient (vers 7.2.4.0972).
we setup up Azure SSO on fortigate v7.
when running connect on client .. getting pop up "Script Error"
(review screenshot)
(error has occurred in the script on this page).
Error: Access denied.
code: 0
URL: about blank
I have uninstalled and reinstalled application, on 2 different devices and same issue.
Can anyone assist?
Anthony Abela
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Please ensure that your SAML attributes are configured correctly on both Fortigate (SP) and on Azure (IDP) as they are very easy to misconfigure. To me, that looks like a potential issue during the saml redirection, not an issue with FortiClient.
You may find this useful: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Companion-for-troubleshooting-SSL-VP...
Fortigate Azure sso configuration: https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/co...
https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial
To get a better grasp of the issue at hand, please run these debugs:
# diag vpn ssl debug-filter src-addr4 x.x.x.x ==> x.x.x.x should be the public ip of the client devicethat is connecting: whatismyip.com
# diagnose debug application sslvpn -1
# diag deb app samld -1
# diag deb enable
-> Reproduce issue
To disable the debug:
# diag deb disable
# diag deb reset
This Reddit post says, it is working with Version 7.2.3
https://www.reddit.com/r/fortinet/comments/1bhqgja/forticlient_script_error/
I tested it this morning.
Script error appeared with Version 7.0.12 and 7.2.4 on Windows 11 (did work well on Windows 10).
After installation 7.2.3 on Windows 11, everything is working as expected.
This error will happen if you are using a self-signed certificate for your VPN settings and you have applied the security baseline for Microsoft Edge on your devices.
I had the same issue for our clients and I found out the reason is because of the security baseline for Microsoft Edge which prevents users from proceeding from the HTTPS warning page. You can solve this issue in two ways:
1. Using a certificate issued by a certificate authority such as Certum, Godady and etc for VPN settings.
2. Enable the setting in Edge that "Allow users to proceed from the HTTPS warning page"
Error still exists in V7.2.5
@Reza-Ghazian : i have a certificate which is issued by a public CA, still i got the error.
Today i tested again with Version 7.2.5.
But this time, I added <use_gui_saml_auth>1</use_gui_saml_auth> to the XML config file.
Details: https://docs.fortinet.com/document/forticlient/7.2.5/xml-reference-guide/858086/ssl-vpn
After this, the SSLVPN connection with the internal browser no more showed a script error. And also an authentication is required every time you login (this is the expected behavior). So there is a solution for SSLVPN and SAML authentication.
Unfortunately the script error still appears with IPSec VPN and SAML authentication (with internal browser). Even with the "Web sites in less privileged Web content zones can navigate into this zone" enabled the script error appears.
Anyone found a solution to get that working? Is there a re-authentication configuration similar to <use_gui_saml_auth> planned in future releases?
thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.