- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows error Forticlient script error access denied on SSO connect
Installed new version of Forticlient (vers 7.2.4.0972).
we setup up Azure SSO on fortigate v7.
when running connect on client .. getting pop up "Script Error"
(review screenshot)
(error has occurred in the script on this page).
Error: Access denied.
code: 0
URL: about blankā
I have uninstalled and reinstalled application, on 2 different devices and same issue.
Can anyone assist?
Anthony Abela
- Labels:
-
FortiClient
-
SSL-VPN
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please ensure that your SAML attributes are configured correctly on both Fortigate (SP) and on Azure (IDP) as they are very easy to misconfigure. To me, that looks like a potential issue during the saml redirection, not an issue with FortiClient.
You may find this useful: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Companion-for-troubleshooting-SSL-VP...
Fortigate Azure sso configuration: https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/co...
https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial
To get a better grasp of the issue at hand, please run these debugs:
# diag vpn ssl debug-filter src-addr4 x.x.x.x ==> x.x.x.x should be the public ip of the client devicethat is connecting: whatismyip.com
# diagnose debug application sslvpn -1
# diag deb app samld -1
# diag deb enable
-> Reproduce issue
To disable the debug:
# diag deb disable
# diag deb reset
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This Reddit post says, it is working with Version 7.2.3
https://www.reddit.com/r/fortinet/comments/1bhqgja/forticlient_script_error/
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tested it this morning.
Script error appeared with Version 7.0.12 and 7.2.4 on Windows 11 (did work well on Windows 10).
After installation 7.2.3 on Windows 11, everything is working as expected.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This error will happen if you are using a self-signed certificate for your VPN settings and you have applied the security baseline for Microsoft Edge on your devices.
I had the same issue for our clients and I found out the reason is because of the security baseline for Microsoft Edge which prevents users from proceeding from the HTTPS warning page. You can solve this issue in two ways:
1. Using a certificate issued by a certificate authority such as Certum, Godady and etc for VPN settings.
2. Enable the setting in Edge that "Allow users to proceed from the HTTPS warning page"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Error still exists in V7.2.5
@Reza-Ghazian : i have a certificate which is issued by a public CA, still i got the error.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Today i tested again with Version 7.2.5.
But this time, I added <use_gui_saml_auth>1</use_gui_saml_auth> to the XML config file.
Details: https://docs.fortinet.com/document/forticlient/7.2.5/xml-reference-guide/858086/ssl-vpn
After this, the SSLVPN connection with the internal browser no more showed a script error. And also an authentication is required every time you login (this is the expected behavior). So there is a solution for SSLVPN and SAML authentication.
Unfortunately the script error still appears with IPSec VPN and SAML authentication (with internal browser). Even with the "Web sites in less privileged Web content zones can navigate into this zone" enabled the script error appears.
Anyone found a solution to get that working? Is there a re-authentication configuration similar to <use_gui_saml_auth> planned in future releases?
thanks