Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Happii
New Contributor II

Created on ‎02-10-2025 08:55 PM Edited on ‎02-11-2025 12:06 AM

"Enforce User Verification" won't work when FortiClient connect/register using FQDN

Hi everyone,

 

The ZNTA on my FortiClient EMS working well with SAML verification user and invitation codes. However, we got problem on connecting using the FQDN.

- With unchecked "Enforce User Verification", the FortiClient using FQDN connect to EMS successfully without any SAML login (insecure as we adopt off-net workstation).

- With checked "Enforce User Verification", the FortiClient using FQDN doesn't connect to EMS. The error message is about the connection require invitation code.

 

if you made FQDN connection with user verification successfully, please kindly advise what is wrong or missing in my configuration setup.

 

Thanks so much.

Labels:
603
0 Kudos
7 REPLIES 7
AEK
SuperUser
SuperUser

Created on ‎02-11-2025 03:28 AM

Hi Happii

It was successful for me, FCT EMS 7.4.x.

When you create the invitation you specify the FQDN in "EMS Listen Address", not the IP address. Then you re-send the invitation so the client uses the invitation code that was created based on FQDN.

AEK
AEK
568
Happii
New Contributor II

Created on ‎02-12-2025 02:43 AM

Hi AEK, thanks for your sharing. we did configuration the same but won't work. have no idea what's wrong.

Screenshot 2025-02-12 173720.png

534
0 Kudos
AEK
SuperUser
SuperUser
In response to Happii

Created on ‎02-12-2025 03:15 AM

Hi Happii

You enter the invitation code instead of hostname:port.

Did you generate an invitation? (EMS > invitation menu at top-right).

AEK
AEK
521
Happii
New Contributor II
In response to AEK

Created on ‎02-12-2025 03:43 AM

Hi EAK, invitation was working well with me. But wonder why it was working with hostname:port (the FQDN) with my configuration. Fortinet's document wrote it would work both cases. That was my wonder and seeking for help.

 

515
0 Kudos
AEK
SuperUser
SuperUser
In response to Happii

Created on ‎02-12-2025 03:47 AM

As far as I remember if you want hostname:port works, I think the host must be pre-registered. It means in EMS you import it first from your AD.

Last time I used EMS was about one year ago, so hope I'm not wrong.

AEK
AEK
510
Happii
New Contributor II
In response to AEK

Created on ‎02-12-2025 03:57 AM

Thanks AEK, the endpoint has registered using the invitation code successfully. After that disconnect, then reconnect using FQDN but failed if we keep the User Verification option activated.

 

Could you please elaborate pre-register host you have done year ago? thanks.

501
0 Kudos
AEK
SuperUser
SuperUser
In response to Happii

Created on ‎02-12-2025 06:09 AM

Pre-register is just my way to say "import endpoints from the domain".

This should helps:

https://docs.fortinet.com/document/forticlient/7.4.1/ems-administration-guide/123277/adding-endpoint...

AEK
AEK
475
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.