FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
kiri
Staff
Article Id 294881
Description This article explains how best to configure the Username format in RADIUS and other authentication policies when the UPN (userPrincipalName) is used as the login name.
Scope

The following setting instructs the FortiAuthenticator how to parse the credentials the users provide.

 

Username format
Select one of the following three username input formats:

 

username@realm
realm\username
realm/username

 

If the format is set to username@realm (the default), the FortiAuthenticator treats the '@' in the UPN as a delimiter. Whatever comes before the '@' is the username that FortiAuthenticator will try to authenticate; whatever comes after the '@' is the realm, that is, the user base in which the FortiAuthenticator will search for that username.

The realm part is stripped from the username before authentication once a realm has been identified. The impact on the authentication process is as follows.

 

The user provides the UPN user@domain.xyz. The FortiAuthenticator strips domain.xyz, which it sees as the realm (as instructed by the username@realm format), and then attempts authentication with user alone (without @domain.xyz). The logon fails because the username stored in the user base is the full UPN user@domain.xyz, not user. This failure is the expected behaviour of the setting, not a defect.

 

RADIUS debug example. 'Use default realm when user-provided realm is different from all configured realms' is disabled, and this user's realm is set as the default realm on the RADIUS policy:

 

(2) facauth: Input raw_username: user@domain.xyz Realm: domain.xyz username: user
(2) facauth: Realm domain.xyz goes to FAC local user
(2) facauth: user: user not found, update user and ip lockout with ip: 10.191.31.254
(2) facauth: Updated auth log 'user@domain.xyz' for attempt from 10.191.19.149~10.191.31.254: User authentication from 10.191.31.254 (chap) with no token failed: user not found
(2) Sent Access-Reject Id 12 from 10.5.20.234:1812 to 10.191.19.149:21017 length 33

 

Solution

Do not configure the username format username@realm when UPN is used. Switch the username format to one of the other two, realm\username or realm/username. The example below uses realm\username.


The FortiAuthenticator now looks for '\' as the delimiter, not for '@', so it no longer strips the domain from the UPN by mistaking it for a realm.
Authentication is attempted with the full, correct UPN value, user@domain.xyz.
Note that with this setting any '\' the client sends is treated as the realm delimiter, so a client that submits a down-level logon name (DOMAIN\user) will have DOMAIN interpreted as a realm name; verify that the clients in scope send the UPN only.

 

RADIUS debug example:

 

(12) facauth: Input raw_username: user@domain.xyz Realm: (null) username: user@domain.xyz
(12) facauth: Realm not specified, default goes to FAC local user
(12) facauth: Local user found: user@domain.xyz
(12) facauth: Authentication OK

 

On a multi-tenant FortiAuthenticator, if the user must be matched against another realm (for instance an LDAP realm rather than the default), the user has to authenticate with the realm as a prefix, using the format ldap-realm\user@domain.abc. The part before the '\' selects the realm; the part after it, the full UPN, is the username looked up in that realm's user base.

The realm name is not the same as the domain; the two are not interchangeable. The realm name is only locally significant on the FortiAuthenticator, and it is used by RADIUS and other authentication policies to identify the correct user base or remote authentication server.
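The following is an added example, not FortiAuthenticator code and not taken from this article: a small Python model of how the Username format setting decides which (realm, username) pair is authenticated. It reproduces only the delimiter behaviour visible in the debug output above (the '@' of a UPN is consumed by username@realm, survives with realm\username or realm/username, and an absent delimiter yields a null realm that falls through to the default realm). The local user base, the password and the assumption that the split happens on the first occurrence of the delimiter are constructed for the example; FortiAuthenticator's internals are not public.

```python
"""Added example (not FortiAuthenticator code): a model of how the
"Username format" setting decides what gets authenticated.

Only the delimiter behaviour shown in the debug output is modelled. The
user base and password below are constructed sample data.
"""
import hmac
from typing import Dict, Optional, Tuple

# The three selectable formats: the delimiter and the side of it holding the realm.
FORMATS = {
    "username@realm": ("@", "suffix"),
    "realm\\username": ("\\", "prefix"),
    "realm/username": ("/", "prefix"),
}

# Constructed sample local user base, keyed by the stored username. As on the
# page, the stored username is the full UPN.
LOCAL_USERS: Dict[str, str] = {"user@domain.xyz": "S3cret-Pass"}


def split_username(raw: str, username_format: str) -> Tuple[Optional[str], str]:
    """Return (realm, username) for the raw username a client sent.

    realm is None when the delimiter is absent (the "Realm: (null)" case), so
    the request falls through to the policy's default realm. Assumption: the
    split is on the first occurrence of the delimiter; a UPN contains a single
    '@', so for UPNs this choice makes no difference.
    """
    delimiter, realm_side = FORMATS[username_format]
    if delimiter not in raw:
        return None, raw
    if realm_side == "suffix":
        # username@realm: the UPN's own '@' is consumed and the domain part is
        # stripped, which is exactly what breaks UPN logons.
        username, realm = raw.split(delimiter, 1)
    else:
        # realm\username or realm/username: the realm is the prefix; a UPN
        # after the delimiter survives intact.
        realm, username = raw.split(delimiter, 1)
    return realm, username


def authenticate(raw: str, username_format: str, password: str) -> Dict[str, Optional[str]]:
    """Parse the raw username, then look it up in the sample default realm.

    Returns the realm and username the lookup actually used together with the
    RADIUS verdict, so a failed logon can be explained from the parsed values.
    """
    realm, username = split_username(raw, username_format)
    stored = LOCAL_USERS.get(username)
    if stored is None:
        verdict, reason = "Access-Reject", "user not found"
    elif not hmac.compare_digest(stored.encode(), password.encode()):
        verdict, reason = "Access-Reject", "wrong password"
    else:
        verdict, reason = "Access-Accept", "Authentication OK"
    return {"realm": realm, "username": username, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    # Show how each format parses a plain UPN and a realm-prefixed UPN.
    for fmt in FORMATS:
        for raw in ("user@domain.xyz", "ldap-realm\\user@domain.abc"):
            print(f"{fmt:16} {raw!r:32} -> {authenticate(raw, fmt, 'S3cret-Pass')}")
```

Running the block prints, for username@realm, a lookup of the bare username user that is rejected with "user not found", matching the first debug trace, and for realm\username a lookup of the full UPN that is accepted; the realm-prefixed form ldap-realm\user@domain.abc is split into realm ldap-realm and username user@domain.abc only under the prefix formats.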

 
