Created on 01-18-2024 08:07 AM Edited on 01-22-2024 12:47 AM By Jean-Philippe_P
Description
This article explains how best to configure the Username format in RADIUS and other authentication policies when the UPN (userPrincipalName) is used as the login name.
Scope
The following settings instruct the FortiAuthenticator on how to read the credentials the users provide.
Username format.
username@realm
If the format is set to username@realm (the default), the FortiAuthenticator treats the '@' in the UPN as a delimiter. Whatever comes before the '@' is taken as the username that FortiAuthenticator will try to authenticate; whatever comes after the '@' is taken as the realm, i.e. the user base in which FortiAuthenticator will search for that username. The realm part is stripped before authentication once a realm has been identified. The impact on the authentication process is as follows.
The user provides the UPN, user@domain.xyz, and the FortiAuthenticator strips domain.xyz because it is seen as the realm (as instructed by the Username format username@realm). Authentication is then attempted with user only (without @domain.xyz), which results in a failed logon: the correct UPN is user@domain.xyz, not user, so no such user is found. This failure is expected.
RADIUS debug example, with 'Use default realm when user-provided realm is different from all configured realms' disabled and this user's realm set as the default realm on the RADIUS policy:
(2) facauth: Input raw_username: user@domain.xyz Realm: domain.xyz username: user
Solution
Do not configure the Username format username@realm when the UPN is used. Switch the username format to one of the other two options, realm\username or realm/username. The example below uses realm\username.
RADIUS debug example:
(12) facauth: Input raw_username: user@domain.xyz Realm: (null) username: user@domain.xyz
In the case of a multitenant FortiAuthenticator, if another UPN realm needs to be matched (for instance an LDAP realm named ldap-realm, other than the default one), the user will have to authenticate using the following format: ldap-realm\user@domain.abc. The realm prefix selects the realm and is stripped, while the UPN user@domain.abc is passed to that realm intact.
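To make the two behaviours concrete, the following is an added illustration written for this article; it is not FortiAuthenticator code and the function names (parse_login, facauth_debug_line, lookup_succeeds) are hypothetical. It emulates the Username format split for all three formats (username@realm, realm\username and realm/username), assuming a single split on the first occurrence of the delimiter, then checks the surviving username against a constructed UPN-keyed user store standing in for an LDAP realm whose login attribute is userPrincipalName. It reproduces the two debug lines quoted above and shows why the first one fails while the second succeeds, including the multitenant ldap-realm\user@domain.abc case.

```python
"""Emulation of the FortiAuthenticator 'Username format' split discussed above.

Added example, not FortiAuthenticator code. Assumption: each format is a single
split on the first occurrence of its delimiter; a login without the delimiter
yields no realm ("(null)" in the facauth debug output).
"""
from dataclasses import dataclass
from typing import Dict, Optional

USERNAME_AT_REALM = "username@realm"          # default format
REALM_BACKSLASH_USERNAME = "realm\\username"
REALM_SLASH_USERNAME = "realm/username"


@dataclass(frozen=True)
class ParsedLogin:
    raw_username: str
    realm: Optional[str]   # None corresponds to "Realm: (null)" in the debug line
    username: str          # what is actually looked up in the realm


def parse_login(raw_username: str, username_format: str) -> ParsedLogin:
    """Split the user-supplied login the way the configured format dictates."""
    if username_format == USERNAME_AT_REALM:
        # The '@' of a UPN is taken as the delimiter: user before, realm after.
        user, sep, realm = raw_username.partition("@")
        if not sep:
            return ParsedLogin(raw_username, None, raw_username)
        return ParsedLogin(raw_username, realm, user)

    if username_format in (REALM_BACKSLASH_USERNAME, REALM_SLASH_USERNAME):
        delim = "\\" if username_format == REALM_BACKSLASH_USERNAME else "/"
        # Realm prefix before the delimiter; everything after it, '@' included,
        # is passed to the realm as the username.
        realm, sep, user = raw_username.partition(delim)
        if not sep:
            return ParsedLogin(raw_username, None, raw_username)
        return ParsedLogin(raw_username, realm, user)

    raise ValueError(f"unknown username format: {username_format!r}")


def facauth_debug_line(parsed: ParsedLogin) -> str:
    """Render the split in the shape of the facauth 'Input raw_username' line."""
    realm = parsed.realm if parsed.realm is not None else "(null)"
    return (f"Input raw_username: {parsed.raw_username} "
            f"Realm: {realm} username: {parsed.username}")


# Constructed sample store keyed by UPN (sample data for this example only).
UPN_STORE: Dict[str, str] = {
    "user@domain.xyz": "s3cret-example-password",
    "user@domain.abc": "another-example-password",
}


def lookup_succeeds(parsed: ParsedLogin, store: Dict[str, str] = UPN_STORE) -> bool:
    """Does the username that survives the split exist in a UPN-keyed store?"""
    return parsed.username in store


if __name__ == "__main__":
    for fmt in (USERNAME_AT_REALM, REALM_BACKSLASH_USERNAME):
        p = parse_login("user@domain.xyz", fmt)
        print(f"{fmt:16} -> {facauth_debug_line(p)} -> found={lookup_succeeds(p)}")
    p = parse_login("ldap-realm\\user@domain.abc", REALM_BACKSLASH_USERNAME)
    print(f"multitenant      -> {facauth_debug_line(p)} -> found={lookup_succeeds(p)}")
```

Running it prints the same two facauth lines quoted in this article: under username@realm the lookup is for "user" and fails, under realm\username the whole UPN reaches the store and is found.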
Copyright 2024 Fortinet, Inc. All Rights Reserved.