Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
seadave
Contributor III

FAC: Make sure you aren't blocking - directregistration.fortinet.com

Just a FYI, our FAC stopped being able to sync users from AD and adding them for FTKM assignment.  Error showed:

 

FTM provision error: problem with SSL comm layer: server connection failed: SSL session failed Failed to assign remote LDAP user xxxxx @ xxxxx-DCs (xxx.xxx.xxx.10) with an available FTM token (FTKMxxxxxxxxxx) due to an activation error: Unable to provision token FTKMxxxxxxxxx: Unknown error.

Finally determined that FAC was hitting on our our MiTM/SSL Inspection outbound rules and Fortinet didn't like the cert interception.  Moved the directregistration.fortinet.com host to one of our trusted hosts rule that doesn't have SSL inspection and it started working again.

 

We think the IP for this host was updated today but not sure.

1 REPLY 1
xsilver_FTNT
Staff
Staff

thanks for sharing your case.

Yes, token activation is done over TLS and bidirectional cert verification and if that is forged, by any MiTM SSL inspecting proxy, then it will fail. That's expected outcome.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors