Appendix D - FortiAuthenticator Agent for Microsoft Windows registry files
The following registry files are used in FortiAuthenticator Agent for Microsoft Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FAC_Agent_v1.0
|
Keys |
Description |
Type |
Default value |
|---|---|---|---|
|
27C65014-B660-4141-B9C4-9D35CFE99AE5 |
A plugin credential provider ID for the FortiAuthenticator Agent for Microsoft Windows, and a binary flag for Windows Agent plugin features. Note: This key should not be updated manually. |
dword |
|
|
Auth_RdpOnly |
Enable FortiAuthenticator Agent for Microsoft Windows 2FA for Remote Desktop Protocol (RDP) sessions only:
Note: This key can be absent. |
dword |
|
|
AvailableDomains |
List of domains. It can be updated by the user, or it will be updated by the Configuration app. Example:
.:. |
multi_sz |
n/a |
|
CredentialProvidersWhiteList |
List of other specific credential providers we allow alongside FortiAuthenticator Agent CP. Note: To add multiple values for this key, enter a list of GUIDs in brackets. Optionally, you can use commas to separate the contents of the list. Example: Two allowed credential providers for (smartcard credential provider, iris credential provider):
Alternatively, they can be added as:
|
sz |
absent |
|
DisableMSPasswordProvider |
Allows to sign-in through Windows Agent only. |
sz |
|
|
InstallPath |
Installation path for the FortiAuthenticator Agent for Microsoft Windows. Note: This key should not be updated manually. |
sz |
|
|
IPluginAuthentication_Order |
Order of plugins to authenticate the user. Note: We have only one plugin for now. |
multi_sz |
|
|
IPluginAuthorization_Order |
Reserved for future. |
n/a |
empty |
|
IPluginAuthenticationGateway_Order |
Reserved for future. |
n/a |
empty |
|
IPluginFetchTokens_Order |
Order of plugins to fetch tokens for the user. Note: We have only one plugin for now. |
multi_sz |
|
|
IPluginEventNotifications_Order |
Reserved for future. |
n/a |
empty |
|
IPluginPushNotification_Order |
Order of plugins for push authentication of the user. Note: We have only one plugin for now. |
multi_sz |
|
|
MaxClients |
Number of connections from the Credential Provider to the (internal) FortiAuthenticator service. |
dword |
|
|
Motd |
(Message Of The Day) Message, appears on the login screen. |
sz |
|
|
PluginDirectories |
Installation directory for plugins. It is the installation directory for FortiAuthenticator Agent for Microsoft Windows itself. Note: We have only one plugin for now. |
multi_sz |
|
|
ServicePipeName |
Connection/pipe name from the Credential Provider to the (internal) FortiAuthenticator service. |
sz |
|
|
TileImage |
Path to the "Other user" tile image on the login screen. |
sz |
empty (Fortinet image is shown) |
|
TraceMsgTraffic |
Log messages between the Credential Provider and the (internal) FortiAuthenticator service. Note: These are not messages from the Agent to the FortiAuthenticator server. |
sz |
|
HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FAC_Agent_v1.0\Plugins\27c65014-b660-4141-b9c4-9d35cfe99ae5
|
Keys |
Description |
Type |
Default value |
|---|---|---|---|
|
The next eight entries are related to authentication. |
|||
|
Auth_AllowAdminOTP |
Allows admin OTP on the login screen. Example: |
sz |
n/a |
|
Auth_CacheCredPeriod |
Number of days the user is allowed to login with failed OTP (related to Auth_FailAction). |
dword |
|
|
Auth_FailAction |
Allowed to login with a failed OTP (see Auth_CacheCredPeriod and Auth_OfflineEnabled). |
dword |
|
|
Auth_NumRetries |
Number of additional tries to connect to the FortiAuthenticator server after failure (related to Auth_Timeout). |
dword |
|
|
Auth_OfflineEnabled |
Allow authentication, based on downloaded tokens (or allow logon on failed OTP, if Auth_FailAction is configured). |
sz |
|
|
Auth_OfflineSharedSecret |
Shared secret for the offline storage - must match FortiAuthenticator. Note: This key should not be updated manually. |
Encrypted string |
n/a |
|
Auth_RealmBased |
Forces to use realm in addition to the username for authentication (from version 3.0). |
sz |
|
|
Auth_Timeout |
Number of seconds to wait until next retry (related to Auth_NumRetries). |
dword |
|
|
The next four entries are domain-related. |
|||
|
Dom_DefaultDomain |
Domain, selected on the login screen by default (see Dom_DefaultDomainMode). Example: |
sz |
n/a |
|
Dom_DefaultDomainMode |
Mode to save and pick domains (see also Dom_DefaultDomain):
Example: |
dword |
n/a |
|
Dom_IncludedInTFA |
List of the domains that require OTP. Example:
. |
multi_sz |
n/a |
|
Dom_RealmMappings |
Maps domain names to realm names (usually set up through the configuration app). Example:
.:. |
multi_sz |
n/a |
|
The next four entries are related to exempt users. |
|||
|
EU_GroupList |
Exempt groups. Members of the group will not need an OTP for login. |
multi_sz |
empty |
|
EU_UserGroupCachePeriod |
Number of days for which the cached groups are considered valid (related to EU_UserGroupsCached). |
dword |
|
|
EU_UserList |
Exempt users. Example:
|
multi_sz |
n/a |
|
EU_UserGroupsCached |
Shows if we have cached user groups or not. |
sz |
|
|
The next seven entries are related to FortiAuthenticator server. |
|||
|
Gen_HostSpecificSalt |
Salt for the offline storage. Note: This key should not be updated manually. |
Encrypted string |
n/a |
|
Gen_AdminName |
HTTP basic access authentication user. Example: |
sz |
n/a |
|
Gen_CACertificateFile |
Certificate for the FortiAuthenticator server. Example: |
sz |
n/a |
|
Gen_FacHost |
FortiAuthenticator server. Example: |
sz |
n/a |
|
Gen_RestAPIKey |
HTTP basic access authentication password. Note: This key should not be updated manually. |
Encrypted string |
n/a |
|
Gen_ServerSubjName |
FortiAuthenticator server subject name. Example: |
sz |
n/a |
|
Gen_VerifyServerCert |
Use certificate validation. |
sz |
|
|
The next seven entries are related to the alternate FortiAuthenticator server. |
|||
|
Gen_AltFacEnabled |
Alternate FortiAuthenticator server is configured. Example: |
sz |
n/a |
|
Gen_AltAdminName |
HTTP basic access authentication user for the alternate FortiAuthenticator server. Example: |
sz |
n/a |
|
Gen_AltCACertificateFile |
Certificate for the alternate FortiAuthenticator server. Example: |
sz |
n/a |
|
Gen_AltFacHost |
Alternate FortiAuthenticator server. Example: |
sz |
n/a |
|
Gen_AltRestAPIKey |
HTTP basic access authentication password for the alternate FortiAuthenticator server. Note: This key should not be updated manually. |
Encrypted string |
n/a |
|
Gen_AltServerSubjName |
FortiAuthenticator server subject name for the alternate FortiAuthenticator server. Example: |
sz |
n/a |
|
Gen_AltVerifyServerCert |
Use certificate validation for the alternate FortiAuthenticator server. |
sz |
|
|
The next ten entries are either informational or are hints about the last FortiAuthenticator server connection. |
|||
|
Inf_AllowedDriftHotp |
Maximum drift for HOTP tokens. Note: This key should not be updated manually. |
dword |
|
|
Inf_AllowedDriftTotp |
Maximum drift for TOTP tokens. Note: This key should not be updated manually. |
dword |
|
|
Inf_ApiVersion |
API version and date. Note: This key should not be updated manually. Example: |
sz |
n/a |
|
Inf_EmailSmsTokenTimeout |
Email or SMS token timeout. Note: This key should not be updated manually. |
dword |
|
|
Inf_IsOfflineEnabled |
Offline validation is enabled or not. Note: This key should not be updated manually. |
dword |
|
|
Inf_IsPushEnabled |
Push authentication is enabled or not. Note: This key should not be updated manually. |
dword |
|
|
Inf_MaxDurationTotp |
Maximum duration for TOTP. Note: This key should not be updated manually. |
dword |
|
|
Inf_MaxNumberHotp |
Maximum number for HOTP. Note: This key should not be updated manually. |
dword |
|
|
Inf_PreferredServer |
FortiAuthenticator server that responded faster:
Hint: Agent may prefer this FortiAuthenticator server for the next call. |
dword |
|
|
Inf_Timestamp |
Timestamp when the last 10 entries were updated. Note: This key should not be updated manually. |
qword |
n/a |