Administration Guide

Methods

To configure FSSO methods:
  1. Go to Fortinet SSO > Settings > Methods.

    The Edit Fortinet Single Sign-On Methods window opens.

  2. Configure the following settings:
    Maximum concurrent user sessions

    Enter the maximum number of concurrent FSSO login sessions a user is allowed to have. Use 0 for unlimited.

    Select Fine-grained control to configure the maximum number of concurrent sessions for each user or group. See Fine-grained controls.

    Windows event log polling (e.g. domain controllers/Exchange servers)

    Select to enable Windows AD polling. This includes polling logon events from devices using Kerberos authentication or from Mac OS X systems.

    Select Configure Events to select the Windows security event IDs to use in event log polling. Select from event IDs 528, 540, 672, 673, 674, 680, 4624, 4768, 4769, 4770, and 4776.

    DNS lookup to get IP from workstation name

    Select to use DNS lookup to get IP address information when an event contains only the workstation name. This option is enabled by default.

    Directly use domain DNS suffix in lookup

    Select to use the domain DNS suffix when doing a DNS lookup. This option is disabled by default.

    Reverse DNS lookup to get workstation name from IP

    Select to enable reverse DNS lookup. Reverse DNS lookup is used when an event contains only an IP address and no workstation name. This option is enabled by default.

    Do one more DNS lookup to get full list of IPs after reverse lookup of workstation name

    Reverse DNS lookup is used when an event contains only an IP address and no workstation name. After the workstation name is determined, it is used in the DNS lookup again to get more complete IP address information. This is useful in environments where workstations have multiple network interfaces. This option is disabled by default.

    Include account name ending with $ (usually computer account)

    Accounts that end in "$" used to exclusively denote computer accounts with no actual user, but in some cases, valid accounts imported from dated systems can feature them. This option is disabled by default.

    FortiNAC SSO

    Select to enable the retrieval of SSO sessions from FortiNAC sources.

    Select FortiNAC sources to choose one or more configured FortiNAC sources to use as SSO sources.

    Select Configure FortiNACs to configure FortiNAC sources (under System > Administration > FortiNACs). For more information, see FortiNACs.

    RADIUS Accounting SSO clients

    Select to enable the detection of user sign-ons and sign-offs from incoming RADIUS accounting (Start, Stop, and Interim-Update) records.

    Syslog SSO

    Select to enable Syslog SSO, and configure syslog sources.

    Allow TLS encryption

    Enable to allow TLS encryption.

    Server Certificate

    From the dropdown, select one of the configured local server certificates.

    Require client authentication

    Enable to require that the client certificate must be signed by one of the configured local or trusted CA certificates.

    FortiClient SSO Mobility Agent Service

    Select to enable single sign-on (SSO) by clients running FortiClient Endpoint Security. For more information, see FortiClient SSO Mobility Agent.

    FortiClient listening port

    Enter the FortiClient listening port number.

    Require client certificate in TLS connection

    Enable to require client certificate in TLS connection. This option is disabled by default.

    Enable authentication

    Select to enable authentication, then enter a secret key, or password, in the Secret key field.

    Keep-alive interval

    Enter the duration between keep-alive transmissions, from 1 to 60 minutes. Default is 5 minutes.

    Idle timeout

    Enter the amount of time in minutes after which to log off a user if their status is not updated. The value cannot be lower than the Keep-alive interval value.

    NTLM authentication

    Select to enable NT LAN Manager (NTLM) authentication to allow logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication for security or other reasons.

    Enter an amount of time after which NTLM authentication expires in the NTLM authentication expiry field, from 1 to 10080 minutes (7 days).

    Tenant ID for legacy SSOMA

    Optionally, enter the default Microsoft Entra ID (formerly Azure AD) tenant ID for legacy SSOMA.

    Tenant domain name for legacy SSOMA

    Enter the tenant domain name for legacy SSOMA.

    Hierarchical FSSO tiering

    Select to enable hierarchical FSSO tiering. Enter the collector listening port in the Collector listening port field.

    DC/TS Agent Clients

    Select to enable clients using DC or TS Agent. Enter the TCP or UDP port in the DC/TS Agent listening port field. Default is 8002.


    Require encryption for DC/TS agents

    Select to require authentication, then enter a secret key, or password, in the Secret key field.

    Note: If this option is enabled, the TCP port is used and the UDP port is disabled. Otherwise, the UDP port is used and the TCP port is disabled.

    DNS lookup to get IP from workstation name

    Select to use DNS lookup to get IP address information when a client contains only the workstation name. This option is enabled by default.

    FortiAuthenticator attempts to obtain the workstation IP address using DNS lookup if the logon request contains only the workstation name. If the initial lookup fails, FortiAuthenticator will retry every 10 seconds for the following 5 minutes.

    Ignore workstation name that is not full DNS name

    Select this option if the DNS server does not support workstation names that are not full DNS names; otherwise, service delays may occur. This option is enabled by default.

    Reverse DNS lookup to get workstation name from IP

    Select to enable reverse DNS lookup. Reverse DNS lookup is used when a client contains only an IP address and no workstation name. This option is enabled by default.

    Restrict auto-discovered domain controllers to configured Windows event log sources and remote LDAP servers

    Select to enable restricting automatically discovered domain controllers to already configured domain controllers only. See Windows event log.

    Windows Active Directory workstation IP verification

    Select to enable workstation IP verification with Windows Active Directory.

    If enabled, select IP change detection via DNS lookup to detect IP changes via DNS lookup.

    Use changed IP even when workstation cannot be probed

    Enable to use the changed IP address even when the workstation cannot be probed.

    Allow NTLMv1 in client authentication to Windows AD server

    Optionally, enable NTLMv1.

    Allow SMB1 in client connection to Windows AD server

    Optionally, enable SMB1.

  3. Click Save.
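The ranges, defaults and option interactions listed in step 2 can be checked before a change is saved. The following is an added example, not FortiAuthenticator code: the settings are modelled as a plain dictionary with assumed key names, and the check reports range violations as errors and the legacy-protocol and unencrypted-transport options as warnings.

```python
"""Consistency check for the FSSO Methods settings (constructed example)."""

# Defaults that the page states; the key names are assumptions for this example.
DEFAULTS = {
    "max_concurrent_sessions": 0,       # 0 = unlimited
    "keep_alive_minutes": 5,            # 1..60, default 5
    "idle_timeout_minutes": 5,          # must not be lower than keep-alive
    "ntlm_expiry_minutes": 10080,       # 1..10080 (7 days)
    "dcts_agent_port": 8002,            # DC/TS Agent listening port default
    "dcts_require_encryption": False,   # "Require encryption for DC/TS agents"
    "allow_tls": False,                 # "Allow TLS encryption"
    "require_client_cert": False,       # "Require client authentication"
    "allow_ntlmv1": False,              # "Allow NTLMv1 ... to Windows AD server"
    "allow_smb1": False,                # "Allow SMB1 ... to Windows AD server"
}


def dcts_transport(settings):
    """Page note: encryption enabled -> TCP port used; otherwise UDP port used."""
    return "tcp" if settings["dcts_require_encryption"] else "udp"


def check_methods(settings):
    """Return errors (invalid values) and warnings (weak but valid choices)."""
    s = {**DEFAULTS, **settings}
    errors, warnings = [], []
    if s["max_concurrent_sessions"] < 0:
        errors.append("max_concurrent_sessions must be 0 (unlimited) or positive")
    if not 1 <= s["keep_alive_minutes"] <= 60:
        errors.append("keep_alive_minutes must be 1..60")
    if s["idle_timeout_minutes"] < s["keep_alive_minutes"]:
        errors.append("idle_timeout_minutes cannot be lower than keep_alive_minutes")
    if not 1 <= s["ntlm_expiry_minutes"] <= 10080:
        errors.append("ntlm_expiry_minutes must be 1..10080 (7 days)")
    if not 1 <= s["dcts_agent_port"] <= 65535:
        errors.append("dcts_agent_port must be a valid port number")
    if s["allow_ntlmv1"]:
        warnings.append("NTLMv1 enabled for client authentication to AD")
    if s["allow_smb1"]:
        warnings.append("SMB1 enabled for client connection to AD")
    if not s["allow_tls"]:
        warnings.append("TLS encryption not allowed for SSO sources")
    elif not s["require_client_cert"]:
        warnings.append("TLS allowed but client authentication not required")
    if s["max_concurrent_sessions"] == 0:
        warnings.append("unlimited concurrent FSSO sessions per user")
    return {"errors": errors, "warnings": warnings, "dcts_transport": dcts_transport(s)}


if __name__ == "__main__":
    weak = {"allow_ntlmv1": True, "allow_smb1": True, "idle_timeout_minutes": 2}
    hardened = {"allow_tls": True, "require_client_cert": True,
                "max_concurrent_sessions": 3, "dcts_require_encryption": True}
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        print(name, check_methods(cfg))
```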
