Optional configuration settings

FortiAuthenticator Agent for Microsoft Windows includes a range of settings specific to the behavior in the event of failure and when recovery is required. These features are described below.

Timeout

Timeout configures the behavior to adopt should the FortiAuthenticator become unavailable or slow to respond. By default, a request is considered unresponsive after five seconds, and three consecutive requests are made, so an unavailable system takes 15 seconds to time out. These default settings can be customized to make the system time out sooner or later if necessary.

Allow Realm-based authentication

Allow Realm-based authentication is disabled by default and can be enabled to allow FortiAuthenticator Agent for Microsoft Windows to use Realm-based authentication methods.

To create a realm in FortiAuthenticator, go to Authentication > User Management > Realms and select the Create New button. The realm listed in the Offline tab of FortiAuthenticator Agent for Microsoft Windows two-factor authentication settings must match the realm created in FortiAuthenticator.

Allow Push Authentication

Allow Push Authentication is enabled by default and allows FortiAuthenticator Agent for Microsoft Windows to use two-factor authentication push notifications.

To use FTM push authentication with FortiAuthenticator Agent for Microsoft Windows, enable FortiToken Mobile API (/api/v1/pushauthresp) on the configured FortiAuthenticator interface.

Override users

Override users are users whose tokens can be used to log other users into their systems. The purpose of such an override is to allow emergency access to a system when a user token is not available (e.g. lost, forgotten, or misplaced).

When this feature is enabled, the user can log in with the Administrator Override checkbox enabled. This creates an additional dialog during the login process to enter the Administrator Name that corresponds to the override OTP token.

Exempt users and groups

If local administrators are removed from Windows and all domain users are protected by two-factor authentication, but the Agent or FortiAuthenticator is incorrectly configured, users can be permanently locked out of the system, which may require a system reinstallation. It is therefore recommended that at least one exempt user is configured who can log in without entering a two-factor authentication token. You may also exempt user groups.

Exempt users can log in and recover any misconfiguration, avoiding the need for reinstallation of the operating system.

Exempt users can be selected from the domain in the Exempt Users tab when configuring two-factor authentication settings.

Tooltip

Although the option to enter an OTP is displayed for exempted users, it is not required. When an exempt user clicks Login without submitting an OTP, they are automatically logged in.

Contact secondary FortiAuthenticator for load-balancing HA

The agent can be set to try to reach a secondary FortiAuthenticator if the primary is unreachable. When configured, the primary and secondary are used in round-robin fashion for retries on each authentication.
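The Timeout and secondary-FortiAuthenticator settings above interact: the per-request timeout and the number of consecutive attempts bound how long a logon can hang, and with a secondary configured the retries alternate between the two servers. The following Python model is an added illustration of that documented behavior, not Fortinet's agent code; the `FailoverPolicy` class, the `authenticate` function and the simulated transport (server names and latencies) are all constructed here for the example. It lets an administrator reason about the worst-case delay a custom timeout and attempt count produce before users see a failure.

```python
"""Illustrative model (not Fortinet's implementation) of the agent's documented
retry behaviour: a per-request timeout, a fixed number of consecutive attempts,
and, when a secondary FortiAuthenticator is configured, alternating primary and
secondary on retries. No network I/O; latencies are simulated for offline use."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Documented defaults: 5 s per request, 3 consecutive requests (15 s total).
DEFAULT_TIMEOUT_SECONDS = 5.0
DEFAULT_ATTEMPTS = 3


@dataclass
class AuthAttempt:
    server: str
    elapsed: float
    outcome: str  # "ok", "denied" or "timeout"


@dataclass
class FailoverPolicy:
    primary: str
    secondary: Optional[str] = None  # None models "secondary not configured"
    timeout_seconds: float = DEFAULT_TIMEOUT_SECONDS
    attempts: int = DEFAULT_ATTEMPTS

    def server_for_attempt(self, index: int) -> str:
        """Round-robin between primary and secondary when both are configured."""
        if self.secondary is None:
            return self.primary
        return (self.primary, self.secondary)[index % 2]

    def worst_case_seconds(self) -> float:
        """Longest a logon can wait before the server set is declared unavailable."""
        return self.timeout_seconds * self.attempts


# A transport takes (server, timeout) and returns (outcome, seconds elapsed).
Transport = Callable[[str, float], Tuple[str, float]]


def make_simulated_transport(latencies: Dict[str, float],
                             verdict: str = "ok") -> Transport:
    """Constructed stand-in for the network: each server answers after a fixed
    latency with `verdict`; a server that is missing from the map or slower
    than the timeout is treated as unreachable (full timeout elapses)."""
    def send(server: str, timeout: float) -> Tuple[str, float]:
        latency = latencies.get(server)
        if latency is None or latency > timeout:
            return "timeout", timeout
        return verdict, latency
    return send


def authenticate(policy: FailoverPolicy,
                 send: Transport) -> Tuple[str, float, List[AuthAttempt]]:
    """Run the retry loop. Only an unresponsive server triggers a retry; a
    definitive answer ("ok" or "denied") ends the exchange immediately, so a
    denial is never retried against the other server."""
    history: List[AuthAttempt] = []
    total = 0.0
    for index in range(policy.attempts):
        server = policy.server_for_attempt(index)
        outcome, elapsed = send(server, policy.timeout_seconds)
        total += elapsed
        history.append(AuthAttempt(server, elapsed, outcome))
        if outcome != "timeout":
            return outcome, total, history
    return "unavailable", total, history


if __name__ == "__main__":
    # Primary down, secondary healthy: one 5 s timeout, then success on retry.
    policy = FailoverPolicy("fac-primary.example", "fac-secondary.example")
    send = make_simulated_transport({"fac-secondary.example": 0.2})
    result, seconds, history = authenticate(policy, send)
    print(result, f"{seconds:.1f}s", [a.server for a in history])
    # Both down: every attempt times out, 15 s before "unavailable".
    result, seconds, history = authenticate(policy, make_simulated_transport({}))
    print(result, f"{seconds:.1f}s", [a.server for a in history])
```

Shortening the timeout or attempt count (`FailoverPolicy(..., timeout_seconds=2.0, attempts=2)`) reduces `worst_case_seconds()` but also makes a slow, still-healthy FortiAuthenticator look unreachable, which is why the exempt-user safeguard described below matters whatever values you choose.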

Default domain for logon

The logon screen can be set to a default domain. Select None, Most Recent, or a specific domain from the dropdown list of domains available on the computer. For more information, see the Installation parameters.