Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

Appendix D - FortiAuthenticator Agent for Microsoft Windows registry files

The following registry files are used in FortiAuthenticator Agent for Microsoft Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FAC_Agent_v1.0

Keys

Description

Type

Default value

27C65014-B660-4141-B9C4-9D35CFE99AE5

A plugin credential provider ID for the FortiAuthenticator Agent for Microsoft Windows, and a binary flag for Windows Agent plugin features.

Note: This key should not be updated manually.

dword

0x00000062

Auth_RdpOnly

Enable FortiAuthenticator Agent for Microsoft Windows 2FA for Remote Desktop Protocol (RDP) sessions only:

  • When set to 0, local logons require 2FA.

  • When set to 1, local logons do not require 2FA.

Note: This key can be absent.

dword

0

AvailableDomains

List of domains. It can be updated by the user, or it will be updated by the Configuration app.

Example:

ABBY.AD.FACDOM.CA:ABBY

AD.FACDOM.CA:FACDOM

.:.

multi_sz

n/a

CredentialProvidersWhiteList

List of other specific credential providers we allow alongside FortiAuthenticator Agent CP.

Note: To add multiple values for this key, enter a list of GUIDs in brackets. Optionally, you can use commas to separate the contents of the list.

Example:

Two allowed credential providers for (smartcard credential provider, iris credential provider):

{1b283861-754f-4022-ad47-a5eaaa618894}{C885AA15-1764-4293-B82A-0586ADD46B35}

Alternatively, they can be added as:

{1b283861-754f-4022-ad47-a5eaaa618894},{C885AA15-1764-4293-B82A-0586ADD46B35}

sz

absent

DisableMSPasswordProvider

Allows to sign-in through Windows Agent only.

sz

True

InstallPath

Installation path for the FortiAuthenticator Agent for Microsoft Windows.

Note: This key should not be updated manually.

sz

C:\\Program Files\\Fortinet\\FortiAuthenticator Agent

IPluginAuthentication_Order

Order of plugins to authenticate the user.

Note: We have only one plugin for now.

multi_sz

27C65014-B660-4141-B9C4-9D35CFE99AE5

IPluginAuthorization_Order

Reserved for future.

n/a

empty

IPluginAuthenticationGateway_Order

Reserved for future.

n/a

empty

IPluginFetchTokens_Order

Order of plugins to fetch tokens for the user.

Note: We have only one plugin for now.

multi_sz

27C65014-B660-4141-B9C4-9D35CFE99AE5

IPluginEventNotifications_Order

Reserved for future.

n/a

empty

IPluginPushNotification_Order

Order of plugins for push authentication of the user.

Note: We have only one plugin for now.

multi_sz

27C65014-B660-4141-B9C4-9D35CFE99AE5

MaxClients

Number of connections from the Credential Provider to the (internal) FortiAuthenticator service.

dword

0x0000019

Motd

(Message Of The Day) Message, appears on the login screen.

sz

FortiAuthenticator Agent Version: %v

PluginDirectories

Installation directory for plugins. It is the installation directory for FortiAuthenticator Agent for Microsoft Windows itself.

Note: We have only one plugin for now.

multi_sz

C:\Program Files\Fortinet\FortiAuthenticator Agent

ServicePipeName

Connection/pipe name from the Credential Provider to the (internal) FortiAuthenticator service.

sz

FAC_AgentPipe

TileImage

Path to the "Other user" tile image on the login screen.

sz

empty (Fortinet image is shown)

TraceMsgTraffic

Log messages between the Credential Provider and the (internal) FortiAuthenticator service.

Note: These are not messages from the Agent to the FortiAuthenticator server.

sz

False- for investigation only.

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FAC_Agent_v1.0\Plugins\27c65014-b660-4141-b9c4-9d35cfe99ae5

Keys

Description

Type

Default value

The next eight entries are related to authentication.

Auth_AllowAdminOTP

Allows admin OTP on the login screen.

Example: False

sz

n/a

Auth_CacheCredPeriod

Number of days the user is allowed to login with failed OTP (related to Auth_FailAction).

dword

0x0000001e

Auth_FailAction

Allowed to login with a failed OTP (see Auth_CacheCredPeriod and Auth_OfflineEnabled).

dword

0

Auth_NumRetries

Number of additional tries to connect to the FortiAuthenticator server after failure (related to Auth_Timeout).

dword

1 (valid range is 0-3)

Auth_OfflineEnabled

Allow authentication, based on downloaded tokens (or allow logon on failed OTP, if Auth_FailAction is configured).

sz

True

Auth_OfflineSharedSecret

Shared secret for the offline storage - must match FortiAuthenticator.

Note: This key should not be updated manually.

Encrypted string

n/a

Auth_RealmBased

Forces to use realm in addition to the username for authentication (from version 3.0).

sz

True

Auth_Timeout

Number of seconds to wait until next retry (related to Auth_NumRetries).

dword

0x0000000f

The next four entries are domain-related.

Dom_DefaultDomain

Domain, selected on the login screen by default (see Dom_DefaultDomainMode).

Example: FACDOM

sz

n/a

Dom_DefaultDomainMode

Mode to save and pick domains (see also Dom_DefaultDomain):

  • 0: No domain should be selected

  • 1: last domain

  • 2: specific domain

Example: 1.

dword

n/a

Dom_IncludedInTFA

List of the domains that require OTP.

Example:

FACDOM

.

multi_sz

n/a

Dom_RealmMappings

Maps domain names to realm names (usually set up through the configuration app).

Example:

AD.FACDOM.CA:facdom

.:.

multi_sz

n/a

The next four entries are related to exempt users.

EU_GroupList

Exempt groups. Members of the group will not need an OTP for login.

multi_sz

empty

EU_UserGroupCachePeriod

Number of days for which the cached groups are considered valid (related to EU_UserGroupsCached).

dword

0x1e

EU_UserList

Exempt users.

Example:

FACDOM/Administrator

FACDOM/System

multi_sz

n/a

EU_UserGroupsCached

Shows if we have cached user groups or not.

sz

False

The next seven entries are related to FortiAuthenticator server.

Gen_HostSpecificSalt

Salt for the offline storage.

Note: This key should not be updated manually.

Encrypted string

n/a

Gen_AdminName

HTTP basic access authentication user.

Example: admin

sz

n/a

Gen_CACertificateFile

Certificate for the FortiAuthenticator server.

Example: C:\\Program Files\\Fortinet\\fortinet_ca.crt

sz

n/a

Gen_FacHost

FortiAuthenticator server.

Example: http://www.facdom.ca

sz

n/a

Gen_RestAPIKey

HTTP basic access authentication password.

Note: This key should not be updated manually.

Encrypted string

n/a

Gen_ServerSubjName

FortiAuthenticator server subject name.

Example: FAC-VM1

sz

n/a

Gen_VerifyServerCert

Use certificate validation.

sz

True

The next seven entries are related to the alternate FortiAuthenticator server.

Gen_AltFacEnabled

Alternate FortiAuthenticator server is configured.

Example: True

sz

n/a

Gen_AltAdminName

HTTP basic access authentication user for the alternate FortiAuthenticator server.

Example: admin

sz

n/a

Gen_AltCACertificateFile

Certificate for the alternate FortiAuthenticator server.

Example: C:\\Program Files\\Fortinet\\fortinet_ca_alt.crt

sz

n/a

Gen_AltFacHost

Alternate FortiAuthenticator server.

Example: 192.168.150.111

sz

n/a

Gen_AltRestAPIKey

HTTP basic access authentication password for the alternate FortiAuthenticator server.

Note: This key should not be updated manually.

Encrypted string

n/a

Gen_AltServerSubjName

FortiAuthenticator server subject name for the alternate FortiAuthenticator server.

Example: FAC-VM2

sz

n/a

Gen_AltVerifyServerCert

Use certificate validation for the alternate FortiAuthenticator server.

sz

True

The next ten entries are either informational or are hints about the last FortiAuthenticator server connection.

Inf_AllowedDriftHotp

Maximum drift for HOTP tokens.

Note: This key should not be updated manually.

dword

0x00000003

Inf_AllowedDriftTotp

Maximum drift for TOTP tokens.

Note: This key should not be updated manually.

dword

0x00000001

Inf_ApiVersion

API version and date.

Note: This key should not be updated manually.

Example: 6.2.0-0525 20200513

sz

n/a

Inf_EmailSmsTokenTimeout

Email or SMS token timeout.

Note: This key should not be updated manually.

dword

0x0000003c

Inf_IsOfflineEnabled

Offline validation is enabled or not.

Note: This key should not be updated manually.

dword

1

Inf_IsPushEnabled

Push authentication is enabled or not.

Note: This key should not be updated manually.

dword

1

Inf_MaxDurationTotp

Maximum duration for TOTP.

Note: This key should not be updated manually.

dword

0x0000007

Inf_MaxNumberHotp

Maximum number for HOTP.

Note: This key should not be updated manually.

dword

0x0000000a

Inf_PreferredServer

FortiAuthenticator server that responded faster:

0: Main FortiAuthenticator

1: Alternate FortiAuthenticator

Hint: Agent may prefer this FortiAuthenticator server for the next call.

dword

0

Inf_Timestamp

Timestamp when the last 10 entries were updated.

Note: This key should not be updated manually.

qword

n/a

User-related offline registry settings are not included
Deprecated entries (from version 3.0) are not in the list: all Gina-related entries

Appendix D - FortiAuthenticator Agent for Microsoft Windows registry files

The following registry files are used in FortiAuthenticator Agent for Microsoft Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FAC_Agent_v1.0

Keys

Description

Type

Default value

27C65014-B660-4141-B9C4-9D35CFE99AE5

A plugin credential provider ID for the FortiAuthenticator Agent for Microsoft Windows, and a binary flag for Windows Agent plugin features.

Note: This key should not be updated manually.

dword

0x00000062

Auth_RdpOnly

Enable FortiAuthenticator Agent for Microsoft Windows 2FA for Remote Desktop Protocol (RDP) sessions only:

  • When set to 0, local logons require 2FA.

  • When set to 1, local logons do not require 2FA.

Note: This key can be absent.

dword

0

AvailableDomains

List of domains. It can be updated by the user, or it will be updated by the Configuration app.

Example:

ABBY.AD.FACDOM.CA:ABBY

AD.FACDOM.CA:FACDOM

.:.

multi_sz

n/a

CredentialProvidersWhiteList

List of other specific credential providers we allow alongside FortiAuthenticator Agent CP.

Note: To add multiple values for this key, enter a list of GUIDs in brackets. Optionally, you can use commas to separate the contents of the list.

Example:

Two allowed credential providers for (smartcard credential provider, iris credential provider):

{1b283861-754f-4022-ad47-a5eaaa618894}{C885AA15-1764-4293-B82A-0586ADD46B35}

Alternatively, they can be added as:

{1b283861-754f-4022-ad47-a5eaaa618894},{C885AA15-1764-4293-B82A-0586ADD46B35}

sz

absent

DisableMSPasswordProvider

Allows to sign-in through Windows Agent only.

sz

True

InstallPath

Installation path for the FortiAuthenticator Agent for Microsoft Windows.

Note: This key should not be updated manually.

sz

C:\\Program Files\\Fortinet\\FortiAuthenticator Agent

IPluginAuthentication_Order

Order of plugins to authenticate the user.

Note: We have only one plugin for now.

multi_sz

27C65014-B660-4141-B9C4-9D35CFE99AE5

IPluginAuthorization_Order

Reserved for future.

n/a

empty

IPluginAuthenticationGateway_Order

Reserved for future.

n/a

empty

IPluginFetchTokens_Order

Order of plugins to fetch tokens for the user.

Note: We have only one plugin for now.

multi_sz

27C65014-B660-4141-B9C4-9D35CFE99AE5

IPluginEventNotifications_Order

Reserved for future.

n/a

empty

IPluginPushNotification_Order

Order of plugins for push authentication of the user.

Note: We have only one plugin for now.

multi_sz

27C65014-B660-4141-B9C4-9D35CFE99AE5

MaxClients

Number of connections from the Credential Provider to the (internal) FortiAuthenticator service.

dword

0x0000019

Motd

(Message Of The Day) Message, appears on the login screen.

sz

FortiAuthenticator Agent Version: %v

PluginDirectories

Installation directory for plugins. It is the installation directory for FortiAuthenticator Agent for Microsoft Windows itself.

Note: We have only one plugin for now.

multi_sz

C:\Program Files\Fortinet\FortiAuthenticator Agent

ServicePipeName

Connection/pipe name from the Credential Provider to the (internal) FortiAuthenticator service.

sz

FAC_AgentPipe

TileImage

Path to the "Other user" tile image on the login screen.

sz

empty (Fortinet image is shown)

TraceMsgTraffic

Log messages between the Credential Provider and the (internal) FortiAuthenticator service.

Note: These are not messages from the Agent to the FortiAuthenticator server.

sz

False- for investigation only.

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FAC_Agent_v1.0\Plugins\27c65014-b660-4141-b9c4-9d35cfe99ae5

Keys

Description

Type

Default value

The next eight entries are related to authentication.

Auth_AllowAdminOTP

Allows admin OTP on the login screen.

Example: False

sz

n/a

Auth_CacheCredPeriod

Number of days the user is allowed to login with failed OTP (related to Auth_FailAction).

dword

0x0000001e

Auth_FailAction

Allowed to login with a failed OTP (see Auth_CacheCredPeriod and Auth_OfflineEnabled).

dword

0

Auth_NumRetries

Number of additional tries to connect to the FortiAuthenticator server after failure (related to Auth_Timeout).

dword

1 (valid range is 0-3)

Auth_OfflineEnabled

Allow authentication, based on downloaded tokens (or allow logon on failed OTP, if Auth_FailAction is configured).

sz

True

Auth_OfflineSharedSecret

Shared secret for the offline storage - must match FortiAuthenticator.

Note: This key should not be updated manually.

Encrypted string

n/a

Auth_RealmBased

Forces to use realm in addition to the username for authentication (from version 3.0).

sz

True

Auth_Timeout

Number of seconds to wait until next retry (related to Auth_NumRetries).

dword

0x0000000f

The next four entries are domain-related.

Dom_DefaultDomain

Domain, selected on the login screen by default (see Dom_DefaultDomainMode).

Example: FACDOM

sz

n/a

Dom_DefaultDomainMode

Mode to save and pick domains (see also Dom_DefaultDomain):

  • 0: No domain should be selected

  • 1: last domain

  • 2: specific domain

Example: 1.

dword

n/a

Dom_IncludedInTFA

List of the domains that require OTP.

Example:

FACDOM

.

multi_sz

n/a

Dom_RealmMappings

Maps domain names to realm names (usually set up through the configuration app).

Example:

AD.FACDOM.CA:facdom

.:.

multi_sz

n/a

The next four entries are related to exempt users.

EU_GroupList

Exempt groups. Members of the group will not need an OTP for login.

multi_sz

empty

EU_UserGroupCachePeriod

Number of days for which the cached groups are considered valid (related to EU_UserGroupsCached).

dword

0x1e

EU_UserList

Exempt users.

Example:

FACDOM/Administrator

FACDOM/System

multi_sz

n/a

EU_UserGroupsCached

Shows if we have cached user groups or not.

sz

False

The next seven entries are related to FortiAuthenticator server.

Gen_HostSpecificSalt

Salt for the offline storage.

Note: This key should not be updated manually.

Encrypted string

n/a

Gen_AdminName

HTTP basic access authentication user.

Example: admin

sz

n/a

Gen_CACertificateFile

Certificate for the FortiAuthenticator server.

Example: C:\\Program Files\\Fortinet\\fortinet_ca.crt

sz

n/a

Gen_FacHost

FortiAuthenticator server.

Example: http://www.facdom.ca

sz

n/a

Gen_RestAPIKey

HTTP basic access authentication password.

Note: This key should not be updated manually.

Encrypted string

n/a

Gen_ServerSubjName

FortiAuthenticator server subject name.

Example: FAC-VM1

sz

n/a

Gen_VerifyServerCert

Use certificate validation.

sz

True

The next seven entries are related to the alternate FortiAuthenticator server.

Gen_AltFacEnabled

Alternate FortiAuthenticator server is configured.

Example: True

sz

n/a

Gen_AltAdminName

HTTP basic access authentication user for the alternate FortiAuthenticator server.

Example: admin

sz

n/a

Gen_AltCACertificateFile

Certificate for the alternate FortiAuthenticator server.

Example: C:\\Program Files\\Fortinet\\fortinet_ca_alt.crt

sz

n/a

Gen_AltFacHost

Alternate FortiAuthenticator server.

Example: 192.168.150.111

sz

n/a

Gen_AltRestAPIKey

HTTP basic access authentication password for the alternate FortiAuthenticator server.

Note: This key should not be updated manually.

Encrypted string

n/a

Gen_AltServerSubjName

FortiAuthenticator server subject name for the alternate FortiAuthenticator server.

Example: FAC-VM2

sz

n/a

Gen_AltVerifyServerCert

Use certificate validation for the alternate FortiAuthenticator server.

sz

True

The next ten entries are either informational or are hints about the last FortiAuthenticator server connection.

Inf_AllowedDriftHotp

Maximum drift for HOTP tokens.

Note: This key should not be updated manually.

dword

0x00000003

Inf_AllowedDriftTotp

Maximum drift for TOTP tokens.

Note: This key should not be updated manually.

dword

0x00000001

Inf_ApiVersion

API version and date.

Note: This key should not be updated manually.

Example: 6.2.0-0525 20200513

sz

n/a

Inf_EmailSmsTokenTimeout

Email or SMS token timeout.

Note: This key should not be updated manually.

dword

0x0000003c

Inf_IsOfflineEnabled

Offline validation is enabled or not.

Note: This key should not be updated manually.

dword

1

Inf_IsPushEnabled

Push authentication is enabled or not.

Note: This key should not be updated manually.

dword

1

Inf_MaxDurationTotp

Maximum duration for TOTP.

Note: This key should not be updated manually.

dword

0x0000007

Inf_MaxNumberHotp

Maximum number for HOTP.

Note: This key should not be updated manually.

dword

0x0000000a

Inf_PreferredServer

FortiAuthenticator server that responded faster:

0: Main FortiAuthenticator

1: Alternate FortiAuthenticator

Hint: Agent may prefer this FortiAuthenticator server for the next call.

dword

0

Inf_Timestamp

Timestamp when the last 10 entries were updated.

Note: This key should not be updated manually.

qword

n/a

User-related offline registry settings are not included
Deprecated entries (from version 3.0) are not in the list: all Gina-related entries