Fortinet Document Library

Release Notes

Resolved issues

The resolved issues listed below may not list every bug that has been corrected with this release. For inquiries about a particular bug, please visit the Fortinet Support website.

| Bug ID | Description |
| --- | --- |
| 758522 | SP server certificate when expired produces a server 500 when trying to edit the SP configuration. |
| 744936 | Yubikey third party token failed authentication with "invalid token" error after FortiAuthenticator upgrades to version 6.4.0. |
| 742360 | Remote user sync not reflecting LDAP user's OU change. |
| 758011 | Logout from SAML FSSO portal is generating signature validation error and 403 forbidden upon re-authentication. |
| 749761 | FortiAuthenticator did not update user group info after sync user from LDAP server. |
| 739254 | Uploading CRL on LB secondary FortiAuthenticator causes GUI crash. |
| 754239 | LB secondary not syncing when we failover to the secondary FortiAuthenticator. |
| 755884 | History password policy not working. |
| 754589 | Push Service does not recognize the realm from the FortiAuthenticator agent. |
| 745679 | "Mandatory password and OTP" setting not enforcing OTP on unimported remote users. |
| 743480 | User sync rule now updates FortiToken assignment if a manual change occurs after initial sync. |
| 751605 | Timezone 63 Darwin shows time 1 hour ahead. |
| 753910 | Users Audit export: comma separated displayname shifts the cells/fields to the right. |
| 756798 | Self-service portal "Change Password" button returns 403 Forbidden error for remote users. |
| 744321 | Mobile FortiToken and SMS tokens log event from a scheduled syncing of remote LDAP users. |
| 731626 | Limit of 64 characters in SAN DNS field for CSR/Certificate creation. |
| 611922 | Improve SCEP grid layout. |
| 735782 | Alcatel RADIUS VSA dictionary needs to be updated. |
| 755539 | User lookup triggers internal server error 500 for users with two or more IdP sessions. |
| 670317 | Not possible to resize/change columns width in log table. |
| 712251 | Column resize or sort does not work properly in tables of FortiAuthenticator. |
| 748818 | SCEP and device enrollment does not work. |
| 752935 | 500 internal server error when using unknown email address for password reset. |
| 744768 | FortiAuthenticator not logging LDAP group membership changes. |
| 741495 | When trying to import users from FortiGate conf to FortiAuthenticator v6.4. |
| 729674 | FortiToken license status on LB nodes shows unknown. |
| 748270 | IdP proxy scenario with local AD for group membership does not work. |
| 741357 | Unable to download raw log. |
| 730640 | When signing a CSR via SCEP, FortiAuthenticator returns "Unable to sign request, Unable to find a unique name". |
| 741332 | FortiToken email activation sent to user again when LDAP sync runs after the timeout of token activation (user should stay disabled). |
| 744916 | Sort by name the sponsor list in the self-registration guest portal. |
| 737727 | Change in the password complexity rule is not taking effect. |
| 737078 | Private IPv6 address added to SSO list instead of public IPv6 when received from a RADIUS accounting source. |
| 706998 | GUI crashes during password recovery using E-mail address method if the E-mail is not associated with any user account. |
| 694599 | Certificate sync does not work from Master to LB Peer/Nodes. |
| 760580 | Deleting an unused group gives "500 internal server error". |
| 723065 | HA connection status is still showing connected even though the Primary FortiAuthenticator is already shut down. |
| 747259 | FSAE is taking high CPU. |
| 711940 | RAID widget is showing wrong status. |
| 685295 | Implement correct handling of VM license in case of configuration conversion. |
| 733788 | FortiAuthenticator Agent does not support UPN username format (as imported to the FortiAuthenticator). |
| 721189 | SMS: No update on number of sent messages on the dashboard. |
| 738349 | SAML querying the LDAP when the user is admin instead of looking for the user locally on remote LDAP users. |
| 709395 | High CPU utilization by wmid process. |
| 711721 | Groups sorting differences when importing LDAP groups in SSO groups and FortiGate filtering. |
| 756786 | Guest portal authentication request failed with Cisco WLC. |
| 754474 | SAML: SP Login page does not present the Done button in OSX CNA. |
| 586851 | HTTP of the FortiAuthenticator cannot be closed. |
| 752572 | Windows machine login caching not working and breaking user + machine authentication RADIUS policy condition. |
| 752954 | SAML SP ACS URL misconfig returns a Server 500 vs 403 and the log for SP config mismatch. |
| 751445 | Saving LDAP server config produces: Please submit 0 or fewer forms. |
| 748487 | FortiAuthenticator SAML SP requires at least 1 attribute in received SAML assertions from the remote IdP. |
| 731175 | Provide skeleton language pack. |
| 746411 | SMTP mail: failed to start session with the "Operation now in progress" error. |
| 632248 | Unable to provide publisher details/assign code signing certificate to a Smart Connect profile. |
| 691009 | FortiAuthenticator-VM 6.0.4 stops authenticating and GUI freezes until reboot is applied. |
| 748560 | FortiAuthenticator active-passive cluster plus load-balancing node does not sync properly. |
| 752114 | LDAP group query parsing error. |
| 742715 | "The username is in use and this user cannot be made into an administrator" error. |
| 748187 | EAP-TLS policy ignores group filter for cert user, cert user can authenticate even if it is not a member of the group. |
| 746538 | When applying the OpenLDAP template the out of the box User Object class does not find any user. |
| 742775 | Wrong message when user inputs incorrect email address or an incorrect username. |
| 730474 | FortiAuthenticator IdP proxy fails to proxy SAML assertions received from remote IdP when the User Attribute with same name exists. |
| 708384 | SAML IdP proxy session not showing and unable to log out from an external IdP. |
| 756657 | Error while changing HA password of Load Balancer node with HA enabled. |
| 752752 | LB + GUI local service certificate restrictions preventing reconfiguration. |
| 731442 | Case sensitive remote RADIUS username does not work well. |
| 758407 | SP metadata import causes GUI index error. |
| 752730 | RADIUS auth fails with invalid user if temporary token type = sms but no mobile number. |
| 756154 | Hide self-service portal token registration options when all are disabled. |
| 754134 | iOS 14 and iPhone 13 Safari browser: Error displayed on FIDO auto-start after password authentication. |
| 752749 | Remote LDAP server page loads incredibly slowly when many imported users exist. |
| 755111 | Issue with auto-redirect on HA administration page when enabling HA for load balancer role. |
| 735940 | Unable to restart radiusd in debug mode from FortiAuthenticator GUI debug tab after CSP changes for JS. |
| 753040 | HA status page should show "Name" of LB nodes in Cluster + LB mode. |
| 752732 | Admin trusted hosts applied to SAML auths, not just admin GUI. |
| 742657 | Test SMS phone number is not initialized. |
| 748148 | ubkey self-provisioning is broken. |
| 733585 | No log for policy priority change. |
| 740201 | User CSV import does group database check once per record. |
| 746096 | Upper case is not accepted for local users. |
| 706422 | LB should not delete certificates if they are used by config_setting table but not synced. |
| 744732 | FSSO eventlog polling fails for machine account ending with $. |
| 744505 | Unable to see top row title of replacement messages. |
| 739528 | Certificate CN validation gives wrong error. |
| 752755 | Customized SAML Token Login page's pre-existing pollTokenAuthResult JS broken after upgrade to 6.4.0. |
| 742719 | CPU usage 100% after clicking LDAP server in GUI in a customer setup (and GUI timeout). |
| 755701 | ESX deploy script. |
| 753032 | IdP logins for SP throwing SQL errors on missing session. |
| 753060 | User simultaneously created duplicate IdP session - resulted in broken session. |
| 752753 | System Access inaccessible if web certificate/CA are missing. |
| 554763 | Frequent CSRF errors when using HTTP authentication. |
| 752747 | LDAP sync appears to be updating every user record, including unmodified ones. |
| 750732 | Login activity not relayed from LB nodes to Master (for user expiry, etc). |
| 740202 | Better error-reporting when trying to restore a config which is for a different model. |
| 735652 | Unnecessary deletes on load-balancer cause really long re-sync delays. |
| 752242 | Logs: FortiAuthenticator should log details when FIDO registration fails. |
| 753921 | Change label wording for "Pre-Login Services" ==> "FIDO Revocation". |
| 752226 | FIDO: "Clear all Keys" should delete the keys. |
| 744134 | FortiAuthenticator should show "FIDO" in the token column of user page if user has registered a FIDO token. |
| 751543 | FTC: user_ip field in auth request is using Country value instead of IP. |
| 744287 | OpenSSL 1.1.1l security fixes -- August 2021. |
| 747232 | Pillow: precautionary upgrade. |
| 718365 | HA Cluster not able to access management port IP. |
| 739187 | REST API authentication for remote user with upper case should not return 401. |
| 758164 | Remote RADIUS user case sensitivity is not working properly. |
| 736062 | PCI enabled FIDO authentication portal does not work with FIDO user. |
| 737640 | Sync rule with multiple OTP assignment methods fails to sync users over if they are missing any one of the LDAP attributes. |
| 745963 | Unable to retrieve FIDO token 500 internal server error. |
| 752616 | Rephrase label "Every configured password and OTP factors". |
| 576467 | Request-URI too long error when we try to export or E-mail large amounts of newly created guest users. |
| 558658 | Rephrase timeout error message for timeout in deleting FTC user. |
| 732139 | Windows Event Log Sources JavaScript Error. |
| 744577 | Cannot import AD user groups as SSO Groups that have '+' in their names. |
| 734462 | Extraneous "No search results" message appears under RADIUS Attributes section in user group page. |
| 602248 | Migrating a user that already exists causes 500 internal error. |
| 743645 | Cannot change the name of local users realm. |
| 739542 | Remote RADIUS users with duplicate name REST API call cause 500 errors. |
| 603411 | Exporting guest users phone number format incorrect. |
| 736652 | New self service portal does not prompt for token resync, allows access with drifted OTP (when within configured window). |
| 734474 | LDAP users are able to enable security question through Self-Service portal without actually setting a security question. |
| 732406 | Editing security question results in duplicate UI in the pop-up. |
| 731214 | 500 Internal server error when end user has duplicate certificate bindings. |
| 680974 | "Forgot password" option does not work on portal when user is temporarily locked. |
| 736020 | "None" option for token assignment missing in self-service portal MFA page. |
| 736017 | Revoked FIDO token should display time in local time and not UTC. |
| 737638 | Missing username in OAuth Request causes 500 server error. |
| 734475 | "Internal Server Error" when local user enables security question without setting the security question through captive portal. |
| 579174 | FortiToken mobile for a remote RADIUS user on the FortiAuthenticator server and also on the FortiAuthenticator client fails to work. |
| 712166 | SCEP gives wrong validation message if "Renewal Days" expiry is left empty. |
| 739570 | Unable to create RADIUS attribute matching when creating a RADIUS policy. |
| 734034 | Cannot see MAC devices limit in portals settings for Firefox. |
| 734892 | FIDO popup message when saving user local information. |
| 758463 | FIDO key registration failing first try on iOS 15.1. |
| 761747 | Force password change not working when FIDO is enabled in portal policy. |
| 751208 | FortiAuthenticator cannot support "mschapv2" as password encoding format for the RADIUS client. |
| 736670 | api/v1/ssoauth/ API request returns 500 internal error occasionally. |
| 749559 | Windows AD computer authentication option missing from RADIUS policies. |
| 743629 | Remote RADIUS user takes longer than 30 sec to verify the deny process. |
| 744073 | FortiGate fails to get FSSO list from FortiAuthenticator if the login user group belongs to OU with special characters like +EU. |
| 701758 | Problem setting static IP address on a FortiAuthenticator-VM installed on a XenServer. |
| 761875 | In the captive portal, when a wrong token code is entered, FortiAuthenticator does not display any error message and just redirects to the login page. |
| 763503 | Remote user sync rule does not work with email/FTC 2FA. |
| 762263 | PCI mode's behaviour for user without FIDO enabled is incorrect. |
| 762268 | Password change not working for remote LDAP users. |
| 603510 | Memory usage is High. |
| 763803 | LB sync is broken for MAC devices if it is associated to a non-synced user. |
| 746715 | Optimize introduction of Load Balancing node(s) to an A-A Cluster to provide high availability. |
| 760305 | CLI's "exec ha-rebuild" does not work; cannot find required binaries in PATH. |
