FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
cborgato_FTNT
Article Id 194250

Description
This article explains that FortiAuthenticator does not store user passwords when it proxies RADIUS authentication to Windows Active Directory.

Solution
Since version 4.3 (or possibly earlier), FortiAuthenticator has allowed users to change their Windows AD passwords through it when required (RADIUS password renewal).

Several tickets have asked whether FortiAuthenticator stores the user's password locally. The scope of this article is to confirm that FortiAuthenticator acts only as a proxy for password validation against AD and does not store passwords locally.

Example

Authentication flow: FGT (RADIUS) -> FAC (Secure LDAP) -> AD Server

1) Configure the LDAP server in FAC, enable Secure LDAP, and join FAC to the Windows AD domain.

2) Configure the RADIUS client in FAC to 'Use Windows AD domain authentication'.

3) The RADIUS authentication request uses MS-CHAPv2.

4) Enable password renewal in the RADIUS server entry on the FGT (config user radius):

    config user radius
        edit "AD-RAD"
            set server "1.2.3.4"
            set secret ENC …
            set auth-type ms_chap_v2
            set password-renewal enable
        next
    end

Observed behavior: when a user changes their password, for example from Password1 to Password2, the user can still log in successfully with the old password (Password1) immediately after the change. After about a minute, only the new password (Password2) is accepted, as expected.

Explanation: such behavior might lead the customer to think that FortiAuthenticator caches the password locally, and that the delay comes from synchronizing the new password between FortiAuthenticator and the domain controller.

FortiAuthenticator does not store a copy of the password. It is only a proxy that forwards password validation to AD, so it has nothing to resynchronize. The explanation for the delay must therefore be sought on the AD side. Two common causes are worth checking there: replication delay when the password change and the subsequent authentication are serviced by different domain controllers, and the Windows grace period during which the previous password is still accepted for NTLM network logons after a change (Microsoft KB 906305, controlled by the OldPasswordAllowedPeriod registry value, default 60 minutes).
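The following PowerShell script is an added example and is not part of the original article or of any Fortinet tooling. It performs the two AD-side checks that explain an "old password still works" window: it queries the user's pwdLastSet attribute from every domain controller to show which DCs have already received the new password, and it reads the OldPasswordAllowedPeriod value from each DC's registry. It assumes the ActiveDirectory module (RSAT) is installed, that the operator can read the DCs' registry remotely via Invoke-Command, and that the account to inspect is passed as -SamAccountName; all of those are assumptions for the example. To reproduce the behavior itself from the FortiGate first, use 'diagnose test authserver radius AD-RAD mschap2 <user> <password>' with the old and then the new password.

```powershell
# Added example (not from the original article): check the AD-side causes of the
# window in which the previous password is still accepted after a change.
# Assumptions: ActiveDirectory module available, remote registry readable via
# Invoke-Command, user identified by -SamAccountName.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)

Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1) Replication view: a DC that still shows the old pwdLastSet has not yet received
#    the new password and will keep validating the old one until it replicates.
Write-Host "pwdLastSet for $SamAccountName as seen by each domain controller:"
foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties pwdLastSet
        $when = [DateTime]::FromFileTime($u.pwdLastSet)
        Write-Host ("  {0,-40} {1:u}" -f $dc, $when)
    } catch {
        Write-Host ("  {0,-40} query failed: {1}" -f $dc, $_.Exception.Message)
    }
}

# 2) NTLM grace period (Microsoft KB 906305): after a password change Windows keeps
#    accepting the previous password for NTLM network logons for
#    OldPasswordAllowedPeriod minutes; when the value is absent the default is 60.
#    Whether this covers MS-CHAPv2 responses validated through the domain secure
#    channel should be confirmed against the observed window: the ~1 minute seen in
#    this article is shorter than the 60-minute default, so replication is the more
#    likely match, but a non-default value here would change that conclusion.
Write-Host "`nOldPasswordAllowedPeriod (minutes) per domain controller:"
foreach ($dc in $dcs) {
    $val = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name OldPasswordAllowedPeriod -ErrorAction SilentlyContinue).OldPasswordAllowedPeriod
    } -ErrorAction SilentlyContinue
    if ($null -eq $val) { $shown = 'not set (default 60)' } else { $shown = $val }
    Write-Host ("  {0,-40} {1}" -f $dc, $shown)
}
```

Run it right after the password change and again a couple of minutes later: if the pwdLastSet timestamps differ between DCs on the first run and converge on the second, the window is replication lag and has nothing to do with FortiAuthenticator.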
