Description This article describes possible reasons for Remote User Sync Rules on FortiAuthenticator not assigning two-factor authentication as expected.
Solution FortiAuthenticator can be used to synchronize users from remote LDAP servers. This feature can also be used to automatically assign two-factor-authentication to users as they are synchronized to FortiAuthenticator, allowing bulk assignment and automated assignment for new users.
However, sometimes Remote User Sync Rules can appear to execute, but the Tokens that should be assigned are not actually added to members.
This can have multiple reasons:
1) The user is already synchronized to FortiAuthenticator
If the user(s) that should be assigned a Token via a Remote User Sync Rule already exist on FortiAuthenticator, then FortiAuthenticator skips them when the Sync Rule is executed and no token will be assigned. The user(s) in question could have already been synchronized via the same Rule (if it was modified later to start assigning Tokens) or via a different Rule. This is especially prevalent if the user matches multiple filters defined in different Sync Rules.
To fix this, remove the user(s) from FortiAuthenticator (Delete it under Authentication -> User Management -> Remote Users), then execute the Remote User Sync Rule.
Note: This case does not trigger any error message.
2) There are no users matching the defined filter
This will be visible in the logs after the Remote User Sync Rule is executed; there will be log messages to this effect:
date=2019-09-25 time=15:38:59+0000 oid=635 logid=30303 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="Sync rule "Forti-test" was aborted because LDAP server "Forti-test (10.5.25.99)" returned an empty result and enforce empty response is disabled. It is not clear whether this is an expected result or a misconfiguration. Please check your configuration." user="" date=2019-09-25 time=15:38:58+0000 oid=634 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="No remote users found for sync rule "Forti-test" on remote LDAP server Forti-test (10.5.25.99)." user=""
3) There is an issue with the Token getting assigned
If there are missing values for the users (like no defined email addresses), Token assignment will fail during Remote User Sync, and the users will not be added on FortiAuthenticator. This is also visible in logs:
date=2019-09-25 time=15:33:43+0000 oid=621 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Unable to import valid token-based authentication for remote LDAP user marfortinet (rule: FortiTokenTest) @ Forti-test (10.5.25.99)." user="marfortinet" date=2019-09-25 time=15:33:43+0000 oid=620 logid=30303 cat="Event" subcat="System" level="notice" nas="" action="" status="" msg="Cannot assign an FTM token to remote LDAP user marfortinet @ Forti-test (10.5.25.99) without a valid email address." user=""
4) Other reasons
Other issues can also be visible in the logs (Go to: Logging -> Log Access -> Logs) after a Remote User Sync Rule has executed. Should Remote User Sync not assign Tokens when the above steps have been checked, contact Fortinet Technical Support or visit the Fortinet Forums.
