Using FortiAuthenticator To Perform Account Self Service For AD
I was asked a question on the FortiAuthenticator 4.0 Admin Guide about whether the FortiAuthenticator was needed in order for a FortiGate to communicate and authenticate with Windows Active Directory. The answer to that question is a resounding “NO”, but it did remind me of a neat trick the FortiAuthenticator does provide when deployed in an LDAP environment. I like to call little things like this configuration the key to #FortiSuccess.
When a FortiAuthenticator is deployed in a Windows Active Directory environment and its service account (the account you created for it to use when authenticating to AD in order to perform service tasks and lookups) has permissions to read and write to update passwords, you can use the FortiAuthenticator self-service portal to let your users perform AD password resets.
We all know, having worked in help-desk-style environments before, that one of the most frequent trouble tickets a service desk receives is the dreaded password reset for a user who has forgotten their credentials.
So buy a FortiAuthenticator, deploy it in your environment, and use it for self-service so that you can reduce your help desk workload and overhead!
I deployed this configuration for a large university, and they were able to greatly reduce the workload and needs of their help desk while making their users feel empowered.
The FortiAuthenticator 4.0 Documentation will tell you everything you need to know to deploy this setup. Specific Password Recovery configurations can be viewed on PAGE 4 of that same documentation.
Hi, thank you for the article.
Is it still working on version 4.2.1? I can find the password recovery for the local users only. Remote users (LDAP – Windows AD) are not supported. You can change the password but if you forgot the password you cannot reset or send a new one.
Error: User[xxxxxx] is a remote user. Password reset is not supported.
Let me set something up in my lab and give it a whirl.
Have you any updates on this? I was able to sync LDAP users as local to enable this, but it only appears to reset the local password, as of version 5.0.