Monday, June 13, 2022

FortiClient - RSA New Pin Is Wrong (-7201) error

This message is somewhat misleading.


One of our users was attempting to log in to the VPN and their Active Directory password had expired.
When they tried to follow the steps to enter their new password, they received the above error message.

The root cause was that the new password they were trying to use did not meet the Active Directory password complexity requirements.

So while the error message itself is pretty generic, it appears that this is simply what is returned from the back-end RADIUS server. There is not much the FortiGate can do to further interpret the error.
It would be up to the RADIUS vendor to send a more descriptive error message.

Wednesday, March 23, 2022

Problems with FortiClient 7.0.2 and Firefox

We noticed during recent testing that FortiClient 7.0.2 has an issue with Firefox, specifically with Google services such as Google Search and Gmail.

While web-filtering was enabled on the client, an initial access to Google would work in Firefox; however, after a minute or so nothing would happen when trying to refresh the browser session.

The root cause appears to be related to 0RTT (Zero Round Trip Time) and only affects Firefox but not other browsers. Fortinet has tracked this as bug ID 766869.

The issue is resolved in FortiClient 7.0.3 and a workaround is to disable 0RTT in Firefox using the following procedure:

In a Firefox browser window:

  • Go to about:config
  • Search for security.tls.enable_0rtt_data
  • Set the value to false
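
To apply the same workaround across several profiles or machines, the preference can be pinned in each profile's `user.js`. The script below is an added example, not part of the original post or anything from Fortinet; the function names are hypothetical and it assumes you pass it one or more Firefox profile directories.

```python
"""Audit/pin security.tls.enable_0rtt_data in a Firefox profile (added example)."""
import re
import sys
from pathlib import Path

PREF = "security.tls.enable_0rtt_data"
# Matches lines of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def _lines(path):
    """Lines of a prefs file, or an empty list if the file does not exist."""
    return path.read_text(encoding="utf-8", errors="replace").splitlines() if path.is_file() else []

def read_pref(path, name=PREF):
    """Return the last value assigned to `name` in one prefs file, or None."""
    value = None
    for line in _lines(path):
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)  # later lines override earlier ones
    return value

def effective_value(profile, name=PREF):
    """user.js is applied over prefs.js at startup, so check it first."""
    for fname in ("user.js", "prefs.js"):
        value = read_pref(Path(profile) / fname, name)
        if value is not None:
            return value
    return None  # not set in the profile: Firefox's built-in default applies

def disable_0rtt(profile):
    """Pin the pref to false in user.js. Returns True if the file was changed."""
    user_js = Path(profile) / "user.js"
    if read_pref(user_js) == "false":
        return False  # already pinned, leave the file untouched
    # Drop any existing lines for this pref, keep everything else as-is.
    kept = [l for l in _lines(user_js)
            if not ((m := PREF_LINE.match(l)) and m.group(1) == PREF)]
    kept.append(f'user_pref("{PREF}", false);')
    user_js.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return True

if __name__ == "__main__":
    # Usage: python pin_0rtt.py <profile dir> [<profile dir> ...]
    for profile in sys.argv[1:]:
        before = effective_value(profile)
        changed = disable_0rtt(profile)
        print(f"{profile}: was {before or 'unset'}, "
              f"user.js {'updated' if changed else 'already pinned'}")
```

Firefox reads `user.js` at startup, so the change takes effect after the browser is restarted.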