Fortinet SSO (DC Agent Mode) and AuthLite break each other
When Fortinet SSO Agent is installed on a DC and running in "DC Agent" mode instead of Polling mode, AuthLite is prevented from working. Whichever product was most recently installed (or repaired) will function, and the other will not.
Windows provides only one "Auth0" registry hook under HKLM\System\CurrentControlSet\Control\Lsa. AuthLite absolutely requires this to function, but Fortinet can be run in Polling mode instead.
Install the LSA Multiplexer on every DC, and restart. The multiplexer watches the Auth0 hook and makes sure it remains set to the multiplexer itself. It then calls dcagent (Fortinet) followed by AuthLite, so both products can work correctly.
Alternatively, switch to Polling Mode in Fortinet:
- Remove DC Agent
- Uninstall AuthLite MSI on the DC (you can SKIP this reboot)
- Install AuthLite MSI again to set the hook properly
- Now reboot the DC
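
To confirm which product currently owns the Auth0 hook on each DC, before or after either fix, the value can be read remotely. This is an added example, not code from AuthLite or Fortinet. The DC names are placeholders, the function name is hypothetical, and it assumes the string "dcagent" (the Fortinet component named above) appears in the value data when Fortinet holds the hook.

```powershell
# Added example: list every value named "Auth0" found under the Lsa key
# (the key itself and its immediate subkeys) on each domain controller.
function Get-LsaAuth0Hook {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $lsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($computer in $ComputerName) {
        $hklm = $null
        try {
            # Needs the Remote Registry service and admin rights on the target DC.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa = $hklm.OpenSubKey($lsaPath)
            if ($null -eq $lsa) { throw 'Lsa key not found' }

            foreach ($sub in @('') + $lsa.GetSubKeyNames()) {
                $key = if ($sub) { $lsa.OpenSubKey($sub) } else { $lsa }
                if ($null -eq $key) { continue }
                if ($key.GetValueNames() -contains 'Auth0') {
                    $data = [string]$key.GetValue('Auth0')
                    [pscustomobject]@{
                        ComputerName = $computer
                        Key          = ("HKLM\$lsaPath\$sub").TrimEnd('\')
                        Auth0        = $data
                        # Assumption: Fortinet's hook data contains "dcagent".
                        # Anything else (AuthLite, the multiplexer) is left
                        # for the operator to identify by name.
                        Owner        = if ($data -match 'dcagent') {
                                           'Fortinet DC Agent'
                                       } else {
                                           'Not dcagent (identify manually)'
                                       }
                    }
                }
            }
        }
        catch {
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
        finally {
            if ($hklm) { $hklm.Close() }
        }
    }
}

# Placeholder DC names; replace with your own.
Get-LsaAuth0Hook -ComputerName 'DC01', 'DC02' | Format-Table -AutoSize
```

Every DC should report the same Auth0 data; a DC that differs from the others is one where the other product was installed or repaired more recently.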