Part 1: When installing the Fortigate Single Sign-On Agent you need to configure the service account as a local admin on the server where it's being installed. Fortinet support states that the account has to be a domain admin, but I have confirmed that it only needs local admin rights, and not domain admin rights.
Part 2: When installing the Duo Authentication agent on a server to use multi-factor authentication with a Fortigate, it uses port 1812 to communicate with the Fortigate for Radius authentication. If you have already installed the Fortigate SSO Agent on that same server it will already be using port 1812 to communicate with DCs on the network. This will cause the Duo agent to fail to start each time you attempt to start the service.There are a couple of possible fixes to this:
- Change the port on the Fortigate SSO agent to another port (1813). This will also require that you specify that port on the Fortigate DC Agents installed on your domain controllers.
- Change the port used by the Duo agent to another port. This can be done in the configuration file found in the Duo installation directory. This will also require that you change the default Radius port on the Fortigate via CLI to match what you specified in the Duo configuration. This may cause issues if your Fortigate uses multiple Radius clients/agents.