smkml
Staff
July 22, 2025

Troubleshooting Tip: Failed to pull FSSO Connector user group

Description

 

This article describes how to troubleshoot a failure to pull all user groups from the Fortinet Single Sign-On (FSSO) Connector.

 

failed error.png

 

Scope

 

FortiManager, FSSO.

 

Solution

 

Run the following debug commands to identify the issue:

 

FMG # diagnose debug service sys 255
FMG # diagnose debug enable

Example output:

 

connected_state[test_fsso]: entering CONNECTED state
_send_pending_requests[test_fsso]: send_grpinfo=0, need_grpinfo=1, need_logoninfo=1
server name = test_fsso, group name = AMI/CLONEABLE DOMAIN CONTROLLERS
server name = test_fsso, group name = AMI/DNSUPDATEPROXY
server name = test_fsso, group name = AMI/DOMAIN ADMINS
server name = test_fsso, group name = AMI/DOMAIN COMPUTERS
server name = test_fsso, group name = AMI/DOMAIN CONTROLLERS
server name = test_fsso, group name = AMI/DOMAIN GUESTS
server name = test_fsso, group name = AMI/DOMAIN USERS
server name = test_fsso, group name = AMI/ENTERPRISE ADMINS
server name = test_fsso, group name = AMI/ENTERPRISE KEY ADMINS
server name = test_fsso, group name = AMI/ENTERPRISE READ-ONLY DOMAIN CONTROLLERS
server name = test_fsso, group name = AMI/GROUP POLICY CREATOR OWNERS
server name = test_fsso, group name = AMI/KEY ADMINS
server name = test_fsso, group name = AMI/LAB TEST
server name = test_fsso, group name = AMI/LAB TEST2
server name = test_fsso, group name = AMI/PROTECTED USERS
server name = test_fsso, group name = AMI/READ-ONLY DOMAIN CONTROLLERS
server name = test_fsso, group name = AMI/SCHEMA ADMINS
server name = test_fsso, group name = AMI/SERVER OPERATORS
server name = test_fsso, group name = AMI/ACCOUNT OPERATORS
server name = test_fsso, group name = AMI/PRE-WINDOWS 2000 COMPATIBLE ACCESS
server name = test_fsso, group name = AMI/INCOMING FOREST TRUST BUILDERS
server name = test_fsso, group name = AMI/WINDOWS AUTHORIZATION ACCESS GROUP
server name = test_fsso, group name = AMI/TERMINAL SERVER LICENSE SERVERS
server name = test_fsso, group name = AMI/ADMINISTRATORS
server name = test_fsso, group name = AMI/USERS
server name = test_fsso, group name = AMI/GUESTS
server name = test_fsso, group name = AMI/PRINT OPERATORS
server name = test_fsso, group name = AMI/BACKUP OPERATORS
server name = test_fsso, group name = AMI/REPLICATOR
server name = test_fsso, group name = AMI/REMOTE DESKTOP USERS
server name = test_fsso, group name = AMI/NETWORK CONFIGURATION OPERATORS
server name = test_fsso, group name = AMI/PERFORMANCE MONITOR USERS
server name = test_fsso, group name = AMI/PERFORMANCE LOG USERS
server name = test_fsso, group name = AMI/DISTRIBUTED COM USERS
server name = test_fsso, group name = AMI/IIS_IUSRS
server name = test_fsso, group name = AMI/CRYPTOGRAPHIC OPERATORS
server name = test_fsso, group name = AMI/EVENT LOG READERS
server name = test_fsso, group name = AMI/CERTIFICATE SERVICE DCOM ACCESS
server name = test_fsso, group name = AMI/RDS REMOTE ACCESS SERVERS
server name = test_fsso, group name = AMI/RDS ENDPOINT SERVERS
server name = test_fsso, group name = AMI/RDS MANAGEMENT SERVERS
server name = test_fsso, group name = AMI/HYPER-V ADMINISTRATORS
server name = test_fsso, group name = AMI/ACCESS CONTROL ASSISTANCE OPERATORS
server name = test_fsso, group name = AMI/REMOTE MANAGEMENT USERS
server name = test_fsso, group name = AMI/STORAGE REPLICA ADMINISTRATORS
server name = test_fsso, group name = AMI/CERT PUBLISHERS
server name = test_fsso, group name = AMI/RAS AND IAS SERVERS
server name = test_fsso, group name = AMI/ALLOWED RODC PASSWORD REPLICATION GROUP
server name = test_fsso, group name = AMI/DENIED RODC PASSWORD REPLICATION GROUP
server name = test_fsso, group name = AMI/DNSADMINS
Fail to add new adgrp (AMI/LAB TEST  ) <----- The group name has a trailing space.
disconnect_server_only[test_fsso]: disconnecting
get adgrp from fsso server failed

 

The debug output shows that the pull failed at the user group named (AMI/LAB TEST), because the name of this group has a trailing space on the Active Directory server.
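The following is an added example, not part of the original article and not Fortinet tooling: a small Python checker that scans a saved capture of the debug output above for `Fail to add new adgrp` lines and reports whether the rejected name carries stray whitespace. The function names and the shortened sample capture are assumptions constructed for illustration.

```python
import re

# Line shapes copied from the FortiManager debug output shown in this article.
GROUP_RE = re.compile(r"^server name = (?P<server>[^,]+), group name = (?P<group>.*)$")
FAIL_RE = re.compile(r"^Fail to add new adgrp \((?P<group>.*)\)")

def classify(name):
    """Describe stray whitespace in a group name, or return None if it is clean."""
    issues = []
    if name != name.lstrip():
        issues.append("leading whitespace")
    if name != name.rstrip():
        issues.append("trailing whitespace")
    if re.search(r"[^\S ]", name):  # tab or other whitespace that is not a plain space
        issues.append("non-space whitespace character")
    return ", ".join(issues) or None

def audit_fsso_debug(text):
    """Return one finding per 'Fail to add new adgrp' line in a captured session."""
    listed, server, findings = set(), None, []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            server = m["server"]  # the failure line carries no server name, so remember it
            listed.add((server, m["group"].strip()))
            continue
        m = FAIL_RE.match(line)
        if m:
            name = m["group"]  # text between the parentheses, whitespace preserved
            findings.append({
                "server": server,
                "name": name,
                "issue": classify(name),  # None: whitespace is not the cause
                "trimmed": name.strip(),  # name to look for on the AD server
                "trimmed_was_listed": (server, name.strip()) in listed,
            })
    return findings

# Constructed sample, shortened from the output above (annotation removed).
SAMPLE = (
    "connected_state[test_fsso]: entering CONNECTED state\n"
    "server name = test_fsso, group name = AMI/LAB TEST\n"
    "server name = test_fsso, group name = AMI/LAB TEST2\n"
    "Fail to add new adgrp (AMI/LAB TEST  )\n"
    "get adgrp from fsso server failed\n"
)
```

Calling `audit_fsso_debug()` on the text of a saved session returns a list of dictionaries; an `issue` of `None` means the failure has a cause other than stray whitespace.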

 

user group name in ad server.png

 

When checking on the FortiGate itself, the pull of the user groups does not fail, but the FortiGate ignores the group and does not accept the name with the trailing space from the Active Directory server.

 

fgt pull fsso user group behavior.gif

 

To rectify the issue, remove the trailing spaces from all affected names on the Active Directory server, then pull the user groups from the Fortinet Single Sign-On (FSSO) Connector again.

 

fmg pull fsso after rectified issue.gif

 

Related article:

Technical Tip: Configuring FSSO from FortiManager