jossmi
New Member
August 31, 2015
Question

Agent based FSSO question(s)

  • August 31, 2015
  • 3 replies
  • 9028 views

I am about to deploy Agent based FSSO for the first time. I was planning to deploy the Collector Agent and DC Agent on each of the two domain controllers in the domain to be monitored and the TS Agent on one RD Session Host (terminal server). However, I am confused by the following statement on page 541 of the FortiOS Handbook for FortiOS 5.2.

 

It is best practice to install FSSO agents using the built-in local administrator account.

 

The problem with this statement is twofold. First, there are no local accounts on a domain controller. So, if it is best practice to install the CA on a domain controller, this statement doesn't make sense. Second, if I install the CA on a member server using a local administrator account, the account will not have domain credentials and will not be able to retrieve information from active directory.

 

How do I resolve this conundrum?

 

More questions to follow, I'm sure.


    xsilver_FTNT
    Staff
    September 1, 2015

    Hello,

     

    The Collector is recommended to be run under an account that is a member of the Domain Admins group, to get enough rights to run, connect to LDAP, make remote registry checks on workstations, etc. Therefore install under a Domain Admins kind of account and you'll be safe with less head scratching.

     

    Kind regards,

    Tomas

    jossmi (Author)
    New Member
    September 1, 2015

    If the use of a domain admin account is recommended, I would like to see the documentation updated to reflect that advice.

    xsilver_FTNT
    Staff
    September 2, 2015

    jossmi wrote:

    If the use of a domain admin account is recommended, I would like to see the documentation updated to reflect that advice.

    Done already.

     

    For example search KB for "fsso admin" and see article FD36039:

    "In order to simplify configuration, Fortinet Single Sign On Agent Service is suggested to run with a domain admin account."

    http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36039

     

    Or see FSSO setup screen where you are entering account username/password for Collector and read above "please input the user account's name and password. This must be and administrator user."

     

    Or see docs.fortinet.com Authentication guide

    http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf

    "Installing FSSO without using an administrator account

    Normally when installing services in Windows, it is best to use the Domain Admin account, as stated earlier. This ensures installation goes smoothly and uninterrupted, and when using the FSSO agent there will be no permissions issues. However, it is possible to install FSSO with a non-admin account in Windows 2003 or 2008 AD."
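The two replies above say the Collector Agent needs an account with enough rights to run the service, bind to LDAP and do remote registry checks on workstations, and the quoted guide notes that a non-admin install is possible. The following PowerShell script is an added example, not code from the thread or from Fortinet: run on the collector host, it reports which account the FSSO collector service runs as, whether that account is in Domain Admins, and whether LDAP and remote registry access actually work, so a non-admin service account can be tested before users stop showing up in the FortiGate. It assumes the service's DisplayName contains "Single Sign On" (matching the display name quoted from FD36039), that the RSAT ActiveDirectory module is installed, and the workstation names WS01/WS02 are hypothetical placeholders.

```powershell
# Added example (not from the thread or from Fortinet): check the account the FSSO
# Collector Agent runs under and the rights the replies say it needs.
# Assumptions: service DisplayName contains "Single Sign On"; RSAT ActiveDirectory
# module present; hostnames below are hypothetical.
param(
    [string[]]$Workstations = @('WS01', 'WS02')
)

Import-Module ActiveDirectory

# 1. Locate the collector service and the account it runs as
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*Single Sign On*' }
if (-not $svc) { throw 'FSSO collector service not found on this host' }
"Service '{0}' runs as {1} (state: {2})" -f $svc.DisplayName, $svc.StartName, $svc.State

# 2. Built-in service identities have no domain user object to inspect
$builtIn = @('LocalSystem', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE')
if ($svc.StartName -in $builtIn) {
    "Service runs as a built-in identity; domain rights come from the computer account."
} else {
    # Strip the DOMAIN\ prefix and look the account up in AD
    $sam = ($svc.StartName -split '\\')[-1]
    $user = Get-ADUser -Identity $sam -Properties MemberOf
    $groups = $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    "Account {0} groups: {1}" -f $sam, ($groups -join ', ')
    "Member of Domain Admins: {0}" -f ($groups -contains 'Domain Admins')
}

# 3. LDAP: can the current security context read the domain?
try {
    $domain = Get-ADDomain
    "LDAP OK: {0} (PDC emulator {1})" -f $domain.DNSRoot, $domain.PDCEmulator
} catch {
    "LDAP FAILED: {0}" -f $_.Exception.Message
}

# 4. Remote registry: the workstation check the collector performs needs this
foreach ($ws in $Workstations) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ws)
        $sub  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        "{0}: remote registry OK (ProductName={1})" -f $ws, $sub.GetValue('ProductName')
        $hklm.Close()
    } catch {
        "{0}: remote registry FAILED: {1}" -f $ws, $_.Exception.Message
    }
}
```

Steps 3 and 4 run in the context of whoever launches the script, not the service account, so to test the service account's real rights start PowerShell as that account (for example with `runas /user:DOMAIN\svc-fsso powershell.exe`, where the account name is a placeholder) and run the script from there. A remote registry failure on a workstation while the same account is reported as a Domain Admins member usually points at the Remote Registry service or a firewall on the workstation rather than at the account.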

    jossmi (Author)
    New Member
    September 2, 2015

    I appreciate the additional references that you provided. However, the reference that I first cited, which appears in both the Authentication Guide and the Handbook, still needs to be changed.

     

    Agent installation

    After reading the appropriate sections of "Introduction to agent-based FSSO" on page 118 to determine which FSSO agents you need, you can proceed to perform the necessary installations.

    Ensure you have administrative rights on the servers where you are installing FSSO agents. It is best practice to install FSSO agents using the built-in local administrator account. Optionally, you can install FSSO without an admin account. See "Installing FSSO without using an administrator account" on page 129.