Millibhu
New Member
April 27, 2016
Question

Fortigate 5.2.7 FSSO polling mode authentication problem

  • April 27, 2016
  • 4 replies
  • 19849 views

Hi,

 

I want to implement Internet access authentication with FSSO polling mode. I have followed the cookbook:

http://cookbook.fortinet.com/fsso-polling-mode/

 

But still no success. Even though my PC is joined to the domain, it still prompts for username/password.

 

Could anyone suggest what I can check as the next step?

 

Thank you

 

Mhee

    4 replies

    Fishbone_FTNT
    Staff
    April 27, 2016

    Hi Mhee,

    for the sake of your own sanity, please don't use Fortigate's polling mode, unless it's really necessary. There are numerous limitations compared to standalone FSSO CA design. Just from the top of my head:

    - NTLM is not supported
    - only a few events are monitored
    - workstation check is not implemented
    - has performance limitations

     

    There are many success stories with standalone FSSO CA, while so few with Fortigate FSSO polling, if you know what I mean. Should I position Fortigate's polling mode in usage, I would mention extra-small designs and demonstration purposes.

     

    If you still need to troubleshoot fsso polling mode (or you are just brave and adventurous), please be sure that you have security events audit enabled on all DC servers, and that the configured LDAP is really reachable.

     

    If still no success, you can get an idea of what's wrong from your own troubleshooting, for example with debug commands:

     

    # various debug outputs related to fssod daemon

    diagnose debug fsso-polling ?

     

    # enable continuous debug

    diagnose debug console timestamp enable

    diagnose debug application fssod -1

    diagnose debug enable

    # disable continuous debug

    diagnose debug reset

    diagnose debug disable

     

     

    Cheers,

     Fishbone )(

     

    Millibhu (Author)
    New Member
    May 2, 2016

    Hi Fishbone,

     

    Thank you for your information. I am implementing this in a test environment. This solution will be deployed for a small-size office, so I am starting with polling mode.

     

    I tried the debug from your command, with the output below:

     

    -------------------------------------------------------------

    Fortigate-100D # diagnose debug fsso-polling detail
    AD Server Status:
    ID=1, name(x.x.x.x),ip=x.x.x.x,source(security),users(0)
    port=auto username=Admin
    read log offset=764539828, latest logon timestamp: Mon May  2 13:27:14 2016
    polling frequency: every 10 second(s) success(50432), fail(0)
    LDAP query: success(2), fail(0)
    LDAP max group query period(seconds): 1
    most recent connection status: connected
    Group Filter:

     

    The LDAP connection to the server seems to be normal. Could you please suggest the next step to analyze this?

     

    Thanks

    Millibhu

    jmichael
    New Member
    February 27, 2017

    Make sure you have Audit account logon events turned on on your domain controllers.

     

    I've been told that this kind of polling is only good for less than 20 users and only one or two domain controllers.  More than that and the system will miss events or struggle with performance.

     

    Hope this helps,

     

    J
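As an added example (not code from this thread, from Fortinet, or from any of the posters), here is a small Python parser for the "diagnose debug fsso-polling detail" output Millibhu pasted above, with the checks Fishbone and jmichael describe turned into rules: a DC that is connected and polling without failures yet reports users(0) points at security-event auditing (Audit account logon events) not being enabled on that DC, while a non-connected status or non-zero fail counters point at reachability or LDAP problems. The sample output is constructed from the masked paste in the thread; that each item sits on its own line is an assumption, as the original was pasted as one run-on line.

```python
import re

# Constructed sample, modelled on the "diagnose debug fsso-polling detail"
# output pasted in the thread (the DC address is masked as x.x.x.x there, so it
# stays masked here). The one-item-per-line layout is an assumption; the field
# names and values are the ones that appear in the thread.
SAMPLE_STATUS = """AD Server Status:
ID=1, name(x.x.x.x),ip=x.x.x.x,source(security),users(0)
port=auto username=Admin
read log offset=764539828, latest logon timestamp: Mon May  2 13:27:14 2016
polling frequency: every 10 second(s) success(50432), fail(0)
LDAP query: success(2), fail(0)
LDAP max group query period(seconds): 1
most recent connection status: connected
Group Filter:
"""

# One regex per field of interest; group 1 is the value.
FIELD_PATTERNS = {
    "id": r"\bID=(\d+)",
    "ip": r"\bip=([^,\s]+)",
    "username": r"\busername=(\S+)",
    "users": r"\busers\((\d+)\)",
    "poll_success": r"polling frequency:[^\n]*?success\((\d+)\)",
    "poll_fail": r"polling frequency:[^\n]*?fail\((\d+)\)",
    "ldap_success": r"LDAP query:\s*success\((\d+)\)",
    "ldap_fail": r"LDAP query:\s*success\(\d+\),\s*fail\((\d+)\)",
    "status": r"most recent connection status:\s*(\w+)",
}
INT_FIELDS = {"id", "users", "poll_success", "poll_fail", "ldap_success", "ldap_fail"}


def parse_fsso_status(text):
    """Return one dict per polled DC holding the counters worth checking."""
    servers = []
    # Each DC's block starts at its "ID=<n>," token; the "AD Server Status:"
    # header before the first block carries no fields and is skipped.
    for block in re.split(r"(?=\bID=\d+,)", text):
        if not re.search(r"\bID=\d+,", block):
            continue
        server = {}
        for field, pattern in FIELD_PATTERNS.items():
            m = re.search(pattern, block)
            if m is None:
                continue
            server[field] = int(m.group(1)) if field in INT_FIELDS else m.group(1)
        servers.append(server)
    return servers


def assess_server(server):
    """Turn the counters into the checks raised in the thread. Returns a list
    of findings; an empty list means nothing in this output looks wrong."""
    findings = []
    if server.get("status") != "connected":
        findings.append("DC not connected: check that the DC is reachable and "
                        "that the configured account and LDAP settings are correct")
    if server.get("poll_fail", 0) > 0:
        findings.append("event-log polls against this DC are failing: check DC "
                        "reachability and the polling account")
    if server.get("ldap_fail", 0) > 0:
        findings.append("LDAP group queries are failing: check that the configured "
                        "LDAP server is really reachable")
    if (server.get("status") == "connected"
            and server.get("poll_fail", 0) == 0
            and server.get("users", 0) == 0):
        findings.append("polling succeeds but no logon users were learned: security-event "
                        "auditing (Audit account logon events) is probably not enabled on "
                        "this DC, or no logons have occurred since polling started")
    return findings


def assess_all(text):
    """Parse the whole debug output and return {dc_id: [findings]}."""
    return {s["id"]: assess_server(s) for s in parse_fsso_status(text)}


if __name__ == "__main__":
    for dc_id, findings in assess_all(SAMPLE_STATUS).items():
        print(f"DC {dc_id}: " + ("; ".join(findings) or "no findings"))
```

Run against the pasted output, the only finding is the users(0) one, which is exactly the situation in the thread: thousands of successful polls and a healthy LDAP bind, but nothing learned, so the DC is not writing the logon events the poller reads. With several DCs in the output (fcb's four, for instance) each block is assessed on its own, so a single DC with auditing off shows up as the one with users(0) while the others populate.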

     

    louis
    New Member
    February 28, 2017

    Hello,

     

    Which version of Windows domain controller are you using?

     

    Regards,

    Louis

    sgomes26
    New Member
    May 16, 2017

    Hello.

    I have this issue after installing antivirus on the DCs.

     

    dr_freeman
    New Member
    February 21, 2018

    Hi, can someone tell me what diagnose debug fsso-polling refresh-user actually does?

    Does it only display some status information and statistics on polls, or does it refresh user group information from any server that is connected to the firewall with some collector agent?

    fcb
    Visitor III
    November 19, 2018

    Does everyone still agree (here in late 2018 and on 6.0.2) that fsso-polling is not the way to go in a larger environment? I have about 750 users across four domain controllers. Everything seems to be working "fair" but seems like it's not showing all of the users yet. I've only had it working for about 6 hours and only around half of the users are showing in a "diag debug fsso-polling" query.

     

    If I go back to the collector agent, will the groups that I already have populated and pointing to the FSSO still work w/o modification? Lastly, how does the unit handle both FSSO with CA and FSSO with polling? Does it just use both? Seems like both would be hard to troubleshoot

     

    Thanks!

     

    dt