MarkosP
New Member
March 27, 2026
Question

FSSO CA agents on 2 DCs catching different logons (WMI polling)

  • March 27, 2026
  • 4 replies
  • 254 views

Hello.

I've deployed FSSO CA agents on 2 domain controllers (same domain) to enable HA from FGT.

I have not deployed the DC agents.


Configuration of both CAs is identical, both monitoring the same 2 DCs using WMI polling.


The problem is that 'show logon users' on both CAs shows different information: some logons are shown in both CAs, some only in one or the other. Refreshing/clearing the logon cache doesn't help.


Any ideas what could be wrong?


AEK
SuperUser
March 29, 2026

Hi Markos,

  • Are you monitoring the same groups on both?
  • Are you using the same domain user for both agents?
  • Is there any firewall configuration on the DC that allows one agent IP to access some services and block the other agent IP?
  • Can you try keeping only the same single DC on both agents and check whether they see the same logged-on users?
  • Also use the agent synchronization feature to make sure both have exactly the same config.
AEK
MarkosP (Author)
New Member
March 30, 2026

There's no group filter. Same domain user. FW configuration is identical too; the required ports between the DCs are open (as listed here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-List-of-TCP-and-UDP-ports-used-by-the-FSSO/ta-p/194130). I've changed the config to monitor only DC1 from both agents ('DC1', 'DC2'); no logons are shown on DC2 for DC1.


I've turned on debug logging and this is in the log (on DC2):
03/30/2026 08:59:07 [ 5416] [I][LSPoller]DoPolling(ip=0A0815AC, host=<domain>/DC1.<domain_dns>)-->
03/30/2026 08:59:07 [ 5416] [D][CWMIEPPoller]Start to poll Active Directory sessions.
03/30/2026 08:59:07 [ 5416] [F][CWMIEPPoller]Failed to initialize WMI interface
03/30/2026 08:59:07 [ 5416] [D][WMIPoller]query takes 0 milliseconds
03/30/2026 08:59:07 [ 5416] [D][WMIPoller]Total 0 log event has processed
03/30/2026 08:59:07 [ 5416] [D][EPPoller]Finish to poll Active Directory sessions


I've then reversed the monitored DC (i.e. DC2 is monitored) and the same error ("Failed to initialize WMI interface") appeared on DC1.

Any ideas what's causing this? Basic WMI/CIM connectivity between the DCs is working fine. I should mention that the service account used is not a Domain Admins member. I've assigned it the filesystem and registry permissions as documented here https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-a-Fortinet-Single-Sign-On-Agent/ta-p/198065 and also made it a member of the Event Log Reader group on the DCs. Since these are DCs, are any other permissions required?

AEK
SuperUser
March 30, 2026

Please try with domain admin just to see if it helps.

AEK
MarkosP (Author)
New Member
March 31, 2026

Yeah, it works under a DA account. Any idea what additional permissions a non-DA account needs, then?
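A way to narrow down where the non-DA account falls short, added here as an example and not part of the thread or of Fortinet's own tooling: it runs the same kind of remote WMI access the collector agent needs, from each DC, under the service account. The script assumes the DC names from the thread (DC1, DC2), prompts for the service account credential, and assumes (not confirmed by the page) that the agent's WMI polling goes over DCOM and reads logon events (4624) from the Security log through Win32_NTLogEvent. A generic Win32_OperatingSystem query that succeeds while the Security-log query fails points at event-log or WMI namespace rights rather than network connectivity.

```powershell
# Added diagnostic example; hypothetical script, not FSSO code.
# Run on each DC as the account you want to test, or pass the service
# account credential so the session is built with it.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2'),     # names taken from the thread
    [pscredential]$Credential = (Get-Credential -Message 'FSSO service account (non-DA)')
)

function Test-FssoWmiAccess {
    param([string]$Computer, [pscredential]$Credential)

    $result = [ordered]@{
        Computer        = $Computer
        DcomConnect     = $false   # generic WMI reachable under this account
        SecurityLogRead = $false   # can the account read Security log events via WMI
        Error           = $null
    }
    $session = $null
    try {
        # Assumption: the collector's WMI poller rides on DCOM (RPC 135 plus
        # dynamic ports), so test that path rather than WinRM.
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Computer -Credential $Credential `
                                  -SessionOption $opt -ErrorAction Stop

        # Step 1: plain namespace access, comparable to "basic WMI connectivity works".
        $null = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.DcomConnect = $true

        # Step 2: read one logon event (4624) from the Security log. This is the
        # part that normally needs Event Log Readers (or an equivalent grant) on
        # a DC in addition to WMI namespace rights; a failure here with step 1
        # succeeding isolates the problem to log/WMI permissions.
        $q   = "SELECT EventCode, TimeGenerated FROM Win32_NTLogEvent " +
               "WHERE Logfile='Security' AND EventCode=4624"
        $evt = Get-CimInstance -CimSession $session -Query $q -ErrorAction Stop | Select-Object -First 1
        $result.SecurityLogRead = ($null -ne $evt)
    }
    catch {
        # Access-denied (0x80070005) vs RPC-unavailable (0x800706BA) in this
        # message is the quickest way to tell a permission problem from a port problem.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($session) { Remove-CimSession $session }
    }
    [pscustomobject]$result
}

$DomainControllers |
    ForEach-Object { Test-FssoWmiAccess -Computer $_ -Credential $Credential } |
    Format-Table -AutoSize
```

Run it once with the service account and once with a DA account; the row that differs between the two runs is the right you still need to grant to the service account, which keeps it out of Domain Admins.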

CovenantTech
New Member
March 31, 2026

In my setup I have FSSO on 2 domain controllers as well.

Make sure that in the FSSO Agent Configuration on each server you enable Sync Config with other agents, set it to auto-detect collector agents, and enter the IP of the other server; do this on both servers.

The working mode must also be the same on both servers, so DC Agent mode on both.

When you click Show Monitored DCs in the FSSO configuration, you should see both DCs listed.

Don't forget to open any ports in your firewall needed for FSSO communication.

When setting up Set Directory Access Information, you might consider using Advanced because it supports nested groups.

MarkosP (Author)
New Member
March 31, 2026

If you read my original post, you'll notice I don't use DC agents, hence the polling mode. Configuration is identical and I've synced the configs too. DCs are listed just fine, and the required ports are open. It's apparently a permissions issue; I just don't know which permissions are missing yet.

AEK
SuperUser
April 1, 2026