bca
New Member
January 18, 2018
Question

FSSO keeps disconnected

  • January 18, 2018
  • 2 replies
  • 28231 views

Hi everybody, I'm currently trying to set up single sign-on, and things are more painful than I initially thought. I'm currently running FortiOS version 5.6.3 on a FortiGate 201E appliance. My goal is to retrieve user logons from the LDAP server so that I can use the FSSO feature in my rulebase, allowing users to authenticate their Windows session and then be authorized through the firewall according to the policy base.

For this I want to use the polling method, avoiding installing additional software on the customer's AD server. So first, I have configured my LDAP server ("User and Device -> LDAP Server -> Create New"), which is OK (the "Test Connectivity" button says "Successful").


Then I try to configure the User and Device -> Single Sign-On part, but this is where it fails. I put a name on my SSO configuration, then I reuse the same credentials as those used for the LDAP server (I guess this is what needs to be done), and I enable polling. I can see the users tree appearing, but when I go back to the menu User and Device -> Single Sign-On, I see the status "Disconnected".

If I make a packet capture, I see the firewall establishing a TCP connection with the LDAP server, which succeeds, but then the FortiGate sends an SMB Negotiate Protocol Request that is immediately TCP-reset by the LDAP server. My customer asked me which SMB version the FortiGate uses, but I didn't find this information. I have been breaking my brain on this for several days, so your help would be highly appreciated :) I'm sorry that I couldn't insert more pictures, but it seems that only one attachment is authorized per post.

Thanks in advance,
Benjamin

2 replies

bca
Author
New Member
January 19, 2018

Hello dear all


It seems that we found out the solution.

We reproduced the configuration in our lab, disabled SMBv1 on the Active Directory server, and obtained the same symptoms.

So it appears that the FortiGate uses SMBv1 for Active Directory polling.

I didn't find the way to force v2 on the 201E, if anyone has this information...


Thanks in advance


Regards


Benjamin
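The question the customer raised above (which SMB version the FortiGate offers) can be answered from the packet capture itself, by looking at the dialect list inside the NEGOTIATE request that precedes the reset. The following script is an added example, not code from this thread or from Fortinet: it parses an SMB negotiate request taken from the TCP payload of a port-445 connection and reports whether the client is SMB1-framed (and which dialects it offers) or SMB2-framed. It assumes direct-TCP framing (a 4-byte NetBIOS session header before the SMB message) and uses the dialect codes and header layouts from MS-CIFS/MS-SMB2. The two sample requests are constructed inside the script, not captured from a device.

```python
"""Classify an SMB NEGOTIATE request (e.g. FortiGate -> DC) by protocol family and dialects.

Added example for this thread; assumes SMB over direct TCP/445 with a 4-byte
NetBIOS session header. Header offsets follow MS-CIFS (SMB1) and MS-SMB2.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72   # SMB_COM_NEGOTIATE
SMB2_NEGOTIATE = 0x0000     # SMB2 NEGOTIATE command code

# SMB2 dialect revision codes (MS-SMB2 section 2.2.3)
SMB2_DIALECT_NAMES = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
}


def strip_netbios(payload: bytes) -> bytes:
    """Drop the NetBIOS session header: 1 type byte + 24-bit big-endian length."""
    if len(payload) < 4:
        raise ValueError("payload too short for a NetBIOS session header")
    length = int.from_bytes(payload[1:4], "big")
    msg = payload[4:4 + length]
    if len(msg) != length:
        raise ValueError("truncated SMB message")
    return msg


def parse_smb1_negotiate(msg: bytes) -> list:
    """Return the dialect strings from an SMB1 NEGOTIATE request (32-byte header)."""
    if msg[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE request")
    word_count = msg[32]                       # WordCount (0 for NEGOTIATE)
    params_end = 33 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", msg, params_end)
    data = msg[params_end + 2: params_end + 2 + byte_count]
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:                  # each dialect: 0x02 + NUL-terminated ASCII
            raise ValueError("bad dialect buffer format")
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def parse_smb2_negotiate(msg: bytes) -> list:
    """Return dialect names from an SMB2 NEGOTIATE request (64-byte header + 36-byte body)."""
    if len(msg) < 64 + 36:
        raise ValueError("SMB2 message too short for a NEGOTIATE body")
    (command,) = struct.unpack_from("<H", msg, 12)   # Command field of the SMB2 header
    if command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE request")
    body = msg[64:]
    struct_size, dialect_count = struct.unpack_from("<HH", body, 0)
    if struct_size != 36:
        raise ValueError("unexpected SMB2 NEGOTIATE StructureSize")
    codes = struct.unpack_from("<%dH" % dialect_count, body, 36)  # Dialects[] at offset 36
    return [SMB2_DIALECT_NAMES.get(c, "0x%04x" % c) for c in codes]


def classify_negotiate(tcp_payload: bytes) -> dict:
    """Report protocol family, offered dialects, and whether the request needs SMB1 enabled.

    An SMB1-framed negotiate that lists "SMB 2.002" / "SMB 2.???" is a multi-protocol
    negotiate that an SMB2-only server can still answer; one listing only SMB1 dialects
    (e.g. "NT LM 0.12") has nothing a server with SMBv1 disabled can accept.
    """
    msg = strip_netbios(tcp_payload)
    if msg.startswith(SMB2_MAGIC):
        return {"family": "SMB2", "dialects": parse_smb2_negotiate(msg), "needs_smb1": False}
    if msg.startswith(SMB1_MAGIC):
        dialects = parse_smb1_negotiate(msg)
        needs_smb1 = not any(d.startswith("SMB 2.") for d in dialects)
        return {"family": "SMB1", "dialects": dialects, "needs_smb1": needs_smb1}
    raise ValueError("payload is not an SMB message")


# --- constructed sample requests (not captured traffic) ---------------------------------

def build_smb1_negotiate(dialects: list) -> bytes:
    """Construct an SMB1 NEGOTIATE request with the given dialect strings."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + bytes(27)       # 32-byte header
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = bytes([0]) + struct.pack("<H", len(data)) + data             # WordCount, ByteCount
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb2_negotiate(codes: list) -> bytes:
    """Construct an SMB2 NEGOTIATE request offering the given dialect codes."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE,
                                      0, 0, 0, 0, 0, 0, 0) + bytes(16)  # 64 bytes incl. signature
    body = (struct.pack("<HHHHI", 36, len(codes), 0x01, 0, 0)           # ..., SecurityMode=signing enabled
            + bytes(16) + bytes(8)                                      # ClientGuid, ClientStartTime
            + struct.pack("<%dH" % len(codes), *codes))
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


if __name__ == "__main__":
    for sample in (build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"]),
                   build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
                   build_smb2_negotiate([0x0202, 0x0210])):
        print(classify_negotiate(sample))
```

To use it on a real trace, export the TCP payload of the first SMB packet the FortiGate sends after the handshake (for example with tshark's `-T fields -e tcp.payload`), convert the hex to bytes, and pass it to `classify_negotiate`. A result with `needs_smb1` true on a DC where SMBv1 is disabled matches the reset described in this thread; a `family` of `SMB2` means the polling client no longer depends on SMBv1.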

FortiBoris_FTNT
Staff
March 7, 2018

Hi Benjamin,

I've been under the impression that this is now fixed with 5.6.3 GA. I've troubleshot it with these commands:

diagnose debug application fssod -1

diagnose debug fsso-polling detail 1

diagnose debug fsso-polling client

diagnose debug authd fsso list


On my SMBv2-enabled (SMBv1 disabled) Windows AD server it works fine now; status=connected. Also, if possible, make a packet trace on the interface where the AD server is; I've spotted some authentication errors on my side.


Cheers,

B.

bca
Author
New Member
March 8, 2018

Hi Boris,


Thank you for your feedback.

What is version 5.6.3 GA? I only know about 5.6.3.

Anyway, we finally installed a collector agent and the topology works fine now; the CA is much more flexible than simple polling.


Regards


Benjamin

arismonty_beato
New Member
April 24, 2018

Hello All,


I was having issues with FSSO disconnected after upgrading to FortiOS 5.6.2 and then 5.6.3.


While reviewing the CLI options I realized that "*port" is required but wasn't set, so when I entered the command "set port 8000" (the port number that you have configured in the collector agent), it connected immediately.


config user fsso
    edit YOURFSSO
        set port 8000
        set server a.b.c.d
        set password yourpassword
    next
end



Hope this helps,


Arismonty

Dominican Republic


Chris_Colantonio
New Member
November 26, 2019

For giggles, try a domain admin as the user in the SSO Server setup. You can leave your LDAP server user alone. It's not optimal for security reasons or password expiration reasons... but that's how I got it to work. You may need to refresh the SSO server listing screen even after applying. I couldn't find where to apply the right NTFS permissions on the DC to lock it down. 5.6.11