Agent_1994
New Member
January 4, 2017
Question

FSSO: users "no longer logged on" when they still are


Hello Forum!

 

 I've been scratching my head with this problem. First, the environment:

  • 3 local domain controllers. All of them with the DC Agent.
  • One collector on a VMware Cluster.
  • FG600 Cluster with some VDOMs.
  • There are users that start processes on workstations and servers (i.e.: backup), those are added to the "ignore list" on the collector.

     Let's say that I log into a workstation (XXX.YYY.5.20) and I can browse the Internet just fine. I can even see myself with this:

     

    FG600C (VDOM_TMG) # diagnose debug authd fsso list
    ----FSSO logons----
    IP: XXX.YYY.5.2 User: MKOLUS Groups: [..removed..] Workstation: SURUBI002.ZZZZZZZZZ.COM.AR MemberOf: Domain Users Usuarios INET Comun
    Total number of logons listed: 1, filtered: 537
    ----end of FSSO logons----

     

    Out of nothing, the Firewall Authentication Screen appears. It can happen in minutes (i.e.: it was less than five once).

     

     I increased the collector log up to Debug and found this:

     

    01/03/2017 14:34:10 [ 9116] update entry(workstation check): ip:XXX.YYY.5.2:0.0.0.0 create time:1483463797 update time:1483463797 workstation:SURUBI002.ZZZZZZZZZ.com.ar domain:ZZZZZZZZZ user:mkolus group:[..removed..]
    01/03/2017 14:34:10 [ 9116] wksta_check: user:ZZZZZZZZZ\mkolus is no longer logged on to SURUBI002.ZZZZZZZZZ.com.ar (XXX.YYY.5.2)
    01/03/2017 14:34:19 [ 8972] SURUBI002.ZZZZZZZZZ.com.ar:mkolus[XXX.YYY.5.2:0.0.0.0] removed. current time:1483464859 last update time:1483464850 age:9 timeout:28800

     

     And I *was* logged in. This is happening with many users, and I can't find a correlation (OS version, connection type, etc.). In this case I was RDPing to a Windows Server via VPN, but this also happens on the wireless and ethernet connections to the corporate network.

     

     Any leads will be appreciated :)

     

     Greets,

     


      xsilver_FTNT
      Staff
      January 5, 2017

      Hi mkolus,

      Check the surrounding logons made by your user in the Collector Agent debug log. It might appear that the Collector saw you logged on from a different place, probably RDP to somewhere from the original WKS, and that logon might have contained the wrong workstation, effectively making you logged off.

      Another possibility: as the result is based on the workstation check, then it failed. There are two WKS check methods, WMI and Remote Registry Service. WMI is running by default; Remote Registry Service is NOT running by default on MSFT OS. If the Collector shows users as "not-verified" then their WKS check failed. Check which method you are using. If Remote Registry, then the service has to be set to start automatically on the WKS, and the Collector process has to be run under a Domain Admins group member account, to be able to open and read the remote registry on the WKS.

      Of course the issue with the logon pop-up might be caused by new data sent from the WKS matching an FGT policy which is not FSSO but NTLM or something else.

      Best regards,

      Tomas
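
The reply above suggests checking the surrounding logons for the affected user in the Collector Agent debug log. As an added example (not part of the thread and not Fortinet code), the Python below parses only the three log line formats quoted in the question and, for each failed workstation check, reports whether the entry was removed long before its timeout and where else the same user was seen shortly before. The sample lines, host names, IPs, the 15-minute window and the function name are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the three line formats quoted in the question
# (hosts, IPs and times are made up; the group field is shortened).
SAMPLE = r"""
01/03/2017 14:27:02 [ 9116] update entry(workstation check): ip:192.0.2.10:0.0.0.0 create time:1483464400 update time:1483464422 workstation:DC01.example.test domain:EXAMPLE user:alice group:G1
01/03/2017 14:34:10 [ 9116] update entry(workstation check): ip:192.0.2.52:0.0.0.0 create time:1483463797 update time:1483463797 workstation:WKS002.example.test domain:EXAMPLE user:alice group:G1
01/03/2017 14:34:10 [ 9116] wksta_check: user:EXAMPLE\alice is no longer logged on to WKS002.example.test (192.0.2.52)
01/03/2017 14:34:19 [ 8972] WKS002.example.test:alice[192.0.2.52:0.0.0.0] removed. current time:1483464859 last update time:1483464850 age:9 timeout:28800
"""

# Assumption: timestamps are month-first (MM/DD/YYYY), local time.
STAMP = r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \[\s*\d+\] "
UPDATE = re.compile(STAMP + r"update entry\(.*?\): ip:(?P<ip>[^:\s]+):\S* .*?workstation:(?P<wks>\S+) .*?user:(?P<user>\S+)")
GONE = re.compile(STAMP + r"wksta_check: user:(?:[^\\\s]+\\)?(?P<user>\S+) is no longer logged on to (?P<wks>\S+) \((?P<ip>[^)]+)\)")
REMOVED = re.compile(STAMP + r"\S+:(?P<user>[^\[\s]+)\[(?P<ip>[^:\]]+):\S*\] removed\..* age:(?P<age>\d+) timeout:(?P<timeout>\d+)")

def explain_logoffs(log, window=timedelta(minutes=15)):
    """For each failed workstation check, report the removal that followed
    and the other IPs/workstations where the same user was seen just before."""
    t = lambda m: datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
    seen, gone, removed = [], [], []
    for line in log.splitlines():
        for rx, bucket in ((UPDATE, seen), (GONE, gone), (REMOVED, removed)):
            m = rx.match(line)
            if m:
                bucket.append((t(m), m.groupdict()))
                break
    findings = []
    for when, g in gone:
        user, ip = g["user"].lower(), g["ip"]
        rem = next((r for rt, r in removed
                    if rt >= when and r["user"].lower() == user and r["ip"] == ip), None)
        elsewhere = sorted({(s["ip"], s["wks"]) for st, s in seen
                            if s["user"].lower() == user and s["ip"] != ip
                            and when - window <= st <= when})
        findings.append({
            "user": user, "ip": ip, "workstation": g["wks"],
            # age far below timeout: dropped by the check, not by ageing out
            "removed_before_timeout": bool(rem) and int(rem["age"]) < int(rem["timeout"]),
            "seen_elsewhere": elsewhere,
        })
    return findings

if __name__ == "__main__":
    for finding in explain_logoffs(SAMPLE):
        print(finding)
```
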

      Agent_1994
      New Member
      January 5, 2017

      Thanks in advance, I'll check that out and then follow up in this post.

       

      But now I have an additional question: Can users be logged on several IPs at once? (i.e.: if I'm using two different computers).

      The collector saw me today logging on the domain controller (don't know why, I wasn't there) and 7 minutes later there was a workstation check that didn't see me logged on the computer I *was* logged on.

      boneyard
      Valued Contributor
      January 6, 2017

      In my experience yes, you can be at two or more IPs at the same time.