Tutek
New Member
March 10, 2023
Question

Help me configure FSSO with two DC

  • March 10, 2023
  • 5 replies
  • 4750 views

Hi,

I have a problem configuring FSSO with two domain controllers, DC1 and DC2. DNS priority for all clients is set to DC1 then DC2, so all users authenticate on DC1. I have installed collector agents with DC agents on DC1 and DC2, but the agent on DC1 is configured to send its data to DC2. On both collector agents both DCs are checked to be monitored for user login events.

FortiGate is connected to DC2 as "Primary FSSO agent" and it lists AD groups correctly. The problem is that almost all logins on DC2 are listed as "Not verified". I don't know how to fix this.

5 replies

Sheikh
Staff
March 10, 2023

Hi Tutek,

Please try the steps mentioned in the below KB article.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-User-status-Not-Verified-on-the-FSSO/ta-p/195014

regards,

Sheikh

Tutek (Author)
New Member
March 12, 2023

But what is the problem: on DC1 almost all domain users in the collector agent have status OK, while at the same time on the second collector agent on DC2 the same users have status "Not verified". Both DCs are in the same subnet and managed by the same IPv4 FortiGate firewall policy.

Tutek (Author)
New Member
March 10, 2023

Hi,

If the collector agent (with the configured user to retrieve logs) is installed on DC2, and on DC1 only the DC agent is installed (during that installation there is no account configuration for retrieving logs), then what user is used on DC2 to collect login events?

New Contributor III
March 11, 2023

Hello, 


The Fortinet Single Sign On Agent Service is suggested to run with the privileges of a domain admin account. This assures that whatever mode or feature is selected, it will have enough permissions to complete its task. If you do not want to use a domain admin account, follow the link below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Fortinet-Single-Sign-On-Agent-Service/ta-p/198065

Tutek (Author)
New Member
March 13, 2023

Could anyone help me with that? It looks like the collector agent on DC1 authorizes users, but these authorized users never show up on DC2, where the collector agent is connected to the FortiGate, and because of that users don't have internet access.

Tutek (Author)
New Member
March 13, 2023

FSSO on DC2 shows currently logged users: 127

[screenshot attached: Tutek_0-1678726616724.png]

At the same time on DC1:

[screenshot attached: Tutek_1-1678726660735.png]

As I said, both collectors share data with each other, so everything should be the same.

Markus_M
Staff & Editor
March 15, 2023

Hi Tutek,

The FortiGate is connected to only one collector. The one collector that is active will do workstation checks and remove users if they are not logged in anymore.

The collector that is not active will not do the workstation checks until it becomes active. If it was active before, it will have done them until it became inactive.

"Not verified" is not directly related, as it means that the workstation check WAS done BUT failed: the workstation check was unable to verify the user status. The user is then put to "Not verified". That in turn starts the "dead entry timer" (default = 480 minutes).

Hope this clarifies this a bit.

Best regards,

Markus
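As an added illustration of the behaviour Markus describes (this is not code from the thread or from Fortinet's agent), a small Python model of an active versus standby collector: only the collector the FortiGate is connected to runs workstation checks, a failed check sets "Not verified" and starts the 480-minute dead entry timer, and a standby collector keeps whatever status it was handed. The `probe` callback, the user entries and the timestamps are constructed assumptions, not real agent APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

DEAD_ENTRY_MINUTES = 480  # default dead entry timer quoted in the thread


@dataclass
class LogonEntry:
    user: str
    workstation: str
    status: str = "OK"                          # "OK" or "Not verified"
    not_verified_since: Optional[datetime] = None


# probe(workstation) is an assumed stand-in for the real workstation check:
# True = user confirmed logged on, False = confirmed logged off,
# None = check could not verify the user (the "Not verified" case).
Probe = Callable[[str], Optional[bool]]


def run_check_cycle(entries: List[LogonEntry], now: datetime,
                    probe: Probe, active: bool) -> List[LogonEntry]:
    """One pass of a collector. Only the collector the FortiGate talks to
    (active=True) runs workstation checks; a standby collector leaves
    every entry exactly as it received it from the other collector."""
    if not active:
        return entries
    kept = []
    for e in entries:
        result = probe(e.workstation)
        if result is False:
            continue                            # logged off: entry removed
        if result is True:
            e.status, e.not_verified_since = "OK", None
        elif e.status != "Not verified":        # first failed check starts timer
            e.status, e.not_verified_since = "Not verified", now
        kept.append(e)
    return kept


def purge_dead_entries(entries, now, dead_entry_minutes=DEAD_ENTRY_MINUTES):
    """Remove entries whose dead entry timer has run out."""
    limit = timedelta(minutes=dead_entry_minutes)
    return [e for e in entries
            if e.not_verified_since is None or now - e.not_verified_since < limit]


def demo():
    # Constructed scenario: WS2 cannot be verified, WS1 can.
    t0 = datetime(2023, 3, 13, 9, 0)
    users = lambda: [LogonEntry("alice", "WS1"), LogonEntry("bob", "WS2")]
    unverifiable = lambda ws: None if ws == "WS2" else True
    dc1 = run_check_cycle(users(), t0, unverifiable, active=False)  # standby
    dc2 = run_check_cycle(users(), t0, unverifiable, active=True)   # active
    later = purge_dead_entries(dc2, t0 + timedelta(minutes=481))
    return ([e.status for e in dc1], [e.status for e in dc2], [e.user for e in later])
```

Running `demo()` shows the standby collector still reporting both users as OK while the active one reports bob as "Not verified", and bob's entry disappearing once the 480-minute timer expires.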

Tutek (Author)
New Member
March 13, 2023

Please delete.

Markus_M
Staff & Editor
March 15, 2023

And please share what to delete: the post or the whole thread?