clicerioneto
New Member
July 13, 2021

Poll Active Directory issue after installing the Windows Server update KB5004948

  • 5 replies
  • 33080 views

Hi,

 

After applying Windows cumulative update KB5004948 in my environment, Poll Active Directory is showing the following error:

# diagnose debug fsso-polling detail 1
AD Server Status(err: server can not be accessible):

The FortiGate is running FortiOS 6.2.9.

I have opened a ticket with Fortinet support, but I haven't yet received a reply about a solution to fix this issue.

Is anyone else having this same issue, or does anyone have a solution for it?


Donnei_Tsai
New Member
July 19, 2021

We also have the same issue, but it is still not resolved. Will call Fortinet Support for help to check.

bbilut
New Member
July 19, 2021

Same issue here.

When I look at my domain controller security logs, it looks like the login ID is not being reported. It just says NULL SID where the user ID should be. Like I said, the problem started after applying the July patches to my DCs.

eti_andrei
New Member
July 19, 2021

This was fixed in the latest FortiAuthenticator release, so hopefully the same fix will be coming to FortiOS shortly.

clicerioneto
New Member
July 19, 2021

I have updated the Windows 2016 servers with the latest patch, 2021-07 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5004238), but the issue is not solved.

I'm waiting for Fortinet support for the solution.

bbilut
New Member
July 19, 2021

Are both your DCs and your FSSO server(s) patched to the July level?

clicerioneto
New Member
July 19, 2021

I don't use the FSSO agent. I only use the Poll Active Directory configuration (agentless). The communication is just between the DC and the FortiGate. My DCs have the latest patch.

xsilver_FTNT
Staff
August 13, 2021

That's what I and others have found out so far...

Those who opened a ticket with Fortinet TAC should know this already, so this is a bit of data for others.

In short, those Microsoft patches (KB5003646 / KB5003638 / KB5003696) and the later cumulative updates (including those temporary patches) broke FSSO polling from FortiGate and FortiAuthenticator, as they changed the way outside apps can access WinSec data through the MSFT API. A one-sided act.

All patched versions of MSFT servers are affected: 2019 - KB5003646 / 2016 - KB5003638 / 2012 - KB5003696 / KB5003638.

https://support.microsoft.com/en-us/topic/june-8-2021-kb5003646-os-build-17763-1999-81e2ff5a-0769-4e56-8762-059dd6e0d6bb


FortiAuthenticator was handled in bug report #0725129

- fixed since 6.3.2 / 6.4.0

- note that those new versions like 6.3.2 should work OK with patched DCs only. Not working with unpatched DCs!

- because that MSFT patch is expected/claimed to stay permanently, so more and more DCs are expected to be patched

FortiGate local poller was handled in bug report #0725056

- fixed in 6.2.10 / 6.4.7 / 7.0.2

 

Win2016 cumulative update KB5004238 should now (since release date 2021-07-13) include KB5003638 (according to the MSFT Update Catalog change notes):

https://www.catalog.update.microsoft.com/Search.aspx?q=KB5003638

(Removes support for the PerformTicketSignature setting and permanently enables Enforcement mode for CVE-2020-17049. For more information and steps to enable full protection on domain controller servers, see Managing deployment of Kerberos S4U changes for CVE-2020-17049.)
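Two checks a defender would want before reopening a case, as an added PowerShell example that is not part of this thread and not Fortinet's or Microsoft's code: it reports whether each DC carries one of the KBs xsilver_FTNT lists per OS version (with KB5004238 counted as the 2016 cumulative that includes KB5003638), and it counts recent 4624 logon events whose "New Logon" Security ID is the NULL SID (S-1-0-0), the symptom bbilut describes. The DC names are constructed; it assumes a domain-joined admin host with remote WMI and event-log access, and that a superseded KB may no longer appear in Get-HotFix output, so any KB match in a row counts as patched.

```powershell
# Added example, not from the thread. Assumptions: constructed DC list, remote
# WMI and Security log access from an admin host, OS-to-KB map taken from the
# thread (KB5004238 added as the 2016 cumulative that includes KB5003638).
$DomainControllers = @('dc01.example.local', 'dc02.example.local')  # constructed

# OS family (matched against Win32_OperatingSystem.Caption) -> KBs named in the thread
$RequiredKbs = @{
    '2019' = @('KB5003646')
    '2016' = @('KB5003638', 'KB5004238')
    '2012' = @('KB5003696', 'KB5003638')
}

function Get-DcPatchState {
    param([Parameter(Mandatory)][string]$Computer)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer
    $family = $RequiredKbs.Keys | Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1
    # Get-HotFix lists Win32_QuickFixEngineering entries; superseded KBs may be absent,
    # so any match from the row is treated as "patched".
    $installed = Get-HotFix -ComputerName $Computer | Select-Object -ExpandProperty HotFixID
    $hits = @()
    if ($family) { $hits = @($RequiredKbs[$family] | Where-Object { $installed -contains $_ }) }
    [pscustomobject]@{
        Computer   = $Computer
        OS         = $os.Caption
        MatchedKbs = ($hits -join ',')
        Patched    = ($hits.Count -gt 0)
    }
}

function Get-NullSidLogonCount {
    param([Parameter(Mandatory)][string]$Computer, [int]$Hours = 1)
    # Event 4624: Properties[4] is TargetUserSid, shown as "Security ID" under New Logon.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $nullSid = @($events | Where-Object { $_.Properties[4].Value.Value -eq 'S-1-0-0' }).Count
    [pscustomobject]@{
        Computer      = $Computer
        Logons        = $events.Count
        NullSidLogons = $nullSid
    }
}

foreach ($dc in $DomainControllers) {
    Get-DcPatchState      -Computer $dc
    Get-NullSidLogonCount -Computer $dc -Hours 1
}
```

A DC that reports Patched = True is one the thread says needs the fixed poller (FortiOS 6.2.10 / 6.4.7 / 7.0.2, or FortiAuthenticator 6.3.2 / 6.4.0); a mix of True and False across DCs is the split that Debbie_FTNT notes a single FortiGate version cannot poll.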

Tukan
New Member
August 19, 2021

Hi All,

 

I see we are not the only ones stuck with this issue. Since neither 6.2.10 nor 6.4.7 is released yet, would anybody on the forum here know the release date for 6.2.10 (for the 400E)? I need to know what to say to the customer. I don't want to go back to the FSSO agent :(

 

Many Thanks,

 

xsilver_FTNT
Staff
August 20, 2021

Tukan wrote:

I don't want to go back to the FSSO agent :(

 

Why not?

To be honest, for a small company with just a few users (<20) it might be OK to use direct polling from the FGT.

But for anything bigger, more serious, or with a higher logon rate I would definitely go for the standalone Collector Agent.

Because it seems to me the better solution, as:

- it has no issue, as it is part of a domain member machine

- DNS and data about workstations are resolved locally on the machine (while you still have the option of alternative DNS servers)

- it has its own resources and does not add extra load on FGT RAM/CPU, so the FW can do firewalling and not babysitting/gathering of user data

- scalable and resilient, while the only resiliency on the FGT is HA

- various user data gathering methods and logging, not just hardcoded WinSec

- various timers on how to handle logons, like dead entries etc., where the FGT has just the polling interval AFAIK

- LDAP cache management

- free of charge

 

If I'd sort SSO solutions by preference:

1. FAC (FortiAuthenticator) + FortiClient SSOMA (FAC is a paid solution and you'd need a license for SSOMA, but that's the best solution IMHO, where you can get the most accurate SSO data)

2. FAC SSO .. no SSOMA agents on workstations, but still a VERY versatile collector inside FAC

3. standalone Collector Agent .. and methods by preference: 1. WinSec+WMA 2. WinSec 3. DCAgents .. the rest, like NetAPI, is legacy.

4. FGT .. and I would opt for RSSO if possible and use FSSO direct polling as a last resort.

So in short, the standalone collector is a pretty good and stable solution (free of charge, no licenses, no extra HW/VM). The best solution for no extra money.

 

Swapnil_Rane
New Member
December 21, 2021

Do we have any update on the resolution of this issue? We are facing it and need help to resolve it.

Thanks in advance

SwapnilR

Debbie_FTNT
Staff & Editor
December 21, 2021

Hey Swapnil,

As mentioned multiple times in the thread above, Microsoft updated how the event logs may be accessed, in the process breaking polling mode.

FortiOS 6.2.10, 6.4.7 and 7.0.2 contain fixes to the local FortiGate poller to take into account the Microsoft patches.

However, the changes in FortiGate are NOT backward compatible: if you have a FortiGate operating on those versions (or higher), your DCs need to be patched sufficiently to include the mentioned changes to Security Event logging.
If some of your DCs are patched and some are not, then depending on the FortiGate firmware version it can either poll the patched or the unpatched ones, but not both.
I would suggest that you ensure your FortiGate is at one of the mentioned versions at least, and that your domain controllers have all available updates applied.
If you are looking for additional information or assistance on the FortiGate side of things, please open a Technical Support case.

Cheers!

Philippe
New Member
February 22, 2022

I've this problem now... I'm investigating it.

Now updating all Windows DCs.

Did you fix it?

xsilver_FTNT
Staff
February 23, 2022

Hi Philippe,

Yes, FORTINET did fix what the Microsoft updates messed up.

Kindly investigate how you poll DCs (from the FGT, through the standalone Collector Agent, or through the Collector on FortiAuthenticator).
Then read this thread for all the details that have been said here before.
And apply the solution based on your polling method.

In short:

if you have the latest Microsoft patches on the DCs,

then you need the latest versions of the poller/FOS using those DCs.

 

Philippe
New Member
February 23, 2022

KB5009472
KB4535680
KB4577586
KB4580325
KB4589208
KB5000859
KB5003711
KB5010427
KB5009642

Those KBs are installed, FW upgraded to 6.2.10.

No result :(

The polling connector stays down:

AD Server Status(err: server can not be accessible):