Skip to main content
summercoke
summercoke
New Member
January 12, 2016
Solved

traffic log cannot display user id in FSSO

  • January 12, 2016
  • 1 reply
  • 12025 views

Dear All,

I am setting a test policy that required FSSO AD authentication.

I have done the following successfully

1) LDAP Server created successfully and test was success 2) Single Sign-On Created sucessfully with status connected. 3) FSSO using DC-Agent is installed successfully in my DC

verified from CLI

[FORTIGATE] # diag deb auth fsso server-status [FORTIGATE] # Server Name Connection Status Version ----------- ----------------- ------- FORTINET_AGENT1 connected FSSO 5.0.0241

but when i do the following :

[FORTIGATE] # diag deb auth fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----

it seems to me that the FSSO agent is not working successfully

i verified the data of the logon users in FSSO Agent i can retrieve a list of AD users that is logon in my environment.

i double checked all the steps and configuration. everything is as per specified in official guide.

what went wrong here ?

any pointer ?

    Best answer by summercoke

    Dear Ludwig,  please consider this case solved (at leased for me).  as i have finally discovered the root cause of the problem.  it is the directory access mode.  the default setting is "basic" which is in [domain]\[username] format however my firewall 5.2.4 firmware the directory access mode is the advance mode by default which is in this format CN=Users,DC=[DOMAIN_NAME] format.  after changing the method to advance, the logons are all displayed successfully in my firewall

    1 reply

    it9
    it9
    New Member
    January 14, 2016

    hi summercoke, 

     

    i use a fortigate 100D active-passiv cluster (Firmware v5.2.5,build701) where i enabled the SSO Authentication via Eventlogging polling (i fallowed this video: http://video.fortinet.com/video/88/setup-fortinet-single-sign-on-fsso-in-polling-mode-fortios-v5-0) and now i have excact the same problem.

     

    at first everything was working fine but then i changed the SSO Agent IP Adress to the DNS-Name of the DC (at the firewall configuration) and so the problem (that no new user information comes to the firewall) occurs. 

    at the DC the Collector Agent has all logon/logoff events in his logfile. 

     

    I did the same diagnose (http://docs.fortinet.com/uploaded/files/1044/fortigate-troubleshooting-40-mr3.pdf) :

     

    ip17-17-FortiGate-100D # diagnose debug authd fsso server-status Server Name Connection Status Version ----------- ----------------- ------- vm322 connected FSSO 5.0.0242

     

    ip17-17-FortiGate-100D # diagnose debug authd fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----

     

     

    (not sure if this command is appropriate in this case) ip17-17-FortiGate-100D # diag debug fsso-polling detail fsso daemon is not running

     

     

    at the DC i found this error in C:\Program Files (x86)\Fortinet\FSAE\CollectorAgent.log: "01/14/2016 16:04:13 [ 5372] error prase file header:C:\Program Files (x86)\Fortinet\FSAE\TSAgentSyncID.dat"

     

    i didn't found a solution for the problem. did you? anyone? :)

     

    Greetings from Austria

    Ludwig

    summercoke
    summercokeAuthor
    New Member
    January 15, 2016

    from my research and reading thus far .... all advise is against the use of polling method and use FSSO Agent and DC agent installed in every single DC. 

     

    i already done that still same problem persists. no reading in user manual or guide have extensive info in troubleshooting using CLI ... 

     

    i guessed it is something go to do with NTLM authentication perhaps ... but even I set it in policy that required user identity the problem still persists. 

     

    the web pages just stuck, nothing is capture in traffic log, not even blocked message. 

    Terms & ConditionsAccessibility statement