FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
lmarinovic
Staff
Article Id 222388
Description

This article describes an issue where FSSO events are not collected by FortiGate after upgrading FortiAuthenticator to 6.4.5 and higher.

Scope

FortiAuthenticator 6.4.5 and higher.
Solution

For example, errors like the following may appear on the FortiAuthenticator side:


***
08/26/2022 15:58:32 [3897F700] libfac_comm: SSL server connection failed: sock: 10 error: SSL_ERROR_SSL(1): code=0x1417c0c7: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate;
08/26/2022 15:58:32 [3897F700] FCT session SSL connection failed (IP): SSL_ERROR_SSL(1): code=0x1417c0c7: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate;
08/26/2022 15:58:32 [3897F700] FCT disconnected: IP
***


Logs from the Agent:


***
8/26/2022 4:00:59 PM Debug SSOMA Start to resolve address for FortiAuthenticator:IP, TICC:832890, TID:1248
8/26/2022 4:00:59 PM Debug SSOMA Succeeded to resolve address for FortiAuthenticator:IP, FAC IP:IP, TICC:832890, TID:1248
8/26/2022 4:00:59 PM Debug SSOMA SendAndReceive(), Local IP:IP, FAC IP:IP, FAC Port:8001, TICC:832890, TID:1248
8/26/2022 4:00:59 PM Debug SSOMA ReceiveServerReply(), failed to receive hello message from authenticator, TID:1248
8/26/2022 4:00:59 PM Debug SSOMA SendAndReceive(), failed to send event to authenticator, TID:1248
***
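To triage this condition from the two kinds of log excerpt shown above, the following added Python script (not Fortinet's code; the embedded samples are constructed copies of the quoted lines, and the 5-minute correlation window is an assumption) parses both formats and reports whether FortiAuthenticator's "peer did not return a certificate" rejection lines up with the agent's failure to receive a hello on the encrypted port:

```python
import re
from datetime import datetime, timedelta

# Constructed samples mirroring the two log formats quoted in the article.
SAMPLE_FAC_LOG = """\
08/26/2022 15:58:32 [3897F700] libfac_comm: SSL server connection failed: sock: 10 error: SSL_ERROR_SSL(1): code=0x1417c0c7: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate;
08/26/2022 15:58:32 [3897F700] FCT session SSL connection failed (IP): SSL_ERROR_SSL(1): code=0x1417c0c7: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate;
08/26/2022 15:58:32 [3897F700] FCT disconnected: IP
"""
SAMPLE_AGENT_LOG = """\
8/26/2022 4:00:59 PM Debug SSOMA SendAndReceive(), Local IP:IP, FAC IP:IP, FAC Port:8001, TICC:832890, TID:1248
8/26/2022 4:00:59 PM Debug SSOMA ReceiveServerReply(), failed to receive hello message from authenticator, TID:1248
"""

# Failure signatures taken from the excerpts above.
CERT_SIG = "peer did not return a certificate"
HELLO_SIG = "failed to receive hello message from authenticator"
# FortiAuthenticator line: "MM/DD/YYYY HH:MM:SS [thread-id] message"
FAC_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[[0-9A-Fa-f]+\] (.*)$")
# SSOMA agent line: "M/D/YYYY h:MM:SS AM|PM Level SSOMA message"
AGENT_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \w+ SSOMA (.*)$")
PORT_RE = re.compile(r"FAC Port:(\d+)")

def _parse(text, regex, fmt):
    """Return [(timestamp, message)] for every line that matches `regex`."""
    out = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), fmt), m.group(2)))
    return out

def parse_fac(text):
    return _parse(text, FAC_RE, "%m/%d/%Y %H:%M:%S")

def parse_agent(text):
    return _parse(text, AGENT_RE, "%m/%d/%Y %I:%M:%S %p")

def diagnose(fac_text, agent_text, window=timedelta(minutes=5)):
    """Flag the post-upgrade TLS mismatch: FortiAuthenticator rejects the
    handshake because the client sent no certificate, and the agent then
    fails to receive the server hello within `window` of that rejection."""
    cert_fail = [t for t, msg in parse_fac(fac_text) if CERT_SIG in msg]
    agent = parse_agent(agent_text)
    hello_fail = [t for t, msg in agent if HELLO_SIG in msg]
    ports = sorted({int(p) for _, msg in agent for p in PORT_RE.findall(msg)})
    correlated = any(timedelta(0) <= h - c <= window for c in cert_fail for h in hello_fail)
    return {"fac_cert_failures": len(cert_fail), "agent_hello_failures": len(hello_fail),
            "agent_ports": ports, "tls_mismatch_suspected": correlated}
```

Run `diagnose(SAMPLE_FAC_LOG, SAMPLE_AGENT_LOG)` to see the verdict; a reported agent port of 8001 together with a suspected mismatch points at the encryption toggle described below.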


To resolve this error, follow these instructions:

  • In FortiAuthenticator 6.4.5, disable 'Enable encryption' under Fortinet SSO Methods -> SSO -> General.
  • In FortiAuthenticator 6.6.2, disable 'Enable encryption' under Fortinet SSO -> Settings -> FortiGate.


FortiAuthenticator now offers a server-side TLS support option so that FortiGate, as an FSSO client, can be configured to connect to FortiAuthenticator over a TLS connection; this option is enabled by default after an upgrade.


Disable this by moving the toggle 'Enable encryption' under Fortinet SSO Methods -> SSO -> General or Fortinet SSO -> Settings -> FortiGate.


Note: Encrypted FSSO on FortiAuthenticator simply uses TCP/8000 (the same port as unencrypted FSSO).
When the FortiGate connector is changed from unencrypted FSSO on TCP/8000 to encrypted FSSO, the port automatically changes from TCP/8000 to TCP/8001.