Description
This article expands upon the FortiAuthenticator FSSO configuration described in the administration guide.
Solution
FortiAuthenticator can act as an FSSO Collector Agent. When acting as a Collector Agent, it supports both polling mode and agent mode, the same as the independent Collector Agent software.
Both can be enabled under Fortinet SSO Methods -> SSO -> General.
Note:
FortiAuthenticator can also parse RADIUS Accounting messages and Syslog logs for user logins and add them to SSO.
Also, verify that the interface in question has FSSO allowed:
For Polling Mode, FortiAuthenticator needs to have at least one Windows Event Log Source configured:
For DC Agent mode, the toggle must be enabled, and a listening port specified if something other than tcp/8002 should be used.
In addition, the DC Agent must be installed manually on domain controllers and configured to communicate with FortiAuthenticator.
The DC Agent software can be downloaded under support.fortinet.com -> Support -> Firmware Download -> FortiGate -> Firmware -> FSSO folder:
If uncertain which DC Agent version to use, either contact Technical Support or use a version with a similar 'Date Created/Date Modified' value to the FortiAuthenticator firmware.
DC Agents then need to be manually installed on any domain controllers that should forward user logins to FortiAuthenticator.
During the installation wizard, the Collector Agent IP is requested:
Once this is set, the DC Agent should start collecting and forwarding login events to FortiAuthenticator.
Note:
The above may also be set as registry keys, under HKEY_LOCAL_MACHINE -> Software -> Fortinet -> FSA -> DC Agents -> ca.
There should be a registry key for each Collector Agent.
FortiAuthenticator should then display SSO sessions: