FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
akanibek
Staff
Article Id 302753

Description

This article describes how a logon event is processed when FortiAuthenticator acts as an FSSO CA and its Remote LDAP Server is configured with the UPN as the username attribute. There are cases where the sAMAccountName attribute does not match the UPN attribute, and the FortiAuthenticator user search in LDAP then fails.


Scenario:

  • FortiAuthenticator acting as an FSSO CA.
  • FortiGate configured with an External FSSO Connector.
  • Windows AD 2016, domain name 'fortinet.lab'.
  • Testing workstation.
  • Testing user attributes: sAMAccountName 'samacc', UPN 'samacc-upn@fortinet.lab'.

Scope

FortiAuthenticator v6.6.0 and later, FortiGate v6.4.X and v7.X.X.

Solution

FortiAuthenticator is configured with the UPN attribute in a Remote LDAP Server:

LDAPServerSettings.png

Starting with FortiAuthenticator firmware version 6.6.0, there is a new field to adjust under the general FSSO settings, 'Username attribute'. It can be set to the attribute name that FortiGate expects.

FSSO_Settings.png

By default, this option is empty, and FortiAuthenticator sends the logon event using the sAMAccountName attribute.

Also, starting from version 6.6.0, FortiAuthenticator uses the sAMAccountName for the LDAP user search even when the Remote LDAP Server is configured with the UserPrincipalName attribute.

Example with screens:

  1. Remote LDAP server settings:

LDAPServerSettings.png

  2. Under SSO -> General Settings, the option 'Username Attribute' is set to the UserPrincipalName attribute.

General-Attribute_UPN.png

  3. Logged on to the workstation as 'samacc-upn@fortinet.lab' (the logon event on the Windows DC appeared with the sAMAccountName):


03/24/2024 16:14:33 [DAD276C0] DC/TS Agent [INFO]: LOGON 2024-03-24-15:14:36/2024-03-24-15:14:36 TS Agent (null):172.20.20.3/172.20.20.3;[3301->3500] fortinet.lab/samacc
03/24/2024 16:14:33 [DAD276C0] Group Cache [DEBUG]: try to find fortinet.lab/samacc
03/24/2024 16:14:33 [DAD276C0] Group Cache [DEBUG]: try to find user fortinet.lab/samacc and found fortinet.lab/samacc((null))
03/24/2024 16:14:33 [DAD276C0] Group Cache [INFO]: cache item found but expired: fortinet.lab/samacc
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Looking up group info for fortinet.lab/samacc from DC=fortinet,DC=lab
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Trying to find a Global Catalog connection in domain fortinet.lab.
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Successfully connected to ldap://172.20.20.2:3268 as fortiadmin
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Try LDAP search for 'samacc': base:DC=fortinet,DC=lab
filter:(&(objectclass=user)(sAMAccountName=samacc))
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Found 'samacc' in LDAP search in domain DC=fortinet,DC=lab: CN=account Name,CN=Users,DC=fortinet,DC=lab
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Try LDAP search for '\01\05\00\00\00\00\00\05\15\00\00\00\B8\B6\3F\14\30\6F\E9\60\6A\08\A4\FB\01\02\00\00': base:DC=fortinet,DC=lab
filter:(&(objectclass=*)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\B8\B6\3F\14\30\6F\E9\60\6A\08\A4\FB\01\02\00\00))
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Found '\01\05\00\00\00\00\00\05\15\00\00\00\B8\B6\3F\14\30\6F\E9\60\6A\08\A4\FB\01\02\00\00' in LDAP search: CN=Domain Users,CN=Users,DC=fortinet,DC=lab
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Found primary group CN=Domain Users,CN=Users,DC=fortinet,DC=lab
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Found group CN=Users,CN=Builtin,DC=fortinet,DC=lab
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Found user (samacc) groups in domain fortinet.lab along with universal groups
03/24/2024 16:14:33 [DAD276C0] Group Cache [DEBUG]: try to add fortinet.lab/samacc
03/24/2024 16:14:33 [DAD276C0] Group Cache [DEBUG]: try to find user fortinet.lab/samacc and found fortinet.lab/samacc((null))
03/24/2024 16:14:33 [DAD276C0] Group Cache [INFO]: try to remove fortinet.lab/samacc((null))
03/24/2024 16:14:33 [DAD276C0] Group Cache [INFO]: try to add fortinet.lab/samacc(samacc-upn@fortinet.lab)
03/24/2024 16:14:33 [DAD276C0] Group Cache [INFO]: added (replaced existing one): fortinet.lab/samacc
03/24/2024 16:14:33 [DAD276C0] DC/TS Agent [DEBUG]: Checking whether user fortinet.lab/samacc is in the exclusion list
03/24/2024 16:14:33 [DAD276C0] Exclusion List [DEBUG]: Looking up user CN=account Name,CN=Users,DC=fortinet,DC=lab [3,1] in exclusion table
03/24/2024 16:14:33 [DAD276C0] DC/TS Agent [DEBUG]: user samacc-upn@fortinet.lab group info: CN=account Name,CN=Users,DC=fortinet,DC=lab+CN=Users,CN=Builtin,DC=fortinet,DC=lab+CN=Domain Users,CN=Users,DC=fortinet,DC=lab
03/24/2024 16:14:33 [DAD276C0] Session Manager [DEBUG]: Received new logon (WS: TS-Agent@172.20.20.3:00000005) for user fortinet.lab/samacc-upn@fortinet.lab. Processing.
03/24/2024 16:14:33 [DAD276C0] Session Manager [DEBUG]: User fortinet.lab/samacc-upn@fortinet.lab not found in session table, creating new session
03/24/2024 16:14:33 [DAD276C0] SSO Generic User [DEBUG]: Looking up SSO configuration for user fortinet.lab/samacc-upn@fortinet.lab
03/24/2024 16:14:33 [DAD276C0] SSO Generic User [DEBUG]: Setting default maximum concurrent sessions for user fortinet.lab/samacc-upn@fortinet.lab to 0
03/24/2024 16:14:33 [DAD276C0] Session Manager [DEBUG]: Found SSO configuration for user fortinet.lab/samacc-upn@fortinet.lab [3], max sessions: 0
03/24/2024 16:14:33 [DAD276C0] Session Manager [DEBUG]: Adding new user session for user fortinet.lab/samacc-upn@fortinet.lab to session table
03/24/2024 16:14:33 [DAD276C0] Session Manager [DEBUG]: Successfully created a new user session for fortinet.lab/samacc-upn@fortinet.lab [3] with 1 current logon: TS-Agent@172.20.20.3:00000005
03/24/2024 16:14:33 [DAD276C0] Session Manager [DEBUG]: Currently at 1 FSSO users out of maximum 100 allowed
03/24/2024 16:14:33 [DAD276C0] Logon Cache [DEBUG]: Successfully added logon item TS-Agent@172.20.20.3:00000005/172.20.20.3;[3301->3500] [fortinet.lab/samacc-upn@fortinet.lab] to vdom cache 'Default'
03/24/2024 16:14:33 [DAD276C0] Logon Cache [INFO]: Added new logon, workstation:TS-Agent@172.20.20.3:00000005 ip:172.20.20.3;[3301->3500] user:fortinet.lab/samacc-upn@fortinet.lab

FAC_LoggedOnUser.png

  4. FortiGate's user list:


FGT_LOggedonUsers.png
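To check from the FortiAuthenticator FSSO debug log that a logon was handled the way the steps above describe (the DC event carries the sAMAccountName, the LDAP search is done on sAMAccountName, and the logon sent to FortiGate carries the UPN), here is an added Python example. It is not Fortinet code; it assumes only the log line formats shown in step 3, and the sample input is a constructed excerpt trimmed from that log.

```python
import re

# Constructed sample: five lines trimmed from the FortiAuthenticator FSSO debug log above.
SAMPLE_LOG = """\
03/24/2024 16:14:33 [DAD276C0] DC/TS Agent [INFO]: LOGON 2024-03-24-15:14:36/2024-03-24-15:14:36 TS Agent (null):172.20.20.3/172.20.20.3;[3301->3500] fortinet.lab/samacc
03/24/2024 16:14:33 [DAD276C0] Domain Manager [DEBUG]: Try LDAP search for 'samacc': base:DC=fortinet,DC=lab
filter:(&(objectclass=user)(sAMAccountName=samacc))
03/24/2024 16:14:33 [DAD276C0] Group Cache [INFO]: try to add fortinet.lab/samacc(samacc-upn@fortinet.lab)
03/24/2024 16:14:33 [DAD276C0] Logon Cache [INFO]: Added new logon, workstation:TS-Agent@172.20.20.3:00000005 ip:172.20.20.3;[3301->3500] user:fortinet.lab/samacc-upn@fortinet.lab
"""

# One pattern per processing stage; the group names are this example's own, not Fortinet's.
LOGON_RE = re.compile(r"DC/TS Agent \[INFO\]: LOGON .* (?P<domain>[^/\s]+)/(?P<name>\S+)$")
FILTER_RE = re.compile(r"^filter:\(&\(objectclass=user\)\((?P<attr>\w+)=(?P<value>[^)]+)\)\)$")
CACHE_RE = re.compile(r"Group Cache \[INFO\]: try to add [^/]+/(?P<sam>[^(]+)\((?P<sent>[^)]+)\)$")
SENT_RE = re.compile(r"Logon Cache \[INFO\]: Added new logon, .* user:[^/]+/(?P<user>\S+)$")


def trace_logon(log_text):
    """Walk the log once and record the username seen at each processing stage."""
    trace = {"event_user": None, "search_attr": None, "search_value": None,
             "cached_as": None, "sent_user": None}
    for line in log_text.splitlines():
        line = line.strip()
        if m := LOGON_RE.search(line):          # name as received from the DC/TS Agent
            trace["event_user"] = m["name"]
        elif m := FILTER_RE.match(line):        # attribute used for the LDAP user search
            trace["search_attr"], trace["search_value"] = m["attr"], m["value"]
        elif m := CACHE_RE.search(line):        # name the group cache maps the user to
            trace["cached_as"] = m["sent"]
        elif m := SENT_RE.search(line):         # name in the logon handed to FortiGate
            trace["sent_user"] = m["user"]
    return trace


def attribute_sent_to_fortigate(trace):
    """Infer which attribute ended up in the logon event sent to FortiGate."""
    sent = trace["sent_user"]
    if sent is None:
        return "none"
    return "userPrincipalName" if "@" in sent else "sAMAccountName"


def search_matches_event(trace):
    """True when the LDAP lookup used sAMAccountName with the name from the DC event."""
    return trace["search_attr"] == "sAMAccountName" and trace["search_value"] == trace["event_user"]


if __name__ == "__main__":
    print(trace_logon(SAMPLE_LOG))
```

If `attribute_sent_to_fortigate` reports sAMAccountName while 'Username attribute' is set to UserPrincipalName, the FortiGate user list will show the short name and the two sides of the mismatch described in this article are worth comparing in the log.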