This article describes why FortiAuthenticator receives the error 'NT_STATUS_PRIVILEGE_NOT_HELD' while trying to read and poll user logon events from a domain controller (DC).
Checking https://fac-fqdn-or-ip/debug/fsso-agent shows an issue with Windows event log polling.
SSO is properly configured on the FortiAuthenticator, but SSO sessions are not displaying.
Windows Event Log Source is not able to connect.
For further troubleshooting, run a packet capture from the FortiAuthenticator CLI:
> execute tcpdumpfile -i any host 10.0.0.1 and host 10.0.0.100
Reproduce the issue so that the relevant packets are captured.
When finished, return to the CLI and press CTRL + C to stop the packet capture. Then navigate to https://fac-fqdn-or-ip/debug/ and, from the Service drop-down list, select 'CLI packet capture' at the bottom of the list.
In Wireshark it is possible to see the EVENTLOG packets:
The DC responds to FortiAuthenticator's request with the error 'STATUS_PRIVILEGE_NOT_HELD'.
The user account used for reading and polling event logs, 'gandalf', does not appear to have the appropriate domain privileges.
The user must have read access to the logs, granted through membership in the built-in AD security group 'Event Log Readers'.
After adding user 'gandalf' to the AD security group 'Event Log Readers', FortiAuthenticator started to receive SSO sessions.
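As an added example (not part of the Fortinet article), the following PowerShell, run on a domain-joined administration host with the RSAT ActiveDirectory module, checks whether the polling account is already a member of 'Event Log Readers' (including nested membership), adds it if not, and then confirms that the account can read the Security log of the DC over the network. The account name 'gandalf' is taken from the article; the DC name 'DC01.example.local' is a placeholder to be replaced.

```powershell
# Added example, not from the Fortinet article. Assumptions: RSAT ActiveDirectory
# module installed, script run as a domain administrator, 'gandalf' is the
# FortiAuthenticator polling account, 'DC01.example.local' is a placeholder DC.

Import-Module ActiveDirectory

$PollingAccount   = 'gandalf'
$LogReaders       = 'Event Log Readers'
$DomainController = 'DC01.example.local'   # placeholder, replace with the real DC FQDN

# Resolve the account and check, including nested groups, whether it can already read logs.
$user     = Get-ADUser -Identity $PollingAccount
$members  = Get-ADGroupMember -Identity $LogReaders -Recursive
$isMember = $members.DistinguishedName -contains $user.DistinguishedName

if (-not $isMember) {
    Write-Host "$PollingAccount is not in '$LogReaders'; adding it."
    Add-ADGroupMember -Identity $LogReaders -Members $user
} else {
    Write-Host "$PollingAccount is already in '$LogReaders'."
}

# Group membership is evaluated at authentication time, so the read test below uses
# fresh credentials for the polling account rather than the administrator session.
# An access-denied failure here matches the STATUS_PRIVILEGE_NOT_HELD seen in the
# packet capture; a successful read means FortiAuthenticator should now receive events.
$cred = Get-Credential -UserName "$env:USERDNSDOMAIN\$PollingAccount" -Message 'Polling account password'
try {
    $events = Get-WinEvent -ComputerName $DomainController -Credential $cred `
                           -LogName 'Security' -MaxEvents 5 -ErrorAction Stop
    Write-Host "Read $($events.Count) Security log events from $DomainController as $PollingAccount."
} catch {
    Write-Warning "Remote read of the Security log failed: $($_.Exception.Message)"
}
```

The remote read is the useful check: it exercises the same privilege the DC enforced against FortiAuthenticator, so it distinguishes a permissions problem from a network or firewall problem before the FortiAuthenticator configuration is touched again.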