matanaskovic
Staff
Staff
Description

This article describes why an error message: 'NT_STATUS_PRIVILEGE_NOT_HELD' FortiAuthenticator is receiving, while trying to read and poll user logon events from DC.

Scope FortiAuthenticator 6.4.4.
Solution

Checking the https://fac-fqdn-or-ip/debug/fsso-agent, it is possible to see issue regarding the Windows event log polling.

 

matanaskovic_0-1660297424762.png

 

SSO is properly configured on the FortiAuthenticator, but SSO sessions are not displaying.

 

matanaskovic_1-1660297459547.png

 

matanaskovic_2-1660297463551.png

 

Windows Event Log Source is not able to connect.

 

matanaskovic_3-1660297516205.png

 

For further troubleshooting, run packet capture will be run through FortiAuthenticator CLI.


- FortiAuthenticator VM IP address: 10.0.0.1.
- DC Windows server 2019 IP address: 10.0.0.100.

 

> execute tcpdumpfile -i any host 10.0.0.1 and host 10.0.0.100

 

Reproduce the issue and catch packets.

 

matanaskovic_4-1660297570281.png

 

When it is finished, back on CLI and press CTRL + C, to stop packet capture. Then navigate to https://fac-fqdn-or-ip/debug/ and from drop down Service list, select CLI packet capture at bottom of the list.

 

In Wireshark it i possible to see EVENTLOG packets:

 

matanaskovic_5-1660297635579.png

 

DC is responding on FortiAuthenticator’s request with error: 'STATUS_PRIVILEGE_NOT_HELD'.

User used for reading and polling event logs, 'gandalf', seems that does not have appropriate domain privileges.

 

matanaskovic_6-1660297671946.png

 

The user must have read access to the logs using the built in AD security group 'Event Log Readers'.

 

matanaskovic_7-1660297693591.png

 

After assigning user 'gandalf' to AD security group 'Event Log Readers', FortiAuthenticator has started to receive SSO Sessions.

 

matanaskovic_8-1660297727777.png

 

Related article:

https://docs.fortinet.com/document/fortiauthenticator/6.4.4/administration-guide/454928/fortinet-sin...