Article
| Description |
Application User forces to log-off the current user on FSAE and access through the FortiGate is blocked. |
| Components |
- FortiGate units using FSAE.
|
| Steps or Commands |
Some applications may use a specific username to access to certain resources on the intranet or on the Internet.
Third-party anti-virus updates is an example.
The
current user is then forced to log-off from FSAE and the Application
User is used with different rights applied to the connection, causing
sometimes problems to the normal user activity.
What happens is the User Logon Account in the FSAE user list is replaced by the Service Account. The User Logon Account belongs to a group you have configured for authentication on the FortiGate unit, while Service Account does not.
To verify, first find out the Service Account for that particular application.
- On the PC, go to Start> Settings> Control Panel> Services.
- Select the application and view its properties.
In the example below, Domain Administrator is logged on as the Service Account.
If the user logs on with a different User Account than the Service Account, chances are the User Log on Account in the FSAE user list is now replaced by the Service Account.
You can also follow additional troubleshooting steps outlined below to see that the User Logon Account in the FSAE user list is replaced by the Service Account.
- Logon to a PC using Domain Logon User Account: fsae_user who is in the Windows AD User Group.
- The Collector Agent sends this logon information to FortiGate unit and the user fsae_user can use the firewall policy to access the Internet.
FTG60_1 # diag debug auth fsae list
FTG60_1 # message_loop: checking timeouts
----FSAE logons----
IP: 192.168.17.201 User: fsae_user Groups: IHOMIK/Domain Users+IHOMIK/FSAE_User_GLB_Security_GRP+IHOMIK/Domain
Admins+IHOMIK/CERTSVC_DCOM_ACCESS+IHOMIK/Administrators+IHOMIK/Users
Total number of users logged on: 1
----end of FSAE logons----
- From the same PC, start an application. For example, an Wireless Configuration application uses Administrator as the Service Account.
- The Collector Agent now sends "Administrator" to the FortiGate unit.
FTG60_1 # diag debug auth fsae list
FTG60_1 # message_loop: checking timeouts
----FSAE logons----
IP: 192.168.17.201 User: Administrator Groups: IHOMIK/Group Policy Creator
Owners+IHOMIK/Domain
Users+IHOMIK/Schema Admins+IHOMIK/Enterprise Admins+IHOMIK/Domain
Admins+IHOMIK/ExMerge+IHOMIK/CERTSVC_DCOM_ACCESS+IHOMIK/
Administrators+IHOMIK/UsersTotal number of users logged on: 1
----end of FSAE logons----
- fsae_user lost Internet connectivity because this account is now replaced by Administrator which is not in the Windows AD User Group.
There are a couple of solutions to circumvent this issue.
Solution 1
On the same PC, please ask the user (fsae_user) to re-logon to the Windows AD. After the logon, the User Logon Account should again be in the FSAE user list on the FortiGate unit, and he should be able to access the Internet again.
Solution 2
You may also include the Service Account (Domain Administrator, in the example) in the FSAE Global Ignore User List from FSAE Collector Agent Configuration so this account is never sent to FortiGate.
|
Related Articles
Technical Note : FSAE Troubleshooting Guide
