FortiGate
Somashekara_Hanumant
Staff & Editor
Article Id 197780

Description


This article describes the workstation hostname character limit that applies to FSSO authentication when the collector agent runs in Standard AD Access mode.

Scope

 

FortiGate.

 

Solution


While using FSSO authentication, the FSSO collector agent resolves the workstation hostname to an IP address. For this to work, the workstation hostname must not exceed 15 characters. If it exceeds this limit, the DNS resolution will fail.

Expectations, Requirements:

The FSSO configuration on the FortiGate and the FSSO collector agent is in place and working.
 
A user from 10.40.9.42 will try to log in to the domain controller. The IP and hostname are as follows:
 
Windows IP Configuration:
    Host Name . . . . . . . . . . . . : boson-kvm42-12345
    Primary Dns Suffix  . . . . . . . : dubailab.lab
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : dubailab.lab
 
    IPv4 Address. . . . . . . . . . . : 10.40.9.42(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.240.0
    Default Gateway . . . . . . . . . : 10.40.4.123
    DHCPv6 IAID . . . . . . . . . . . : 50356847
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-AC-58-17-00-62-6F-73-2A-01
    DNS Servers . . . . . . . . . . . : 10.40.9.78
                                        8.8.8.8
 
When the user logs in from 10.40.9.42 to the domain controller 10.40.9.78, the DNS record is as follows:
 
 
From the FSSO collector agent logs:
 
resolve_ip_internal: workstation:BOSON-KVM42-123.dubailab.lab [10.40.9.42:0.0.0.0] time:0
04/24/2019 13:18:11 [ 5168] after DNS_checking:BOSON-KVM42-123.dubailab.lab
 
From the DC agent logs:
 
4/24/2019 13:14:05.776: processing Logon (level=1, logonid=0-0) DUBAILAB\BOSON-KVM42-123$ (BOSON-KVM42-123$) from BOSON-KVM42-123
machine account:BOSON-KVM42-123$ is ignored.
 
The FSSO DC agent records only the first 15 characters of the workstation name, which causes the domain resolution to fail.
 
This issue is directly related to the Windows/NetBIOS limitation: NetBIOS supports only up to 15 characters in the computer name. If FSSO support for longer host names is required, change the FSSO collector agent to Advanced AD Access Mode, as shown in the article Technical Tip: How to switch FSSO operation mode from Standard Mode to Advanced Mode.
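
The following audit script is an added example, not part of the original article or of any Fortinet tooling. It lists which hostnames in an inventory exceed the 15-character limit, shows the truncated name the collector agent would try to resolve, and scans collector agent log lines for names that are exactly 15 characters long. It goes slightly beyond the article by also flagging hosts that collapse to the same 15-character name. The inventory entries other than the article's own host, and all function names, are constructed for illustration.

```python
import re
from collections import defaultdict

NETBIOS_MAX = 15  # limit stated in the article

# Constructed inventory of (hostname, DNS suffix); the first entry is the article's host.
INVENTORY = [
    ("boson-kvm42-12345", "dubailab.lab"),
    ("boson-kvm42-12399", "dubailab.lab"),  # constructed
    ("hr-laptop-07", "dubailab.lab"),       # constructed
]

# Collector agent log line, in the format shown in the article.
SAMPLE_LOG = [
    "resolve_ip_internal: workstation:BOSON-KVM42-123.dubailab.lab [10.40.9.42:0.0.0.0] time:0",
]
LOG_RE = re.compile(r"workstation:(?P<fqdn>[^\s\[]+) \[(?P<ip>[\d.]+):")

def netbios_name(hostname):
    """Name recorded by the DC agent: first 15 characters, upper-cased."""
    return hostname[:NETBIOS_MAX].upper()

def audit(inventory):
    """Return (over-long hosts with the FQDN FSSO would look up, colliding short names)."""
    truncated, seen = [], defaultdict(list)
    for host, suffix in inventory:
        short = netbios_name(host)
        seen[short].append(host)
        if len(host) > NETBIOS_MAX:
            truncated.append((host, f"{short}.{suffix}"))
    collisions = {s: hosts for s, hosts in seen.items() if len(hosts) > 1}
    return truncated, collisions

def suspect_log_names(lines):
    """Return (fqdn, ip) for log entries whose host label is exactly 15 characters,
    which may be a truncated name rather than the real one."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and len(m["fqdn"].split(".", 1)[0]) == NETBIOS_MAX:
            hits.append((m["fqdn"], m["ip"]))
    return hits

if __name__ == "__main__":
    too_long, clashes = audit(INVENTORY)
    for host, lookup in too_long:
        print(f"{host}: FSSO will look up {lookup}")
    for short, hosts in clashes.items():
        print(f"{short} is shared by {', '.join(hosts)}")
    print(suspect_log_names(SAMPLE_LOG))
```

A 15-character label in the log is only a hint; compare it against the inventory or DNS zone to confirm whether the real hostname is longer.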