ggolubovic
Staff
Article Id 284701
Description

This article describes how to test a Fortinet Single Sign-On (FSSO) service account with Windows-native tools, to determine whether the service account has sufficient permissions to read the Security Event Log on a domain controller.

Scope

FSSO.

Solution

The Fortinet Single Sign On Agent (also known as the Collector Agent) runs as a Windows service under a service account. That service account is used to read the Security Event Log on remote Domain Controllers. Sometimes, because of hardening practices, the service account is unable to read the Event Logs on remote Domain Controllers without this being obvious.

To check whether the Fortinet Single Sign On Agent service is running, and which service account it uses, these commands may be used in Windows Command Line (cmd.exe):

C:\> sc query | find "Forti"

[Image: sc_query.png]

SERVICE_NAME is Fortinet_FSAE, and this may be used both to verify the service state and to find the user account the service is running under:

C:\> sc query Fortinet_FSAE

[Image: sc_query_FSAE.png]

The service STATE is RUNNING in the above image.
To check which account the service is running under, the following may be used:

C:\> wmic service where 'name like "Fortinet_FSAE"' get name,startname,DisplayName

[Image: wmic_service.png]

To test the service account permissions, the following steps may be used:

  1. Generate logons with a test user (sign out of a workstation, then sign in again).
     Note: To verify which domain controller the user in question authenticated against (and therefore which one recorded the security event), run this command on the user's workstation in Windows Command Line:

     C:\> echo %logonserver%

  2. Run PowerShell as the service account (run this command in cmd.exe):

     runas /netonly /user:administrator@fortiad.net "powershell.exe"

     /netonly --> the credentials are used for remote (network) access only; the local PowerShell process itself still runs as the logged-in user.
     "powershell.exe" --> the application that will be run under /user:administrator@fortiad.net.
     Enter the password when prompted:

     [Image: runas.png]

  3. Run this PowerShell command:

     Get-WinEvent -ComputerName <IP or FQDN of target domain controller> -FilterHashtable @{LogName='Security'; ID=672,673,680,4768,4769,4776,4624; StartTime=((Get-Date).AddMinutes(-20))} | Where-Object -Property Message -Match '<test user>'

     -ComputerName --> IP or FQDN of the target DC, to check whether the service account is allowed to read its Security event log.
     LogName='Security' --> the Security event log on the DC.
     ID=672,673,680,4768,4769,4776,4624 --> the event IDs to be checked (matches the 'Event IDs to poll: 2' setting in the Collector Agent).
     StartTime=((Get-Date).AddMinutes(-20)) --> retrieve events from the previous 20 minutes; depending on how many security events are generated and when the test user logon occurred, the AddMinutes value may be adjusted up or down for a reasonable response time.
     Where-Object -Property Message -Match '<test user>' --> supply the test user's name (usually the sAMAccountName).

     [Image: getwinevent.png]

     The resulting output shows whether the service account is able to read the specified security events on the remote host. If it is NOT, the service account has insufficient permissions to access the Security Event Log, and additional privileges need to be granted.
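An empty result from the command above can mean either that the account was denied access or that no matching events fell inside the time window. The function below, an added example that is not code from the Fortinet article, wraps the same Get-WinEvent filter and tells those two cases apart; run it in a PowerShell started with runas /netonly as the service account. The function name, its parameters and the example call values are this example's own placeholders.

```powershell
# Added example (not from the Fortinet article): run the article's Security log
# query and classify the outcome as OK / NoEventsForUser / AccessDenied / Error.
function Test-FssoEventLogAccess {
    param(
        [Parameter(Mandatory)] [string] $DomainController,  # IP or FQDN of the DC
        [Parameter(Mandatory)] [string] $TestUser,          # sAMAccountName of the test user
        [int] $Minutes = 20                                  # how far back to look
    )

    # Same filter the article uses (Collector Agent "Event IDs to poll: 2").
    $filter = @{
        LogName   = 'Security'
        ID        = 672, 673, 680, 4768, 4769, 4776, 4624
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }

    try {
        $events = @(Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # -ErrorAction Stop turns "no events in window" into a terminating error; treat as empty.
            $events = @()
        } elseif ($_.Exception -is [System.UnauthorizedAccessException]) {
            # The DC answered, but these credentials may not read its Security log.
            # Typical fix: grant the service account read access, e.g. via the built-in
            # "Event Log Readers" group on the DC (this remediation hint is not from the article).
            return [pscustomobject]@{ DomainController = $DomainController; Result = 'AccessDenied'; Detail = $_.Exception.Message }
        } else {
            # Anything else: DC unreachable, RPC blocked by a firewall, EventLog service stopped, ...
            return [pscustomobject]@{ DomainController = $DomainController; Result = 'Error'; Detail = $_.Exception.Message }
        }
    }

    # Escape the user name so characters such as "." or "$" are matched literally.
    $hits = @($events | Where-Object { $_.Message -match [regex]::Escape($TestUser) })
    $result = if ($hits.Count -gt 0) { 'OK' } else { 'NoEventsForUser' }

    [pscustomobject]@{
        DomainController = $DomainController
        Result           = $result
        Detail           = "$($events.Count) events in the last $Minutes min, $($hits.Count) mention $TestUser"
        Events           = $hits | Select-Object TimeCreated, Id, MachineName
    }
}

# Example call with placeholder values; replace with a real DC and the test user from step 1.
Test-FssoEventLogAccess -DomainController 'dc1.fortiad.net' -TestUser 'testuser' | Format-List
```

A result of NoEventsForUser with a non-zero event count means the account can read the log and only the time window or user name needs adjusting; AccessDenied is the case the article describes as insufficient permissions.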