FortiGate
aneshcheret
Staff
Article Id 197159

Description


This article describes how to ignore logons created by RDP sessions.
This is a useful feature for cases where Active Directory Administrators (or other users) require access to various computers across the network with their accounts.

Without an RDP override, the act of connecting to the remote desktop would overwrite the original user logon, removing that logon from the FSSO list.

That would result in blocked internet access due to a lack of policy match.

Scope

 

Windows Server 2022 Standard, Windows Server 2022 Datacenter, Windows Server 2019 Standard, Windows Server 2019 Datacenter, Windows Server 2019 Core, Windows Server 2016 Datacenter, Windows Server 2016 Standard, Windows Server 2016 Core, Windows Server 2012 Standard, Windows Server 2012 R2 Standard, Windows Server 2012 Core.

(Technically this feature also worked on Windows Server 2008 and 2003, but those are no longer officially supported by Microsoft.)

 

FSSO standalone Collector Agent (DC Agent optional), from build 5.0.0253 onwards.

All currently supported Windows Servers are listed in the FortiOS Release Notes under Product Integration and Support -> Fortinet Single Sign-On (FSSO).

For example: Product integration and support


Solution


There are two supported methods to solve this issue:

  1. Use the Ignore list available in the Collector Agent GUI: select the particular user(s) whose logons will be ignored.

    Note: This is not suitable for AD accounts that require internet access through identity-based policies, as their logons will be completely ignored, meaning no authenticated session will be created on the FortiGate.

  2. Use the RDP override feature in the Collector Agent GUI: go to Show Monitored DCs, select the 'DC to Monitor', and in the bottom left corner select 'Disable RDP override'.
    For this second option to work, either prerequisites a and b together, or prerequisite c alone, must be met:
    a. In Advanced Settings in the Collector Agent, the 'Event IDs to poll' value must be 1 or 2.
    b. The working mode is 'Check Windows Security Event Logs' or 'Check Windows Security Event Logs using WMI'.
    c. The DC Agent sends logons to any Collector Agent.

Note:

An RDP override can be done via the Collector Agent if WinSec or WinSec-with-WMI polling is used, or via the DC Agent (which needs extra setup; see the DC Agent configuration below).
While it is possible to use DC Agent mode, note that users will be limited to connecting over RDP via IP address!

The reason is that when the user connects over RDP via FQDN, the 'Disable RDP Override' option will not work as expected, because the DC Agent is triggered with a logon event indicating Kerberos authentication.

When this happens, the DC Agent cannot tell whether it is a normal user logon or an RDP logon, so the event cannot be dropped.

This overwrites the original user logon.

When the user connects over RDP via IP address, the DC Agent is instead triggered with a logon event indicating NTLM authentication, and if 'Disable RDP Override' is checked, the DC Agent discards this event.

 

Important:

In an Active Directory environment where NTLM is completely disabled, 'Disable RDP Override' will not work under any circumstances.

 

DC Agent RDP override configuration:

Note that this option is available only via the Windows registry; it is not exposed in the DC Agent Configuration Utility (as of build 5.0.312, February 2024).

Under HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent, create a registry value called disable_rdp_override and set its value to 1.
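The registry change above, as an added PowerShell example that is not Fortinet's own script: it refuses to create an orphan key when the DC Agent key is absent, records the previous value for rollback, writes the value and reads it back. The article does not state the value type, so REG_DWORD is an assumption here.

```powershell
# Added example (not from the article or from Fortinet): apply the DC Agent
# RDP override described above. Run in an elevated session on the DC.
# Assumption: disable_rdp_override is written as a REG_DWORD; the article
# only says "set its value to 1" and does not give the type.
$KeyPath   = 'HKLM:\SOFTWARE\Fortinet\FSAE\DCAgent'
$ValueName = 'disable_rdp_override'

# The DC Agent installer creates this key. If it is missing, the agent is
# probably not installed on this host, so do not create an orphan key.
if (-not (Test-Path -Path $KeyPath)) {
    throw "Key $KeyPath not found - is the FSSO DC Agent installed on this DC?"
}

# Record the current state so the change can be reverted while troubleshooting.
$Before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $Before) {
    Write-Host "Current ${ValueName}: <not set>"
} else {
    Write-Host "Current ${ValueName}: $Before"
}

# Create the value, or overwrite it if it already exists (-Force).
New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null

# Read it back and fail loudly if the write did not take effect.
$After = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($After -ne 1) {
    throw "$ValueName is '$After' after the write; expected 1."
}
Write-Host "$ValueName set to 1 under $KeyPath."
```

Remember that, per the note above, the override only takes effect for RDP connections made by IP address (NTLM), and not at all where NTLM is fully disabled.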