akanibek
Staff
Article Id 363729

 

Description

This article describes how to troubleshoot missing logon events on an FSSO Collector Agent (FSSO CA) from a TS-Agent, or communication problems between them.

Scope

FSSO Collector Agent, FSSO TS-Agent.

Solution

All outputs collected below can be attached to a TAC ticket for further analysis. The same steps can also be used to troubleshoot between FortiAuthenticator acting as the FSSO CA and the TS-Agent:

 

  1. Verify communication between the FSSO CA and the TS-Agent. Capture traffic on the port used between them; the default port is UDP 8002. The secured connection uses TLS over TCP.
  2. Verify that no firewall policy is blocking the traffic between the agents.
  3. If the traffic is allowed by firewall policies, verify by disabling the OS firewall on the server where the TS-Agent is installed.
  4. Verify that no antivirus installed on the host is denying communication between the agents. Try disabling it, and test communication.
  5. Perform the same steps on the FSSO CA side: disable the OS firewall and antivirus to verify communication.
  6. Execute these commands in a console on the host where the TS-Agent is installed (run the console as an administrator: right-click and select 'Run as administrator'):

 

netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp

sc query fssota
msinfo32.exe    <----- Save outputs as a file.

 

  7. Reinstall the TS-Agent using an administrator account.
  8. Log on to the server where the TS-Agent is installed with a test user, then:
  • Execute the command below in the logged-on user's CMD console, and check with the domain administrators about enforced GPOs (if there are any):

 

gpresult /r

 

  • Execute the same command using an administrator account (keep the test user's logon session open and run the console as administrator):

 

gpresult /r

 

  9. Another option is to install a new Windows Server, set up the TS-Agent, and check communication.
  10. If the issue is not resolved, save all of these outputs to a file and upload it to the TAC ticket.
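
The collection commands from the steps above, gathered into one PowerShell script so that each output lands in its own file, ready for the TAC ticket. This is an added example, not Fortinet tooling or part of the original article; the output folder, the file names and the helper `Save-CommandOutput` are assumptions, and `msinfo32.exe /report` is used to save the system information as text.

```powershell
# Added example, not Fortinet tooling. $OutDir and the file names are assumptions.
# Run once in the test user's console and once from an elevated console.
param([string]$OutDir = "$env:PUBLIC\fsso-ts-diag")

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$tag = if ($isAdmin) { 'admin' } else { 'user' }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save-CommandOutput {
    param([string]$Name, [string]$Exe, [string[]]$Arguments)
    $file = Join-Path $OutDir "$Name.txt"
    # Header records what was run, when, and under which account.
    "### $Exe $($Arguments -join ' ') | $(Get-Date -Format o) | $($identity.Name)" |
        Set-Content -Path $file
    try {
        & $Exe @Arguments 2>&1 | Out-String | Add-Content -Path $file
        "### exit code: $LASTEXITCODE" | Add-Content -Path $file
    } catch {
        "### could not run: $($_.Exception.Message)" | Add-Content -Path $file
    }
}

# gpresult is collected in both contexts so the two results can be compared.
Save-CommandOutput -Name "gpresult-$tag" -Exe 'gpresult.exe' -Arguments '/r'

if ($isAdmin) {
    Save-CommandOutput -Name 'dynamicport-tcp' -Exe 'netsh.exe' `
        -Arguments 'int','ipv4','show','dynamicport','tcp'
    Save-CommandOutput -Name 'dynamicport-udp' -Exe 'netsh.exe' `
        -Arguments 'int','ipv4','show','dynamicport','udp'
    # sc.exe, not sc: in Windows PowerShell "sc" is an alias for Set-Content.
    Save-CommandOutput -Name 'service-fssota' -Exe 'sc.exe' -Arguments 'query','fssota'
    # msinfo32 writes its own text report when given /report.
    Start-Process -FilePath 'msinfo32.exe' -Wait `
        -ArgumentList '/report', (Join-Path $OutDir 'msinfo32.txt')
    # Bundle everything collected so far (user and admin runs) for the ticket.
    Compress-Archive -Path (Join-Path $OutDir '*.txt') `
        -DestinationPath (Join-Path $OutDir 'fsso-ts-diag.zip') -Force
} else {
    Write-Warning "Not elevated: only gpresult was collected. Re-run as administrator."
}
```

Running it first as the test user and then elevated leaves `gpresult-user.txt` and `gpresult-admin.txt` side by side in the same folder, which makes differences in applied GPOs easy to spot before uploading the archive.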

 

Related articles:

FSSO - Fortinet Single Sign-On

Troubleshooting Tip: FSSO TS Agent basic

Technical Tip: List of TCP and UDP ports used by the FSSO Collector Agent