FortiGate
jdelafuente_FTNT
Staff & Editor
Article Id 396344
Description

This article describes how to configure FSSO authentication for two domains (trust relationship) in DC agent mode.

Scope

FortiGate, FSSO.

Solution

Data for this example:

There is a full two-way trust relationship between the two domains.

Domain1: FORTILABMX.NET

DC1: winad1.fortilabmx.net, IP 10.20.30.1, with FSSO-CA and DC_Agent installed. This server establishes the FSSO connector with the FortiGate.

DC1_Administrator: fsso

User1 Test: JohnWick

Domain2: FORTIDOMAIN.NET

DC2: admx.fortidomain.net, IP 10.20.30.166, with DC_Agent installed.

PC2: pcfortidom2, IP 192.168.201.11

User2 Test: JohnConnor

DC2 Configurations.

DC_Agent is installed with the graphical interface (see Technical Tip: How to Install DC Agent Graphical Interface (dc_agent GUI)).

Grant DC1_Administrator full permissions on the DC_Agent installation directory, most commonly C:\Program Files\Fortinet\.

05_permissions.png

06_permissions.png

07_permissions.png

Grant DC1_Administrator full permissions on the DC_Agent Windows registry key, commonly under HKEY_LOCAL_MACHINE -> SOFTWARE -> Fortinet.

08_permissions.png

Open DCAgent Config as Administrator, then add the DC1 IP address and enable login.

04_RunAsAdmin.png

09_dcagent.png

DC1 Configurations.

After installing the Fortinet Single Sign On Collector Agent (FSSO-CA) (see Technical Tip: How to install the FSSO Collector Agent), open Domains to monitor and select both the local and the trusted domains to monitor.

01_SelectDomainToMonitor_A.png

Then, in Advanced Settings -> General -> Workstation name resolution advanced options:

  • Alternative DNS server(s): list all Domain2 DNS servers, separated by commas.
  • Alternative workstation suffix(es): list the Domain2 suffix.

03_AlternativeSufixes.png

Finally, select Show Monitored DC, then Select DC to Monitor; under Working Mode choose DC Agent Mode, select all DC servers of both domains and select OK. A prompt will appear for remote dc_agent installation: accept it.

02_DC_agent_WorkingMode.png

Results:

User JohnConnor logged in to pcfortidom2; the user and workstation belong to the same domain.

10_JohnConnor.png

diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.201.11 User: JOHNCONNOR Groups: FORTIDOMAIN/DOMAIN USERS+FORTIDOMAIN/FSSO2+FORTIDOMAIN/USERS Workstation: PCFORTIDOM2.FORTIDOMAIN.NET MemberOf: FORTIDOMAIN/DOMAIN USERS FORTIDOMAIN/FSSO2 FORTIDOMAIN/USERS
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----

User JohnWick logged in to pcfortidom2. The user and workstation belong to different domains.

10_JohnWick.png

diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.201.11 User: JOHNWICK Groups: FORTILABMX/INTERNET_VIP+FORTILABMX/GROUP1+FORTILABMX/DOMAIN USERS+FORTILABMX/USERS Workstation: PCFORTIDOM2.FORTIDOMAIN.NET MemberOf: grupo1 FORTILABMX/INTERNET_VIP FORTILABMX/GROUP1 FORTILABMX/DOMAIN USERS FORTILABMX/USERS
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
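To verify the trust configuration without reading the output by eye, the following added Python script (not part of this article or of FortiOS) parses the two `diagnose debug authd fsso list` captures above and reports logons whose user comes from a different domain than the workstation. It assumes the workstation's NetBIOS domain equals the first DNS label after the host name and that the user's home domain is the prefix of its DOMAIN USERS group.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two `diagnose debug authd fsso list` captures from the
# results section (one same-domain logon, one trusted-domain logon).
SAMPLE_SAME_DOMAIN = """\
----FSSO logons----
IP: 192.168.201.11 User: JOHNCONNOR Groups: FORTIDOMAIN/DOMAIN USERS+FORTIDOMAIN/FSSO2+FORTIDOMAIN/USERS Workstation: PCFORTIDOM2.FORTIDOMAIN.NET MemberOf: FORTIDOMAIN/DOMAIN USERS FORTIDOMAIN/FSSO2 FORTIDOMAIN/USERS
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
"""
SAMPLE_CROSS_DOMAIN = """\
----FSSO logons----
IP: 192.168.201.11 User: JOHNWICK Groups: FORTILABMX/INTERNET_VIP+FORTILABMX/GROUP1+FORTILABMX/DOMAIN USERS+FORTILABMX/USERS Workstation: PCFORTIDOM2.FORTIDOMAIN.NET MemberOf: grupo1 FORTILABMX/INTERNET_VIP FORTILABMX/GROUP1 FORTILABMX/DOMAIN USERS FORTILABMX/USERS
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
"""
# One logon per line; Groups is '+'-separated and its names may contain spaces.
LOGON_RE = re.compile(r"^IP: (?P<ip>\S+) User: (?P<user>\S+) Groups: (?P<groups>.*?) "
                      r"Workstation: (?P<ws>\S+) MemberOf: (?P<memberof>.*)$")

@dataclass
class FssoLogon:
    ip: str
    user: str
    groups: list
    workstation: str
    user_domain: str         # NetBIOS domain from the user's DOMAIN USERS group prefix
    workstation_domain: str  # assumption: the DNS label right after the host name

def parse_fsso_list(output: str) -> list:
    """Parse `diagnose debug authd fsso list` output into FssoLogon records."""
    logons = []
    for line in output.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue  # header, trailer and count lines carry no logon
        groups = [g for g in m.group("groups").split("+") if g]
        # A user's primary group is always its own domain's DOMAIN USERS group,
        # so that prefix identifies the home domain even when foreign groups appear.
        user_domain = next((g.split("/", 1)[0] for g in groups
                            if g.upper().endswith("/DOMAIN USERS")), "")
        labels = m.group("ws").upper().split(".")
        logons.append(FssoLogon(m.group("ip"), m.group("user"), groups, m.group("ws"),
                                user_domain, labels[1] if len(labels) > 1 else ""))
    return logons

def cross_domain_logons(output: str) -> list:
    """Names of users whose logon was seen on a workstation of another (trusted) domain."""
    return [l.user for l in parse_fsso_list(output) if l.user_domain != l.workstation_domain]
```

An empty result from cross_domain_logons on a capture taken while a trusted-domain user is logged in means the collector agent is not receiving that domain's logon events, which points back to the permissions or domain-monitoring steps above.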