Description: This article describes the underlying mechanisms behind how FSSO works, to help users understand how to troubleshoot issues. Troubleshooting steps are provided.
Scope: FortiGate, FSSO, FSSO CA, DC Agent, TSAgent.
Solution:
FSSO follows the basic sequence below:
General FSSO layouts:
FortiAuthenticator as an FSSO Collector or a standalone Collector Agent installed on a domain member host or Domain server itself.
For example:
C:\Users\Test>echo %logonserver%
\\LABTEST-DC
diag debug authd fsso list | grep X.X.X.X -B1 -A6 <- where X.X.X.X is the IP of the affected user.
diag firewall auth list | grep X.X.X.X -B1 -A6 <- where X.X.X.X is the IP of the affected user.
The first command shows the logon information the FortiGate has received from the FSSO Collector Agent. The second command shows the users and groups currently authenticated on the FortiGate, which is what the firewall policy actually matches against.
For example:
diagnose firewall auth list | grep -A7 192.168.222.1
192.168.222.1, Test1
        src_mac: de:ad:be:ef:ca:fe
        type: fw, id: 0, duration: 3298, idled: 2
        expire: 297, allow-idle: 300
        server: LDAP
        packets: in 459352 out 128544, bytes: in 647744424 out 11044928
        group_id: 6
        group_name: testldapgroup

192.168.222.1, Test2
        type: fsso_citrix, id: 3, duration: 1918, idled: 1918
        server: fssotest
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 5 33554433
        group_name: FSSOIT CN=USERS,DC=FORTI,DC=LAB
        port_range: (1224-1423)

192.168.222.1, Test3
        type: fsso_citrix, id: 4, duration: 107, idled: 107
        server: fssotest
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 5 33554433
        group_name: FSSOIT CN=USERS,DC=FORTI,DC=LAB
        port_range: (1424-1623)
Troubleshooting: All FSSO failures should be worked through the sequence above in reverse order. If FSSO was working previously and failed without any configuration change, restart the FSSO Collector Agent service via services.msc on the server where it is installed.
A firewall policy matches only when the authenticated user entry has both the source IP of the traffic and a group that is referenced in the policy; a correct IP with the wrong (or no) group will not match.
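To turn the manual comparison above into a repeatable check, the following Python is an added example (not Fortinet's own tooling) that parses the output of diagnose firewall auth list and reports, for a given client IP, whether an FSSO session exists and whether it carries the group the policy references. The sample output is constructed from the three entries shown above; the type string 'fsso' for non-Citrix logons and the exact indentation of the CLI output are assumptions.

```python
# Added example (not Fortinet tooling): parse 'diagnose firewall auth list'
# and check whether a client IP holds an FSSO session in the group a policy expects.
import re
from dataclasses import dataclass, field

# Constructed sample: one IP shared by three users, as in the article (one
# firewall-auth/LDAP session and two FSSO Citrix/TS sessions with port ranges).
SAMPLE_OUTPUT = """\
192.168.222.1, Test1
        src_mac: de:ad:be:ef:ca:fe
        type: fw, id: 0, duration: 3298, idled: 2
        expire: 297, allow-idle: 300
        server: LDAP
        packets: in 459352 out 128544, bytes: in 647744424 out 11044928
        group_id: 6
        group_name: testldapgroup

192.168.222.1, Test2
        type: fsso_citrix, id: 3, duration: 1918, idled: 1918
        server: fssotest
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 5 33554433
        group_name: FSSOIT CN=USERS,DC=FORTI,DC=LAB
        port_range: (1224-1423)

192.168.222.1, Test3
        type: fsso_citrix, id: 4, duration: 107, idled: 107
        server: fssotest
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 5 33554433
        group_name: FSSOIT CN=USERS,DC=FORTI,DC=LAB
        port_range: (1424-1623)
"""

# An entry starts with "<ip>, <user>"; the lines below it hold "key: value"
# pairs, several per line separated by ", ". Values may themselves contain
# commas (group DNs) or colons (MAC addresses), so only a ", <key>: "
# boundary ends a value.
HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)$")
KV_RE = re.compile(r"([\w-]+): (.*?)(?=, [\w-]+: |$)")

# Assumption: plain (non-Citrix) FSSO logons show "type: fsso"; the article
# only shows "fsso_citrix".
FSSO_TYPES = {"fsso", "fsso_citrix"}


@dataclass
class AuthEntry:
    ip: str
    user: str
    fields: dict = field(default_factory=dict)

    @property
    def auth_type(self) -> str:
        return self.fields.get("type", "")

    @property
    def group_names(self) -> str:
        # group_id / group_name are parallel, space-separated lists; a DN with
        # spaces in its CN cannot be split reliably, so keep the raw string.
        return self.fields.get("group_name", "")

    def in_group(self, name: str) -> bool:
        return name.lower() in self.group_names.lower()


def parse_auth_list(text: str) -> list:
    """Turn the CLI output into a list of AuthEntry, one per authenticated user."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = AuthEntry(ip=m.group(1), user=m.group(2))
            entries.append(current)
        elif current is not None:
            current.fields.update(KV_RE.findall(line))
    return entries


def check_fsso_session(entries: list, ip: str, expected_group: str) -> tuple:
    """Return (status, detail): no_session, no_fsso_session, group_mismatch or ok."""
    at_ip = [e for e in entries if e.ip == ip]
    if not at_ip:
        return "no_session", f"{ip}: no entry; compare with 'diagnose debug authd fsso list'"
    fsso = [e for e in at_ip if e.auth_type in FSSO_TYPES]
    if not fsso:
        kinds = ", ".join(sorted({e.auth_type for e in at_ip}))
        return "no_fsso_session", f"{ip}: only non-FSSO sessions present ({kinds})"
    hits = [e for e in fsso if e.in_group(expected_group)]
    if not hits:
        seen = sorted({e.group_names for e in fsso})
        return "group_mismatch", f"{ip}: FSSO groups {seen} do not include {expected_group!r}"
    users = ", ".join(e.user for e in hits)
    return "ok", f"{ip}: {users} in {expected_group!r}"
```

Run it against a saved copy of the full diagnose firewall auth list output rather than a grep slice, so that entries for the same IP (Citrix/terminal-server users sharing one address, distinguished by port_range) are all captured; a group_mismatch result for an IP that does appear in diagnose debug authd fsso list points at the group mapping on the Collector Agent or FortiGate, not at the logon detection itself.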
The standalone Collector Agent has a setting for the Windows event IDs to be polled, either as a comma-separated list or as a predefined set of events. See the Technical Tip 'Windows event IDs used by FSSO in WinSec polling' for more information.
In summary:
The 'user not polled' error indicates a problem at step 3, while DNS resolution is step 4. If that information arrives late, check:
The Collector Agent debug log contains statistics about the time spent on certain tasks. If DNS is slowing those tasks down, DNS failures will show up in the same log: search it for 'time spent' and review the statistics lines about DNS and workstation connections.
Copyright 2025 Fortinet, Inc. All Rights Reserved.