FortiGate
mricardez (Staff)
Article Id 263503
Description: This article describes how to install the FSAE (also known as the 'Collector Agent') on a PC that belongs to the Windows domain instead of installing it on the AD itself.
Scope: FSAE v5.0.0289 and earlier.
Solution

There are some restrictions concerning the installation of third-party software on the Windows Active Directory server.

 

The FSAE (or CA) can instead be installed on a PC that belongs to the Windows domain and is dedicated to this task.

 

Additionally, FSSO can run in Polling Mode, where only the FSAE is installed: no reboot is required and no software is installed on the AD.

 

Consider the following topology and elements on the Windows domain (markoz.local):

 

  1. AD1 and PC1 are the elements that already exist on the network.
  2. FSSOCA is the new element (a PC or a Windows VM) that belongs to the domain.

 

Device          Hostname  IP              VLAN
WinServer 2012  AD1       192.168.64.100  364
Win10           PC1       192.168.65.180  365
Win10           FSSOCA    192.168.63.120  363

 

Captura de pantalla de 2023-07-11 15-51-19.png

 

  • Create a user account (fgt_polling) on the AD that is a member of the 'Domain Admins' or 'Event Log Readers' group.
    • Usually, the 'Event Log Readers' privilege is enough to monitor the logon events in Polling Mode (option 'Check Windows Security Event Logs').
    • During FSAE installation and configuration, changing settings in the application requires elevating the privileges to the 'Domain Admins' group.
    • After the FSAE has been installed and configured, the permissions can be reduced to 'Event Log Readers' only.

 

Captura de pantalla de 2023-07-11 16-13-54.png

 

For details on the AD user account privileges required by FSSO, refer to:

Technical-Tip-Restricting-a-Fortinet-Single-Sign-On-Agent 

 

  • Log in to PC FSSOCA with the user fgt_polling and install 'FSSO_Setup_5.0.0XXX.exe'.

Remember to use the user account under whose privileges the application will run as a Windows service.

 

Captura de pantalla de 2023-07-11 16-44-24.png

 

  • In this lab, the FSAE collects the logs in 'Polling Mode'. Therefore, 'Launch DC Agent Install Wizard' is left unselected.

 

Captura de pantalla de 2023-07-11 16-48-55.png

 

  • Launch the FSAE application 'Configure Fortinet Single Sign On Agent'.
  • The option 'Run as administrator' appears because the user belongs to 'Domain Admins', which allows changes to the FSAE configuration.
  • A user with only 'Event Log Readers' membership cannot change the FSAE configuration. In that case, it is necessary to elevate privileges when the application is launched.

 

Imagen1.png 

  • Select the AD server to poll and collect the user logins.

 

Imagen5.png

 

Imagen4.png

 

Initially, no logons will have been received by the FSAE.

 

Imagen6.png 

  • Select 'Refresh Now' to poll the AD again.
    • Each time the FSAE polls the AD for logons, the '#Logons Events' counter increases.
    • Without new logons on the AD, the poll will only register as a 'KEEPALIVE'.

 

Imagen7.png

 

  • Select 'Show Logon Users' to display the logons collected by the FSAE.

 

Captura de pantalla de 2023-07-12 10-53-29.png

 

Troubleshooting

 

In polling mode, the CA polls port 445 (SMB) of each DC for user logon information every few seconds and forwards it to the FortiGate.

 

On the AD, it is possible to verify that the FSAE is connected to the 'Shared Folders' service (SMB) and keeps the 'eventlog' file open.

 

Captura de pantalla de 2023-07-12 11-44-21.png

 

Captura de pantalla de 2023-07-12 11-44-45.png
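The same checks in script form, as an added PowerShell example that is not part of the original article. It is meant to be run on the DC (AD1), assumes the RSAT ActiveDirectory module is installed there, and uses the lab's collector address and account name from the topology above.

```powershell
# Added example, not from the original article. Run on the DC (AD1).
# Lab values from the article; adjust for your own domain.
Import-Module ActiveDirectory
Import-Module SmbShare

$CollectorIp = '192.168.63.120'   # FSSOCA, from the article's topology table
$PollingUser = 'fgt_polling'      # polling account created on the AD

# 1. Is the polling account a member of Event Log Readers or Domain Admins?
$groups = Get-ADPrincipalGroupMembership -Identity $PollingUser |
          Select-Object -ExpandProperty Name
"Groups for ${PollingUser}: $($groups -join ', ')"
if (($groups -notcontains 'Event Log Readers') -and ($groups -notcontains 'Domain Admins')) {
    Write-Warning "$PollingUser cannot read the Security log; polling will return no logons."
}

# 2. Does the collector hold an SMB session on this DC with 'eventlog' open?
$sessions = Get-SmbSession | Where-Object { $_.ClientComputerName -eq $CollectorIp }
if (-not $sessions) {
    Write-Warning "No SMB session from $CollectorIp; check TCP/445 reachability and the service account."
} else {
    Get-SmbOpenFile |
        Where-Object { ($_.SessionId -in $sessions.SessionId) -and ($_.Path -like '*eventlog*') } |
        Format-Table ClientUserName, ClientComputerName, Path -AutoSize
}

# 3. Is 'Audit account logon events' (Success and Failure) effective on this DC?
# The legacy policy maps to the 'Account Logon' audit category.
auditpol /get /category:"Account Logon"
```

If step 2 shows a session but no open 'eventlog' entry, the agent may have been started under a different account than the one granted Event Log Readers.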

 

If logons are not received, try enabling 'Audit Account Logon Events' on the AD.

 

  • Open the 'Group Policy Management' console by running the command 'gpmc.msc' or from the GUI.

 

Imagen8.png

 

  • Expand the node Domain Controllers, right-click the GPO 'Default Domain Controllers Policy', and select 'Edit'.

 

Imagen11.png

 

  • Expand Computer Configuration, and go to the node Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy).

Imagen12.png

 

  • Double-click the policy setting 'Audit account logon events', check both Success and Failure, and select 'OK'.

 

Imagen13.png

 

  • Now, update the GPO by running the command 'gpupdate /force'.

 

Captura de pantalla de 2023-07-12 12-34-46.png
