FortiGate
Jposada, Staff
Article Id 193075

Description

This article describes how Active Directory (AD) logon entries are overwritten by the FSSO Collector Agent (CA) when FortiGate authentication with LDAP and AD FSSO is configured on the Windows AD server.

With FortiGate FSSO, if a user cannot be authenticated by a Windows Active Directory Domain but can be authenticated by LDAP, a new logon event is sent to the FSSO Collector Agent (CA). 

The CA User Monitor will show the:

  • Authenticated LDAP user.
  • Same user as FSSO.
  • IP address of the LDAP server (e.g., 10.5.0.12).

Example:

CA Logon users list before the LDAP authentication event:

[Image: CA Logon users list before the LDAP authentication event]

CA Logon users list after the LDAP authentication event:

[Image: CA Logon users list after the LDAP authentication event]

FortiGate User Monitor list after the authentication:

[Image: FortiGate User Monitor list after the authentication]

 

Scope

FortiGate.


Solution


To keep the original logon entry in the FSSO CA from being overwritten, enable the 'Disable RDP Override' option in the FSSO CA.

This prevents the CA from capturing the logon event that Windows AD generates when LDAP authentication is used.

Note:
If no entry for the AD user exists in the FSSO CA, the AD user account is ignored by the CA and a new entry is shown instead: the LDAP user logged on at the AD DC server.

In the FSSO CA: Show Monitored DCs -> select the DC to monitor and enable 'Disable RDP Override'.

[Image: 'Disable RDP Override' option in the FSSO Collector Agent]


User RDP override feature in the Collector Agent GUI in polling mode: go to Show Monitored DCs, select 'DC to Monitor', and in the bottom left corner select 'Disable RDP override'. For this second option to work, prerequisites (a) and (b), or prerequisite (c), must be met (see the Technical Tip: Windows event IDs used by FSSO in WinSec polling mode):

  a. In the Collector Agent's Advanced settings, the 'Event IDs to poll' value must be 1 or 2.
  b. The working mode is 'Check Windows Security Event Logs' or 'Check Windows Security Event Logs using WMI'.
  c. The DC Agent sends logons to any Collector Agent.

[Image: FSSO Collector Agent polling mode settings]

Note:

An RDP override can be done via the Collector Agent if WinSec or WinSec with WMI polling is used, or via the DC Agent (this requires extra setup, described below).


While it is possible to use DC Agent mode, it should be noted that users will be limited to using RDP via IP address.

The reason for this is that when the user uses RDP via FQDN, the 'Disable RDP Override' option will not work as expected since the DC Agent will be triggered with a logon event that indicates it is Kerberos authentication.

When this happens, the DC Agent cannot tell whether it is a normal user logon or an RDP logon, so the event cannot be dropped.

This would overwrite the original user logon.


When the user uses RDP via IP address, the DC Agent will be triggered with a logon event that indicates it is an NTLM authentication instead, and if 'Disable RDP Override' is checked, the DC Agent will discard this event.

When a user RDPs into the DC server itself, the 'Disable RDP override' option will not work. The workaround is to remove event ID 4624 from polling mode or use an IP address instead of the FQDN of the DC server. This has been resolved in v5.0.322 and above.


Important:

In an Active Directory environment where NTLM is completely disabled, 'Disable RDP Override' will not work under any circumstances.


DC Agent RDP override configuration:

Note that this is a Windows registry setting only; the option is not available in the DC Agent Configuration Utility (as of version 5.0.312, February 2024).

Under HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent, create a registry value called disable_rdp_override and set its value to 1.
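The registry change above, with a read-back check and a summary of recent RDP logons on the DC by authentication package, as an added example that is not part of this article and not a Fortinet script. It assumes REG_DWORD for the value type (the article only says "set its value to 1") and relies on the standard Windows 4624 event fields; the summary is there to show the NTLM-versus-Kerberos distinction the article describes, since only NTLM RDP logons are discarded by the override.

```powershell
#Requires -RunAsAdministrator
# Added example (not Fortinet's code): set the DC Agent 'disable_rdp_override' value
# from the article, read it back, then summarise recent RDP logons (event 4624,
# logon type 10 = RemoteInteractive) by authentication package so an admin can see
# whether sessions arrive as NTLM (IP address, discarded) or Kerberos (FQDN, kept).
# Assumptions: REG_DWORD value type; 4624 field names and logon type 10 are standard.
$KeyPath   = 'HKLM:\SOFTWARE\Fortinet\FSAE\DCAgent'   # path from the article
$ValueName = 'disable_rdp_override'                  # value name from the article

function Enable-FssoDcAgentRdpOverride {
    if (-not (Test-Path $KeyPath)) {
        throw "Key '$KeyPath' not found; is the FSSO DC Agent installed?"
    }
    $cur = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $cur) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 | Out-Null
    } elseif ($cur.$ValueName -ne 1) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1
    }
    # Read back so a silently failed write is reported instead of assumed.
    $now = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($now -ne 1) { throw "Failed to set $ValueName (read back: $now)" }
    return $now
}

function Get-RdpLogonPackageSummary {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # 4624 carries its fields as named <Data> elements; index by name, not position.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Under 'Negotiate' the real package shows in LmPackageName when NTLM was used.
            $pkg = if ($d['AuthenticationPackageName'] -eq 'Negotiate' -and $d['LmPackageName'] -ne '-') {
                       $d['LmPackageName'] } else { $d['AuthenticationPackageName'] }
            [pscustomobject]@{ LogonType = [int]$d['LogonType']; Package = $pkg; Source = $d['IpAddress'] }
        } |
        Where-Object { $_.LogonType -eq 10 } |
        Group-Object Package |
        Select-Object @{ n = 'Package'; e = { $_.Name } }, Count
}

Enable-FssoDcAgentRdpOverride | Out-Null
$summary = Get-RdpLogonPackageSummary
$summary | Format-Table -AutoSize
if (-not ($summary | Where-Object { $_.Package -like 'NTLM*' })) {
    Write-Warning "No NTLM RDP logons seen: users connect by FQDN (Kerberos) or NTLM is disabled, so the override will not drop them."
}
```

Run it on the DC after installing the DC Agent; the warning at the end maps directly to the FQDN and NTLM-disabled limitations noted above.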