| Description |
This article illustrates the issue where the connection status to AD is successful, but the AD connector status is down.
The connector settings are configured as below:
It is possible to run debug to check for the error message:
diagnose debug application fssod -1
diag deb en
The error message 'wrong format of data status, len 8 <> 4' appears.
However, it is possible to see that the authentication is successful:
|
| Scope | FortiGate, FSSO Polling mode. |
| Solution |
The username in FSSO Connector Settings should not include the domain. The Connector Settings with the domain portion removed from the username:
Turn on the debug to verify that the connection is proceeding as expected:
Based on the above debug log, it is possible to see that the LOGON info is correctly transmitted. The FortiGate GUI also shows that the connector connectivity is up and successful:
If the error message 'wrong format of data status, len 8 <> 4' still appears:
Run a pcap either from the GUI or from the CLI:
diagnose sniffer packet any "host <DC IP> and port 445" 6 0 a
Check the PCAP for errors similar to those shown below:
There is a built-in AD group, 'Event Log Readers'. Make sure the user (tadmin here) is a member of this group so that it has read and polling access on the DC.
If the issue persists, verify that the SAMBA service is running on the DC, as it is required for polling mode. If not, follow this document from Microsoft for verification: Detect, enable, and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn |
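The two DC-side checks above (membership of the polling account in 'Event Log Readers' and the state of the SMB server) can be verified together on the domain controller. This PowerShell is an added example, not part of the original article or Fortinet tooling; it assumes the ActiveDirectory module is installed, and the function name Test-FssoPollingPrereq is hypothetical.

```powershell
# Added example: run on the domain controller in an elevated PowerShell session.
# Assumes the ActiveDirectory (RSAT) module is available. The function name is
# hypothetical; 'tadmin' is the polling account used in the article.
Import-Module ActiveDirectory

function Test-FssoPollingPrereq {
    param(
        [Parameter(Mandatory)][string]$PollingUser
    )

    # 1. Is the polling account a direct or nested member of 'Event Log Readers'?
    $members = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive
    $inGroup = [bool]($members | Where-Object { $_.SamAccountName -eq $PollingUser })

    # 2. Is the SMB server service (LanmanServer) running?
    $svc = Get-Service -Name 'LanmanServer'

    # 3. Which SMB protocol families does the server accept?
    $smb = Get-SmbServerConfiguration

    # 4. Is the DC listening on TCP 445, the port used in the sniffer filter?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        PollingUser       = $PollingUser
        InEventLogReaders = $inGroup
        SmbServiceStatus  = $svc.Status
        SMB1Enabled       = $smb.EnableSMB1Protocol
        SMB2Enabled       = $smb.EnableSMB2Protocol   # this setting also governs SMBv3
        ListeningOnTcp445 = $listening
    }
}

$result = Test-FssoPollingPrereq -PollingUser 'tadmin'
$result | Format-List

if (-not $result.InEventLogReaders) {
    Write-Warning "Account is not a member of 'Event Log Readers'."
}
if ($result.SmbServiceStatus -ne 'Running' -or -not $result.ListeningOnTcp445) {
    Write-Warning "SMB server is not running or not listening on TCP 445."
}
```

The -Recursive switch matters when the polling account is granted access through a nested group rather than direct membership.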