Created on 12-25-2022 10:20 PM Edited on 04-23-2024 12:40 PM
This article describes advanced troubleshooting and collects information to deliver to Fortinet TAC for a support ticket.
FortiGate, FSSO.
Solution
Flow Chart
1. Preparations.
2. Getting information from one issued PC.
3. Validations on Windows AD Server.
4. Validations on FSSO Collector Agent.
5. Communication ports needed.
6. Logon Event ID poller.
7. DNS issues.
8. FortiGate authentication debug.
Flow Chart
Use this flow chart as a troubleshooting guide. A high-resolution HTML version is attached at the end of this article; it can be opened in a new browser tab for a better experience.
Some boxes in the chart carry a number, e.g. (1), that refers to the section of this article with that number, or a letter, e.g. (A), that refers to another Fortinet Community link.
1. Preparations.
It is required to identify which Fortinet Single Sign-On Collector Agent (FSSO-CA) server is active (in case more than one is configured). There are two ways to identify it:
img-01
img-02
On the FSSO-CA, set the log level to Debug, increase the log file size to 50 MB and enable logging of logon events in separate logs.
img-03
If FSSO-CA is configured to work in DC Agent mode (see img-06), be sure the log is enabled:
Important Note 1.
FSSO-CA can work in DC Agent mode or polling mode. To learn the differences, read this article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Comparison-between-DC-Agent-mode-and-polli...
Keep in mind that when changing from polling mode to DC Agent mode, FSSO-CA installs DC_Agent.dll on each selected AD server, and the server will be rebooted.
When 'OK' is selected, the FSSO service will be restarted and the FSSO server may change in FortiGate External Connector.
2. Getting information from one issued PC.
On an issued PC (joined to the Windows domain and not identified by FSSO), open a cmd terminal and run the following commands:
echo %logonserver% | Returns the AD <Server Name> against which the PC has been authenticated.
nslookup <ServerName> | Replace <ServerName> with the value from the previous command to get its IP resolution.
hostname | Returns the PC's hostname.
echo %username% | Returns the user account.
ipconfig /all | Returns IP and DNS information.
whoami /groups | Returns the user's group memberships.
img-04
3. Validations on Windows AD Server.
The steps to follow are:
img-05
Important note 2.
If the AD server does not register the new logon events, the issue must be reviewed at the domain level, since it is a problem between the PC and the domain server rather than FSSO.
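The Event Viewer step above is shown only as a screenshot. The following PowerShell script is an added example, not part of the original article or of any Fortinet tool: run it on the Domain Controller that the issued PC authenticated against (the value of `echo %logonserver%`), with an account allowed to read the Security log. It lists the recent successful logon events (Windows Security event ID 4624) for the affected account and shows the workstation name and source IP recorded in each event, which are the values the Collector Agent later works with. `$User`, `$Hours` and `$ComputerName` are assumed inputs.

```powershell
# Added example, not from the original article. Lists recent Security 4624 events
# ("An account was successfully logged on") for one user on a Domain Controller.
# $User and $Hours are assumed inputs; the DC defaults to the local machine.
param(
    [Parameter(Mandatory = $true)][string]$User,    # sAMAccountName of the affected user
    [int]$Hours = 2,                                # how far back to search
    [string]$ComputerName = $env:COMPUTERNAME       # DC to query
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The interesting fields live in the event XML, keyed by their Data Name attribute.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['TargetUserName']
            Domain      = $d['TargetDomainName']
            LogonType   = $d['LogonType']      # 2 = interactive, 3 = network, 10 = RDP
            Workstation = $d['WorkstationName']
            SourceIP    = $d['IpAddress']
        }
    } |
    Where-Object { $_.User -ieq $User } |
    Sort-Object Time -Descending

if (-not $events) {
    # Matches Important note 2: no new logon event on the DC means the problem is
    # between the PC and the domain, not in FSSO.
    Write-Warning "No 4624 events for '$User' on $ComputerName in the last $Hours hour(s)."
} else {
    $events | Format-Table -AutoSize
}
```

Compare the Workstation and SourceIP columns with the hostname and IP collected from the issued PC in point 2; if they already differ here, the Collector Agent is only reporting what the domain recorded.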
4. Validations on FSSO Collector Agent.
If the new logon event is registered correctly, open the FSSO-CA on the active server (identified in point 1), document the following configurations (click each button indicated in red), take screenshots and share them with the TAC.
img-06
img-07
Identify the user account used to run the Fortinet Single Sign On process service. Take screenshots and share them with the TAC.
img-08
Validate the permissions of that user account; it must belong to the Administrators and/or Domain Admins groups:
img-09
On the main screen of the FSSO-CA, extract the event logs by selecting the 'View Logon Events' button. This opens a text file; save a copy on the desktop and share it with the TAC.
img-10
On the main screen of the FSSO-CA, select the 'Show login user' button and perform the following searches:
- Hostname.
- IP.
img-11
Now it is possible to share all collected information with the Fortinet TAC. Here is the checklist:
- Point 2. Output of the commands from the issued PC.
- Point 3. Logon event configuration, with the date and time of the affected user's logon in Event Viewer -> Security.
- Point 4. All the configurations of the FSSO-CA.
- Point 4. The user account under which the FSSO service runs.
- Point 4. Logon events (log file saved on the desktop).
- Point 4. Groups to which the FSSO service account belongs.
An advanced FortiGate administrator can continue troubleshooting based on the information obtained in point 2. Perform the 'Show login user' searches and confirm which of the following scenarios applies:
- If searching by username returns NO results, continue at point 6.
- If searching by username returns an incorrect hostname or IP, continue at point 7.
- If searching by hostname returns an incorrect IP, continue at point 7.
- If searching by hostname returns an incorrect username, continue at point 7.
- If searching by username returns the correct IP and hostname, continue at point 8.
5. Communication ports needed.
Inbound.
UDP/8002 – DC_Agent keepalive and push logon info to Collector Agent.
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL).
TCP/8000 – FortiGate to FSSO Collector Agent connection.
TCP/8000 – NTLM.
Outbound.
TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method).
TCP/445 – Remote access to logon events, Workstation check (remote registry).
TCP/389 – Group lookup using LDAP.
TCP/636 – Group lookup using LDAPS.
TCP/3268 – Group lookup using LDAP with global catalog.
TCP/3269 – Group lookup using LDAPS with global catalog.
UDP/53 – DNS for resolving hostnames of the logon events.
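The port list above can be checked from the Collector Agent host itself. The following PowerShell script is an added example, not part of the original article or of any Fortinet tool: it verifies that the FSSO-CA service is listening on the inbound ports listed above and that the outbound TCP ports towards a Domain Controller are reachable. `$DomainController` is a placeholder; replace it with the server returned by `echo %logonserver%`. UDP/137 and UDP/53 cannot be probed with `Test-NetConnection`, so the script finishes with a DNS lookup instead, which is also what the Collector Agent does with the hostnames in logon events.

```powershell
# Added example, not from the original article. Run on the FSSO Collector Agent host
# (Windows 8 / Server 2012 or later for the NetTCPIP cmdlets).
$DomainController = 'dc01.example.local'   # placeholder, not from the article

# Inbound: the Collector Agent service should be listening on these ports.
$listenTcp = @(8000, 8001)   # FortiGate -> FSSO-CA (plain and SSL), NTLM
$listenUdp = @(8002)         # DC_Agent keepalive and logon push

foreach ($p in $listenTcp) {
    $l = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
    "TCP/$p listening: $([bool]$l)"
}
foreach ($p in $listenUdp) {
    $l = Get-NetUDPEndpoint -LocalPort $p -ErrorAction SilentlyContinue
    "UDP/$p bound:     $([bool]$l)"
}

# Outbound TCP: services on the DC that the Collector Agent needs.
$outTcp = [ordered]@{
    135  = 'RPC endpoint mapper (workstation check, polling mode)'
    139  = 'NetBIOS session (workstation check, polling mode)'
    445  = 'SMB: remote logon events / remote registry'
    389  = 'LDAP group lookup'
    636  = 'LDAPS group lookup'
    3268 = 'LDAP global catalog'
    3269 = 'LDAPS global catalog'
}
foreach ($p in $outTcp.Keys) {
    $r = Test-NetConnection -ComputerName $DomainController -Port $p -WarningAction SilentlyContinue
    "{0,-9} reachable: {1,-5} {2}" -f "TCP/$p", $r.TcpTestSucceeded, $outTcp[$p]
}

# UDP/53: confirm the Collector Agent host can actually resolve names through its DNS.
$dns = Resolve-DnsName -Name $DomainController -Type A -ErrorAction SilentlyContinue
"DNS A lookup of $DomainController : $(if ($dns) { $dns.IPAddress -join ', ' } else { 'FAILED' })"
```

A listener missing on TCP/8000 or TCP/8001 points at the Collector Agent service or its configured ports rather than the network; an unreachable TCP/445 or TCP/389 explains missing logon events or group lookups in polling mode.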
6. Logon Event ID poller.
Select Advanced Settings -> Windows Security Event Logon -> Event IDs to poll.
When 'OK' is selected, the service will be restarted and the FSSO server may change in the FortiGate External Connector.
img-12
Related article:
Technical Tip: Windows event IDs used by FSSO in WinSec polling
7. DNS issues.
The DNS used by the server where the FSSO-CA is installed must be kept up to date with the hostnames of all computers; this synchronization must be resolved by the Windows Domain Administrator.
It is also required that each computer dynamically updates its DNS record every time its IP changes, whether because of a network change or a change between wireless and cable.
Below is an external link that may help resolve this: 'Windows DHCP Clients and DNS Dynamic Update Protocol'.
Configure DNS dynamic updates Windows server 2003
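The following PowerShell script is an added example, not part of the original article or of any Fortinet tool, and it serves both point 2 and point 7: run on the issued PC, it collects the same items as the cmd commands in point 2 (logon server and its IP, hostname, user, IPv4 addresses, groups), and additionally checks what point 7 requires, namely that DNS returns this PC's current IPv4 address for its hostname (forward lookup) and maps that address back to the hostname (reverse lookup). A stale record here is the usual reason a 'Show login user' search returns the wrong IP or hostname. `$OutFile` is an assumed location for the report.

```powershell
# Added example, not from the original article. Run on the issued PC as the affected user.
$OutFile = "$env:USERPROFILE\Desktop\fsso-pc-info.txt"   # assumed report location

$logonServer = $env:LOGONSERVER.TrimStart('\')           # same value as 'echo %logonserver%'
$fqdn        = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"    # domain-joined hosts set USERDNSDOMAIN

# Current IPv4 addresses (DHCP or static, excluding loopback/APIPA), like 'ipconfig /all'.
$ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp, Manual |
          Where-Object { $_.AddressState -eq 'Preferred' } |
          Select-Object -ExpandProperty IPAddress)

$report = [ordered]@{
    'Logon server'    = $logonServer
    'Logon server IP' = (Resolve-DnsName $logonServer -Type A -ErrorAction SilentlyContinue).IPAddress -join ', '
    'Hostname'        = $env:COMPUTERNAME
    'FQDN'            = $fqdn
    'User'            = "$env:USERDOMAIN\$env:USERNAME"
    'Local IPv4'      = $ipv4 -join ', '
    'Groups'          = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name' -join '; '
}

# Forward check: does DNS return one of this PC's current addresses for its name?
$fwd = @((Resolve-DnsName $fqdn -Type A -ErrorAction SilentlyContinue).IPAddress)
$report['DNS A record(s)'] = $fwd -join ', '
$report['Forward OK']      = [bool]($fwd | Where-Object { $ipv4 -contains $_ })

# Reverse check: does each current address map back to this PC's hostname?
$reverse = foreach ($ip in $ipv4) {
    $ptr = (Resolve-DnsName $ip -Type PTR -ErrorAction SilentlyContinue).NameHost
    $ok  = $ptr -and ($ptr -like "$env:COMPUTERNAME.*")
    "$ip -> $($ptr -join ',') $(if ($ok) { '(ok)' } else { '(MISMATCH)' })"
}
$report['Reverse check'] = $reverse -join '; '

# Print and save the report for the TAC ticket.
$report.GetEnumerator() |
    ForEach-Object { "{0,-17}: {1}" -f $_.Key, $_.Value } |
    Tee-Object -FilePath $OutFile
```

'Forward OK' false or a '(MISMATCH)' in the reverse check means the Collector Agent will resolve the logon event's hostname to an address the PC no longer has, which matches the scenarios that point to point 7 above.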
8. FortiGate authentication debug.
Open an SSH session to the FortiGate, save all the output, and run these diagnose commands:
diagnose debug disable
diagnose debug reset
diagnose debug application authd 8256
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug authd fsso server-status
Lock and unlock the issued PC, wait 2 minutes, then stop the debug with:
diagnose debug disable
diagnose debug reset
More useful FSSO commands:
diagnose debug authd fsso refresh-logons | Request the FSSO-CA to send the active users list to the FortiGate.
diagnose debug authd fsso clear-logons | Clear logon info on the FortiGate; logons will be refreshed in the next polling cycle.
diagnose debug authd fsso refresh-groups | Request the FSSO-CA to send the monitored groups list to the FortiGate.
get user adgrp | List monitored groups.
exec fsso refresh | Manually refresh information from the DC (refresh AD and FSSO groups).
Related articles:
Technical Tip: FSSO choose between DC Agent mode or Polling mode
Copyright 2024 Fortinet, Inc. All Rights Reserved.