FortiGate
jdelafuente_FTNT
Article Id 240925
Description

This article describes advanced troubleshooting of Fortinet Single Sign-On (FSSO) user identification and the information to collect and deliver to Fortinet TAC when opening a support ticket.

Scope

FortiGate, FSSO.

Solution

1) Preparations.
2) Getting information from one affected PC.
3) Validations on the Windows AD server.
4) Validations on the FSSO Collector Agent.
5) Communication ports needed.
6) Logon Event ID poller.
7) DNS issues.
8) FortiGate authentication debug.

1) Preparations.

It is required to identify which Fortinet Single Sign-On Collector Agent (FSSO-CA) server is active (in case more than one is configured). There are two ways to identify it:

- In the FortiGate GUI, go to Security Fabric -> External Connectors -> FSSO. Hover the mouse over the connector without selecting it and wait a few seconds for a descriptive box to appear; the active server is the one highlighted in bold (img-01).

- In the FSSO-CA, select the 'Show Service Status' button. The collector that lists the FortiGate with the identified serial number is the active one. If more than one FSSO-CA server is configured, only one shows this information and the others are blank in this menu; this is expected behavior. It is possible to restart or stop the 'Fortinet Single Sign On' process (service) to force the FortiGate to switch to another FSSO server (img-02). Take note of the active server.

img-01 img-02

On the FSSO-CA, set the log level to Debug, increase the log file size to 50 MB and enable logging of logon events in separate logs (img-03).

img-03

If the FSSO-CA is configured to work in DC Agent mode (see img-06), be sure that logging is also enabled on the DC Agent:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-logging-on-DC-Agent-FSSO-DC-...

Important Note 1.

FSSO-CA can work in DC Agent mode or in polling mode. To learn the differences, read this article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Comparison-between-DC-Agent-mode-and-polli...

Keep in mind that, when changing from polling mode to DC Agent mode, the FSSO-CA installs DC_Agent.dll on each selected AD server and each of those servers is rebooted.

When 'OK' is selected, the FSSO service is restarted and the active FSSO server may change in the FortiGate External Connector.

2) Getting information from one affected PC.

On an affected PC (joined to the Windows domain and not identified by FSSO), open a cmd terminal and run the following commands:

echo %logonserver%       Provides the AD <ServerName> on which the PC has been authenticated.
nslookup <ServerName>    Replace <ServerName> with the value from the previous command to get its IP resolution.
hostname                 Provides the PC's hostname.
echo %username%          Provides the user account.
ipconfig /all            Provides IP and DNS information.
whoami /groups           Provides information about the user's groups.

3) Validations on the Windows AD server:

- Access the <ServerName> identified in point 2.

- Open Event Viewer -> Windows Logs -> Security.

- Make sure that the 'Event ID' and 'Task Category' columns are visible, as shown in img-04.

img-04

- Look for the last logon event registered for the user of the affected PC, then force a new logon event.

The steps to follow are:

A. Refresh the log.
B. Find... and enter the username.
C. Find Next...
D. Find the last logon record, and take note of its time and Event ID.

img-05

- Return to the affected PC, lock and unlock the computer (Windows Key+L). Once unlocked, make sure again that the PC reports that it is logged on to the same AD server (cmd: echo %logonserver%).
- Again on the AD server, repeat steps A-D to display the new logon event. Compare the time and the Event ID of this new record with the previous one, document both records and deliver them to the TAC.

Important note 2.
If the AD server does not register the new logon event, the issue must be reviewed at the domain level, since it is a problem between the PC and the domain controller rather than with FSSO.
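
The checks in points 2 and 3 can be run in one pass from the affected PC. The following script is an added example and is not part of the original article or of Fortinet's tooling: it gathers the same facts as the cmd commands in point 2, then reads the user's logon events from the logon server before and after a lock/unlock and writes both records to a file for the TAC. It assumes (not stated in the article) that it runs in an elevated PowerShell on the affected, domain-joined PC, that the account can read the domain controller's Security log remotely (for example as a member of Event Log Readers), and that the DC allows 'Remote Event Log Management' through its firewall.

```powershell
# Added example, not part of the original article: collects the point 2 facts from the
# affected PC and then pulls the user's logon events from the logon server (point 3) before
# and after a lock/unlock, so the two records the TAC asks for are captured in one file.
# Assumptions (not from the article): elevated PowerShell on the affected, domain-joined PC;
# the account can read the DC's Security log remotely (e.g. member of Event Log Readers)
# and the DC allows 'Remote Event Log Management' through its firewall.

$server = $env:LOGONSERVER.TrimStart('\')      # same value as: echo %logonserver%
$user   = $env:USERNAME                         # same value as: echo %username%

# Point 2: logon server, its IP, hostname, user, IP/DNS settings and group membership.
$report = [pscustomobject]@{
    LogonServer   = $server
    LogonServerIP = (Resolve-DnsName -Name $server -Type A -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
    Hostname      = $env:COMPUTERNAME
    Username      = $user
    IPv4          = (Get-NetIPAddress -AddressFamily IPv4 |
                     Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress -join ','
    DnsServers    = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses -join ','
    Groups        = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name' -join '; '
}

# Point 3: latest logon-related events for this user on the DC. An unlock on the workstation
# normally shows up on the DC as a Kerberos ticket request (4768/4769) or an NTLM validation
# (4776); 4624 is included for DCs that also record a network logon. Fields are read from the
# event XML by name because Properties[] indexes differ between Windows versions.
function Get-UserLogonEvents {
    param([string]$Dc, [string]$User, [int]$Max = 5)
    Get-WinEvent -ComputerName $Dc -MaxEvents 3000 -ErrorAction Stop -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4768, 4769, 4776
    } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # 4769 records the account as user@REALM, the others as a plain name
        if (($d.TargetUserName -split '@')[0] -ieq $User) {
            $addr = if ($d.IpAddress) { $d.IpAddress -replace '^::ffff:', '' } else { $d.Workstation }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                LogonType = $d.LogonType          # 4624 only: 2 interactive, 7 unlock, 3 network
                Client    = $addr                 # IP or host the DC saw for this logon
            }
        }
    } | Select-Object -First $Max
}

$before = @(Get-UserLogonEvents -Dc $server -User $user)
Read-Host 'Now press Win+L, unlock the PC, then press Enter here to continue'
$after  = @(Get-UserLogonEvents -Dc $server -User $user)

if ($after.Count -eq 0 -or ($before.Count -gt 0 -and $after[0].Time -le $before[0].Time)) {
    Write-Warning 'No new logon event for this user on the DC after the unlock: review the PC <-> domain relationship first (Important note 2).'
}

# Write everything to the desktop for the TAC ticket.
$out = Join-Path $env:USERPROFILE 'Desktop\fsso-pc-check.txt'
$report | Format-List | Out-String | Set-Content -Path $out
'--- logon events BEFORE unlock ---' | Add-Content -Path $out
$before | Format-Table -AutoSize | Out-String | Add-Content -Path $out
'--- logon events AFTER unlock ---'  | Add-Content -Path $out
$after  | Format-Table -AutoSize | Out-String | Add-Content -Path $out
Write-Host "Report written to $out"
```

The 'Client' column is the address the domain controller recorded for the logon; if it is not the affected PC's IPv4 address from the report (for example a VPN or NAT address), that mismatch is worth pointing out in the ticket. Events are returned newest first, so the first row of the "AFTER" table should be newer than the first row of the "BEFORE" table; if it is not, the warning above fires and the problem lies between the PC and the domain.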
4) Validations on the FSSO-CA.

If the new logon event is registered correctly, open the FSSO-CA on the active server (identified in point 1), document the following configurations, take screenshots and share them with the TAC (click on each button indicated in red in img-06 and img-07).

img-06

img-07

Identify the user account used to run the 'Fortinet Single Sign On' process service. Take screenshots and share them with the TAC (img-08).

img-08

Validate the group membership of that account: it must belong to the Administrators and/or Domain Admins groups (img-09).

img-09

On the main screen of the FSSO-CA, extract the event logs: select the 'View Logon Events' button, which opens a text file. Save a copy on the desktop and share it with the TAC (img-10).

img-10

On the main screen of the FSSO-CA, select the 'Show Logon Users' button and perform the following searches for the affected PC, using the values collected in point 2:
- Username.
- Hostname.
- IP.

img-11

Now it is possible to share all the collected information with the Fortinet TAC. Here is the checklist:

- Point 2. Output of the commands from the affected PC.
- Point 3. The logon events of the affected user, with date and time, from Event Viewer -> Security.
- Point 4. All the configurations of the FSSO-CA.
- Point 4. The user account under which the FSSO service runs.
- Point 4. The logon events logfile saved on the desktop.
- Point 4. The groups to which the FSSO service account belongs.

If the user is an advanced FortiGate administrator, it is possible to continue troubleshooting based on the information obtained in point 2. There are different scenarios; carry out the searches in 'Show Logon Users' and confirm which one corresponds to the user:
- If the search by username returns NO results, continue at point 6).
- If the search by username returns the wrong hostname or IP, continue at point 7).
- If the search by hostname returns the wrong IP, continue at point 7).
- If the search by hostname returns the wrong username, continue at point 7).
- If the search by username returns the correct IP and hostname, continue at point 8).

5) Communication ports needed.

Inbound (to the FSSO Collector Agent):

UDP/8002 – DC Agent keepalive and push of logon info to the Collector Agent.
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL).
TCP/8000 – FortiGate to FSSO Collector Agent connection.
TCP/8000 – NTLM authentication (FortiGate to Collector Agent).

Outbound (from the FSSO Collector Agent):

TCP/135, TCP/139, UDP/137 – Workstation check in polling mode (fallback method).
TCP/445 – Remote access to the domain controller's logon events and workstation check (remote registry).
TCP/389 – Group lookup using LDAP.
TCP/636 – Group lookup using LDAPS.
TCP/3268 – Group lookup using LDAP against the global catalog.
TCP/3269 – Group lookup using LDAPS against the global catalog.
UDP/53 – DNS for resolving the hostnames in the logon events.
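
The port list above can be checked from the collector itself. The following script is an added example, not part of the original article or of Fortinet's tooling: it verifies that the collector is listening on the inbound ports, lists the established FortiGate sessions, probes the outbound TCP ports toward each domain controller with Test-NetConnection, and shows the local Windows Firewall rules that touch the collector ports. UDP ports (8002, 137, 53) cannot be probed with Test-NetConnection, so for UDP only the local listener is checked. The DC names in $dcs and the FortiGate address in $fortigate are placeholders to be replaced; they are assumptions, not values from the article.

```powershell
# Added example, not part of the original article: run on the FSSO Collector Agent host to
# verify the ports from point 5. TCP reachability is tested with Test-NetConnection; UDP ports
# (8002, 137, 53) cannot be probed that way, so for UDP only the local listener is checked.
# Assumptions (placeholders, not from the article): the DC names in $dcs and the FortiGate
# address in $fortigate.

$dcs       = @('dc01.example.local', 'dc02.example.local')   # replace with the real DCs
$fortigate = '192.0.2.1'                                     # replace with the FortiGate IP

# Inbound: the collector must listen on TCP/8000, TCP/8001 (FortiGate) and UDP/8002 (DC Agents).
function Get-CollectorListeners {
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
           Where-Object { $_.LocalPort -in 8000, 8001 }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
           Where-Object { $_.LocalPort -eq 8002 }
    foreach ($p in 8000, 8001) {
        [pscustomobject]@{ Port = "TCP/$p"; Listening = [bool]($tcp | Where-Object { $_.LocalPort -eq $p }) }
    }
    [pscustomobject]@{ Port = 'UDP/8002'; Listening = [bool]$udp }
}
Get-CollectorListeners | Format-Table -AutoSize

# Established sessions from the FortiGate: once the connector is up, one should appear on
# 8000 (plain) or 8001 (SSL), matching the 'Show Service Status' screen from point 1.
Get-NetTCPConnection -LocalPort 8000, 8001 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $fortigate } |
    Select-Object LocalPort, RemoteAddress, RemotePort, State | Format-Table -AutoSize

# Outbound: TCP ports the collector needs toward each DC (polling, workstation check, group lookup).
$outbound = @{
    135  = 'RPC endpoint mapper (workstation check, polling fallback)'
    139  = 'NetBIOS session (workstation check, polling fallback)'
    445  = 'SMB: remote event log access / remote registry'
    389  = 'LDAP group lookup'
    636  = 'LDAPS group lookup'
    3268 = 'LDAP global catalog'
    3269 = 'LDAPS global catalog'
}
function Test-DcPorts {
    param([string[]]$Servers, [hashtable]$Ports)
    foreach ($dc in $Servers) {
        foreach ($port in ($Ports.Keys | Sort-Object)) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Server     = $dc
                Port       = "TCP/$port"
                Purpose    = $Ports[$port]
                Open       = $r.TcpTestSucceeded
                ResolvedTo = $r.RemoteAddress      # also confirms the DC name resolves (UDP/53)
            }
        }
    }
}
Test-DcPorts -Servers $dcs -Ports $outbound | Format-Table -AutoSize

# Windows Firewall rules on this host that touch the inbound collector ports.
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -in 'TCP', 'UDP' -and ($_.LocalPort | Where-Object { $_ -in '8000', '8001', '8002' }) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Action, Profile | Format-Table -AutoSize
```

A port reported as closed toward a DC while the DC name resolves points at a firewall between the collector and that DC; a missing listener on 8000/8001 means the 'Fortinet Single Sign On' service is not running or is bound elsewhere, which also explains a blank 'Show Service Status' screen in point 1.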
6) Logon Event ID poller.

On the main screen of every FSSO-CA, select Advanced Settings -> Windows Security Event Logon -> 'Event IDs to poll' and set it to '2' instead of the default '0', so that the poller reads a wider set of Windows logon event IDs (img-12). The related article below lists which event IDs each value covers.

When 'OK' is selected, the service is restarted and the active FSSO server may change in the FortiGate External Connector.

img-12

Related article:

Technical Tip: Windows event IDs used by FSSO in WinSec polling

7) DNS issues.

The DNS server used by the host where the FSSO-CA is installed must be correctly updated with the hostnames and current IP addresses of all computers; this synchronization must be handled by the Windows domain administrator. The collector resolves the hostname found in each logon event to an IP address, so a stale or missing record makes the user appear with the wrong IP or not at all.
It is also required that the computers dynamically update their DNS record every time their IP changes, whether due to a network change or a switch between wireless and wired connections.

Below is an external link that may help resolve this: 'Windows DHCP Clients and DNS Dynamic Update Protocol'.
Configure DNS dynamic updates Windows server 2003
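
The forward/reverse consistency described above can be checked from the collector host. The following script is an added example, not part of the original article or of Fortinet's tooling: for each workstation name taken from the 'View Logon Events' file it resolves the A record the collector would use, then resolves the PTR record of that IP and flags hosts whose IP now answers to another name or that have no record at all. It then shows, for a workstation, whether dynamic DNS registration is enabled per adapter. The hostnames in $hosts and the optional $dnsServer are placeholders (assumptions, not values from the article).

```powershell
# Added example, not part of the original article: run on the FSSO-CA host to test that the
# DNS the collector uses resolves workstation names the way point 7 requires.
# Assumptions (not from the article): $hosts are placeholder workstation names taken from
# 'View Logon Events'; $dnsServer is the DNS server the collector uses ($null = system resolver).

$hosts     = @('PC-ALICE', 'PC-BOB')   # replace with hostnames from the logon events file
$dnsServer = $null                     # e.g. '192.0.2.10' to force a specific DNS server

function Test-FssoDns {
    param([string[]]$Names, [string]$Server)
    $opt = @{ ErrorAction = 'SilentlyContinue' }
    if ($Server) { $opt.Server = $Server }
    foreach ($n in $Names) {
        # Forward lookup: hostname from the logon event -> IP the collector will report for the user
        $a = Resolve-DnsName -Name $n -Type A @opt | Where-Object { $_.Type -eq 'A' }
        if (-not $a) {
            [pscustomobject]@{ Host = $n; IP = $null; PTR = $null; Status = 'NO A RECORD (stale or never registered)' }
            continue
        }
        foreach ($rec in $a) {
            # Reverse lookup: does that IP still belong to this host, or has it moved to another PC?
            $ptr = (Resolve-DnsName -Name $rec.IPAddress -Type PTR @opt |
                    Where-Object { $_.Type -eq 'PTR' }).NameHost
            $status = if (-not $ptr) { 'NO PTR' }
                      elseif (($ptr -split '\.')[0] -ieq $n) { 'OK' }
                      else { 'MISMATCH: IP now answers to another host' }
            [pscustomobject]@{ Host = $n; IP = $rec.IPAddress; PTR = ($ptr -join ','); Status = $status }
        }
    }
}
Test-FssoDns -Names $hosts -Server $dnsServer | Format-Table -AutoSize

# On a workstation: confirm dynamic DNS registration is on for each adapter. If it is off, the
# record goes stale after a DHCP or wireless/wired change, which is the point 7 failure mode.
# Register-DnsClient is the PowerShell equivalent of 'ipconfig /registerdns'.
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering
# Register-DnsClient   # uncomment on the affected PC to force re-registration
```

A 'MISMATCH' row means the collector will attribute the user to whichever machine currently holds that IP, which is the "search by username returns the wrong IP" scenario from point 4; a 'NO A RECORD' row means the logon event cannot be turned into an IP at all, so the user never appears on the FortiGate.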
8) FortiGate authentication debug.

Open an SSH session to the FortiGate, save all the output, and run these diagnose commands:

diagnose debug disable
diagnose debug reset
diagnose debug application authd 8256
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug authd fsso server-status

Then lock and unlock the affected PC, wait 2 minutes and stop the debug with:

diagnose debug disable
diagnose debug reset

More useful FSSO commands:

diagnose debug authd fsso list              List the FSSO logons currently known to the FortiGate (user, IP, groups, workstation).
diagnose debug authd fsso refresh-logons    Request the FSSO-CA to send the active users list to the FortiGate.
diagnose debug authd fsso clear-logons      Clear the logon info on the FortiGate. Logons are refreshed in the next polling cycle.
diagnose debug authd fsso refresh-groups    Request the FSSO-CA to send the monitored groups list to the FortiGate.
get user adgrp                              List the monitored groups.
exec fsso refresh                           Manually refresh information from the DC (refresh AD and FSSO groups).

Related articles:

Technical Tip: FSSO choose between DC Agent mode or Polling mode

Technical Tip: FSSO in DC Agent mode

Technical Tip: FSSO in polling mode