Created on 08-02-2024 06:14 AM Edited on 09-04-2024 09:39 PM By Anthony_E
Description |
This article discusses the 'discard Logon' message that can be found when checking Fortinet Single Sign-On (FSSO) logs on the DC Agent.
Note: This article assumes that logging is already enabled on the DC Agent(s). If it is not, refer to the following KB article for the steps to enable it: Technical Tip: How to enable logging on DC Agent (FSSO DC Agent mode). |
Scope | FortiGate, FSSO DC Agent. |
Solution |
Within the DC Agent logs, entries that start with 'Msv1_0SubAuthenticationFilter is called' will be found, followed by an additional time-stamped line entry that states either 'discard Logon' or 'processing Logon'. The following two images show examples of this output:
Example 1: Discard Logon:
Example 2: Processing logon:
The 'processing Logon' message indicates that the DC Agent has received the logon event and is preparing to send it to the FSSO Collector Agent. This is the generally expected behavior, as it indicates that the DC Agent is receiving and forwarding user logon events to the Collector Agent. Note that this message marks the first of two parts involved in logon event forwarding: the logon event is processed and added to a queue. A secondary DC Agent process then takes processed events from the queue and transmits them over the network to the Collector Agent.
On the other hand, the 'discard Logon' message indicates that the logon event has been processed by the Domain Controller but is ultimately being discarded/rejected by the DC Agent. This discard behavior can occur when the 'Disable RDP Override' feature has been toggled on in the Collector Agent or when the 'disable_rdp_override' Registry key has been manually added to the Domain Controller (i.e. the DC Agent has been configured to reject certain logon types).
For more information on the Disable RDP Override option (including how to enable/disable it and other associated effects of doing so), refer to the following KB article: Technical Tip: FSSO RDP logon override
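The pairing described above can be checked across a whole DC Agent log with a short script. The following is an added example, not Fortinet code: it matches only the three strings quoted in this article, and the sample lines (timestamp layout, trailing `user=` field) are constructed assumptions rather than real DC Agent output.

```python
import re
from collections import Counter

# The only strings taken from the article; everything else on a line is opaque.
FILTER_CALL = "Msv1_0SubAuthenticationFilter is called"
OUTCOME = re.compile(r"\b(discard|processing) Logon\b", re.IGNORECASE)

# Constructed sample: timestamp layout and trailing fields are assumptions.
SAMPLE_LOG = """\
08/02/2024 06:14:01 Msv1_0SubAuthenticationFilter is called
08/02/2024 06:14:01 processing Logon: user=alice
08/02/2024 06:14:05 Msv1_0SubAuthenticationFilter is called
08/02/2024 06:14:05 discard Logon: user=bob
08/02/2024 06:14:09 Msv1_0SubAuthenticationFilter is called
08/02/2024 06:14:12 Msv1_0SubAuthenticationFilter is called
08/02/2024 06:14:12 processing Logon: user=carol
""".splitlines()


def summarize(lines):
    """Pair each filter call with the outcome line that follows it."""
    counts = Counter()
    discarded = []
    pending = False  # True while a filter call is waiting for its outcome line
    for line in lines:
        if FILTER_CALL in line:
            if pending:  # previous call never got an outcome line
                counts["no_outcome"] += 1
            counts["filter_calls"] += 1
            pending = True
            continue
        match = OUTCOME.search(line)
        if match and pending:
            kind = match.group(1).lower()
            counts[kind] += 1
            if kind == "discard":
                discarded.append(line.strip())
            pending = False
    if pending:
        counts["no_outcome"] += 1
    return dict(counts), discarded


if __name__ == "__main__":
    counts, discarded = summarize(SAMPLE_LOG)
    print(counts)
    for entry in discarded:
        print("DISCARDED:", entry)
```

A log where discards dominate is a prompt to check the 'Disable RDP Override' setting and the 'disable_rdp_override' Registry key before troubleshooting the Collector Agent side.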
Additional Notes:
|