| Description | This article describes an issue where FSSO CA overrides an actual logon event with the Outlook email event when a user has Outlook set up with two email accounts. A solution is offered. |
| Scope | FortiGate. |
| Solution |
If user 'A' logs on to the computer using username: 'A', the FSSO CA will also reflect the same username 'A'. However, when user A adds an email account with username 'B' in Microsoft Outlook on the PC (while logged in with username 'A' on the PC), Windows will generate an event for user username 'B'.
FSSO Collector Agents capture all (user) account logins generated on monitored Domain Controllers, whether in polling mode or DC Agent mode, including service accounts and admin accounts. As a result, FSSO will pull the event for the outlook logon and will override the username for that IP of the PC to username 'B'. FSSO only accounts for one user per IP and the Collector Agent will overwrite an existing login on an IP if another login event on the same IP is observed.
The same information will be sent to the FortiGate which will cause issues while allowing access to the particular users. In such cases, it is possible to exclude user B to prevent login information from being overwritten. Generally, service accounts and some admin accounts need to be excluded to prevent them from overwriting valid user logins when a login event is triggered by a service account or admin. The FSSO Collector Agent provides the ‘Ignore User List’ option for this purpose.
Figure 1:
Figure 2:
Figure 3:
Technical Tip: How and why to use the 'Ignore User List' option in FSSO Collector Agent |
