Created on 08-25-2022 11:47 AM
Edited on 10-06-2025 09:31 PM
By Anthony_E
Description
This article describes why FortiGate cannot connect to the Active Directory Connector and what causes the issue.
Scope
FortiGate v7.2.1.
Solution
FortiGate frequently polls DCs to collect user logon events. This is called FSSO agentless polling mode. In agentless polling mode, there is no need to install the DC agent or Collector Agent; instead, FortiGate polls the DC itself.
The status of our Active Directory connector is 'Disconnected'. Our DC is running Windows Server 2019 Standard.
FortiGate connects to the AD Connector over TCP port 445 by default. From FortiGate, use a telnet connection to check that the AD connector is listening and to verify that the connection is established.
If the Windows Server is located on a different network and is reached through an IPsec tunnel/SD-WAN, it is necessary to specify the source IP (the IP of the source interface that reaches this server) or the interface itself, using the commands below:
boson-kvm29 (root) # config user fsso
boson-kvm29 (fsso) # show full
config user fsso
edit "FSSO"
set type default
set server "192.168.10.2"
set port 8000
....
set source-ip 80.70.66.69
set source-ip6 ::
set interface-select-method auto
For further troubleshooting of the Active Directory connector on FortiGate, run debug commands.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fssod -1
diagnose debug app smbcd -1
diagnose debug enable
smbcd: smbcd_process_request:987 got cmd id: 6
smbcd: smbcd_process_request:1000 got rpc log field.
smbcd: smbcd_process_request:1012 got rpc username: north
smbcd: smbcd_process_request:1018 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1022 got rpc port: 0
smbcd: smbcd_process_request:1028 got rpc logsrc: security
smbcd: smbcd_process_request:1121 got net_addr
smbcd: smbcd_process_request:1006 got rpc server: 10.0.0.100
smbcd: smbcd_process_request:1055 got VFID, 0
smbcd: smbcd_process_request:1194 got rpc eventlog read command
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741727. Retry to open pipe with auth.
smbcd: rpccli_eventlog_open:225 /code/daemon/smbcd/smbcd_eventlog.c-225: evenglog handle get failed.nt_status:-1073741727
smbcd: rpc_cmd_eventlog_read:932 open rpc err(10.0.0.100:north:0) from security log!, Please check correct server name, user name, password, port and log source
2022-08-24 23:10:08 [handle_reply:499] wrong format of data status. len 8 <> 4.
Check communication between FortiGate and the DC on TCP port 445.
diagnose sniffer packet any "host <DC IP> and port 445" 6 0 a
Alternatively, in the GUI, go to Network -> Diagnostic -> Packet Capture. Narrow down the TCP/445 communication using filters for the interface, destination host and port.
After reproducing the issue, check the captured traffic between FortiGate and the DC over TCP port 445.
In Wireshark, the DC responds to FortiGate's request with the error 'STATUS_PRIVILEGE_NOT_HELD'. The user used for reading and polling event logs, 'north', does not appear to have the appropriate domain privileges.
The user must have read access to the logs using the built-in AD security group 'Event Log Readers'.
To add a user to the 'Event Log Readers' group in Active Directory, open Active Directory Users and Computers, navigate to the specific user account, right-click the user, select 'Add to a group', type 'Event Log Readers', select 'Check Names', and then select 'OK' to confirm.
After assigning the user 'north' to the AD security group 'Event Log Readers', FortiGate established communication with the DC over the Active Directory Connector.
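The nt_status:-1073741727 value in the smbcd debug output above is the same NTSTATUS that the packet capture shows, printed as a signed 32-bit decimal. The Python sketch below is an added example (not Fortinet code) that decodes it and extracts the server, user and log source from the 'open rpc err' line; the function names and the short NTSTATUS table are choices made for this example, and the sample lines are copied from the debug output above.

```python
import re

# Small subset of NTSTATUS codes that are plausible for a failed eventlog open.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000061: "STATUS_PRIVILEGE_NOT_HELD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
NT_STATUS_RE = re.compile(r"nt_status:(-?\d+)")
# Matches "open rpc err(<server>:<user>:<port>) from <logsrc> log" (IPv4 or hostname only).
RPC_ERR_RE = re.compile(r"open rpc err\(([^:()]+):([^:()]+):(\d+)\) from (\S+) log")

# Lines copied from the smbcd debug output shown in this article.
SAMPLE = """\
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741727. Retry to open pipe with auth.
smbcd: rpccli_eventlog_open:225 /code/daemon/smbcd/smbcd_eventlog.c-225: evenglog handle get failed.nt_status:-1073741727
smbcd: rpc_cmd_eventlog_read:932 open rpc err(10.0.0.100:north:0) from security log!, Please check correct server name, user name, password, port and log source
"""

def decode_nt_status(value):
    """Turn the signed 32-bit decimal printed by smbcd into (hex code, name)."""
    code = value & 0xFFFFFFFF  # reinterpret as unsigned 32-bit
    return f"0x{code:08X}", NTSTATUS_NAMES.get(code, "UNKNOWN")

def summarize(log_text):
    """Return one finding per failed poll with the decoded statuses that preceded it."""
    findings, pending = [], []
    for line in log_text.splitlines():
        status = NT_STATUS_RE.search(line)
        if status:
            decoded = decode_nt_status(int(status.group(1)))
            if decoded not in pending:  # the retry logs the same status twice
                pending.append(decoded)
        err = RPC_ERR_RE.search(line)
        if err:
            server, user, _port, logsrc = err.groups()
            findings.append({"server": server, "user": user,
                             "logsrc": logsrc, "statuses": pending})
            pending = []
    return findings

if __name__ == "__main__":
    for f in summarize(SAMPLE):
        print(f["server"], f["user"], f["logsrc"], f["statuses"])
```

A decoded STATUS_PRIVILEGE_NOT_HELD for the polling user points to the 'Event Log Readers' membership described above, without needing a packet capture.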
Note:
If the issue persists, verify whether the SAMBA service is running on the DC, as it is required for polling mode. If not, follow this document from Microsoft for verification: Detect, enable, and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn
Related articles:
Troubleshooting Tip: How to troubleshoot FSSO agentless polling mode issue
Technical Tip: FSSO polling connector agent configuration and troubleshooting steps