Description
This article describes why a FortiGate in FSSO agentless polling mode shows its Active Directory Connector as 'Disconnected', how to identify the cause with debug and packet capture, and how to fix it.
Scope
FortiGate 7.2.1
Solution
In FSSO agentless polling mode, FortiGate itself polls the domain controllers (DCs) at regular intervals to collect user logon events from the Security event log. No DC Agent or Collector Agent needs to be installed; the FortiGate reads the logs directly from the DC.
In this case, the status of the Active Directory Connector on FortiGate is 'Disconnected'. The DC runs Windows Server 2019 Standard.
FortiGate polls the DC over SMB, on TCP port 445 by default. From the FortiGate CLI, first confirm that the DC is reachable and listening on that port (for example with 'execute telnet <DC IP> 445'). A successful TCP connection rules out a routing or firewall problem, but it does not prove that the polling account is allowed to read the event logs, so continue with the debug below.
For further troubleshooting of the Active Directory Connector, run the following debug commands on FortiGate and then reproduce the issue:
# diag debug reset
# diag debug console timestamp enable
# diag debug application fssod -1
# diag debug app smbcd -1
# diag debug enable
smbcd: smbcd_process_request:987 got cmd id: 6
smbcd: smbcd_process_request:1000 got rpc log field.
smbcd: smbcd_process_request:1012 got rpc username: north
smbcd: smbcd_process_request:1018 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1022 got rpc port: 0
smbcd: smbcd_process_request:1028 got rpc logsrc: security
smbcd: smbcd_process_request:1121 got net_addr
smbcd: smbcd_process_request:1006 got rpc server: 10.0.0.100
smbcd: smbcd_process_request:1055 got VFID, 0
smbcd: smbcd_process_request:1194 got rpc eventlog read command
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741727. Retry to open pipe with auth.
smbcd: rpccli_eventlog_open:225 /code/daemon/smbcd/smbcd_eventlog.c-225: evenglog handle get failed.nt_status:-1073741727
smbcd: rpc_cmd_eventlog_read:932 open rpc err(10.0.0.100:north:0) from security log!, Please check correct server name, user name, password, port and log source
2022-08-24 23:10:08 [handle_reply:499] wrong format of data status. len 8 <> 4.
The NT status -1073741727 in the smbcd output is 0xC0000061 in hexadecimal, which is STATUS_PRIVILEGE_NOT_HELD: the DC accepted the SMB session (server address, user name and password are correct) but refused to open a handle to the Security event log. To confirm this on the wire, check the communication between FortiGate and the DC on TCP port 445:
# diag sniffer packet any "host <DC IP> and port 445" 6 0 a
Or, in the GUI, go to Network -> Diagnostic -> Packet Capture and narrow the capture down to the TCP/445 traffic by filtering on the interface facing the DC, the DC IP address as destination host, and port 445.
After reproducing the issue, inspect the captured traffic between FortiGate and the DC on TCP port 445.
In Wireshark, the DC answers FortiGate's EventLog open request with the error 'STATUS_PRIVILEGE_NOT_HELD', the same status seen in the smbcd debug.
The account used for reading and polling the event logs, 'north', therefore does not have the privilege required to read the Security log on the DC.
The polling account must have read access to the event logs. The simplest way to grant this is membership in the built-in AD security group 'Event Log Readers'. Use a dedicated low-privilege service account for polling rather than a Domain Admins account: read access to the logs is all FortiGate needs, and the credentials are stored on the FortiGate.
After adding user 'north' to the 'Event Log Readers' security group, FortiGate established communication with the DC and the Active Directory Connector showed the DC as connected.
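The following PowerShell script is an added example, not part of the Fortinet article, showing how an AD administrator would grant and verify the group membership described above from a domain-joined management host. It assumes the RSAT ActiveDirectory module is installed, that it runs with rights to modify the group, and it reuses the account name 'north' and the DC address 10.0.0.100 from the debug output; the final read test uses the polling account's own credentials so that it exercises the same access the FortiGate needs.

```powershell
# Added example (not from the Fortinet article or FortiOS): ensure the FortiGate
# FSSO polling account is a member of 'Event Log Readers' and verify that it can
# actually read the Security log on the DC.
# Assumptions: ActiveDirectory module (RSAT) available, run by an account allowed
# to modify the group; $PollingAccount and $DomainController are taken from the
# article's smbcd debug output and are placeholders for your environment.
Import-Module ActiveDirectory

$PollingAccount   = 'north'
$DomainController = '10.0.0.100'
$Group            = 'Event Log Readers'

# Resolve the polling account and the current (recursive) group membership.
$user    = Get-ADUser -Identity $PollingAccount
$members = Get-ADGroupMember -Identity $Group -Recursive |
           Select-Object -ExpandProperty SamAccountName

if ($members -contains $user.SamAccountName) {
    Write-Host "$PollingAccount is already a member of '$Group'."
}
else {
    Write-Host "Adding $PollingAccount to '$Group'."
    Add-ADGroupMember -Identity $Group -Members $user
}

# Group membership is evaluated when a session is established, so the change
# only applies to new SMB sessions from the FortiGate. Verify with the polling
# account's own credentials that the Security log on the DC is now readable.
$cred = Get-Credential -UserName $PollingAccount -Message "Password for $PollingAccount"
try {
    $evt = Get-WinEvent -ComputerName $DomainController -LogName Security `
                        -MaxEvents 1 -Credential $cred -ErrorAction Stop
    Write-Host "OK: read event ID $($evt.Id) from the Security log on $DomainController as $PollingAccount."
}
catch {
    # An access-denied error here means the account still lacks read access
    # (for example, the membership has not taken effect for this session yet).
    Write-Warning "Reading the Security log on $DomainController as $PollingAccount failed: $($_.Exception.Message)"
}
```

If the read test fails right after the group change, retry with a fresh session rather than assuming the group assignment is wrong; once it succeeds, the Active Directory Connector on FortiGate should reconnect on its next poll, and the smbcd debug should no longer report the 0xC0000061 status.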
Related KB article:
Copyright 2024 Fortinet, Inc. All Rights Reserved.