Created on 08-25-2022 11:47 AM
Edited on 01-23-2025 01:57 AM
By Anthony_E
Description
This article describes why FortiGate may fail to connect to the Active Directory Connector and how to identify the cause.
Scope
FortiGate v7.2.1
Solution
FortiGate periodically polls the domain controllers (DCs) to collect user logon events.
This is called FSSO agentless polling mode.
In agentless polling mode there is no need to install a DC Agent or Collector Agent; instead, FortiGate polls the DC itself.
In this case, the status of the Active Directory connector is 'Disconnected'.
The DC is running Windows Server 2019 Standard.
FortiGate connects to the AD Connector by default via port TCP/445.
From the FortiGate, double-check with a telnet connection to this port that the AD connector (the DC) is listening and that the connection succeeds.
If the Windows Server is located on a different network and is reached through an IPsec tunnel or SD-WAN, it is necessary to specify the source IP (the IP of the interface that reaches the server) or the source interface itself, using the following commands:
boson-kvm29 (root) # config user fsso
boson-kvm29 (fsso) # show full
config user fsso
edit "FSSO"
set type default
set server "192.168.10.2"
set port 8000
....
set source-ip 80.70.66.69
set source-ip6 ::
set interface-select-method auto
For further troubleshooting of the Active Directory connector on FortiGate, run the following debug commands:
diag debug reset
diag debug console timestamp enable
diag debug application fssod -1
diag debug app smbcd -1
diag debug enable
smbcd: smbcd_process_request:987 got cmd id: 6
smbcd: smbcd_process_request:1000 got rpc log field.
smbcd: smbcd_process_request:1012 got rpc username: north
smbcd: smbcd_process_request:1018 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1022 got rpc port: 0
smbcd: smbcd_process_request:1028 got rpc logsrc: security
smbcd: smbcd_process_request:1121 got net_addr
smbcd: smbcd_process_request:1006 got rpc server: 10.0.0.100
smbcd: smbcd_process_request:1055 got VFID, 0
smbcd: smbcd_process_request:1194 got rpc eventlog read command
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741727. Retry to open pipe with auth.
smbcd: rpccli_eventlog_open:225 /code/daemon/smbcd/smbcd_eventlog.c-225: evenglog handle get failed.nt_status:-1073741727
smbcd: rpc_cmd_eventlog_read:932 open rpc err(10.0.0.100:north:0) from security log!, Please check correct server name, user name, password, port and log source
2022-08-24 23:10:08 [handle_reply:499] wrong format of data status. len 8 <> 4.
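The smbcd daemon prints nt_status as a signed 32-bit decimal, which hides the NTSTATUS code behind the failure. The following Python script is an added example for this article (it is not Fortinet code and does not run on the FortiGate): it parses the debug lines above, converts each nt_status back to its unsigned hexadecimal form, and maps well-known codes to a name and a hint. The sample input is a constructed excerpt of the output shown above; the assumption that nt_status is a signed NTSTATUS is consistent with the Wireshark finding later in this article, since -1073741727 is 0xC0000061, STATUS_PRIVILEGE_NOT_HELD.

```python
import re

# Constructed sample: an excerpt of the smbcd debug output shown in this article.
SAMPLE_DEBUG = """\
smbcd: smbcd_process_request:1012 got rpc username: north
smbcd: smbcd_process_request:1006 got rpc server: 10.0.0.100
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741727. Retry to open pipe with auth.
smbcd: rpccli_eventlog_open:225 /code/daemon/smbcd/smbcd_eventlog.c-225: evenglog handle get failed.nt_status:-1073741727
smbcd: rpc_cmd_eventlog_read:932 open rpc err(10.0.0.100:north:0) from security log!, Please check correct server name, user name, password, port and log source
"""

# Well-known NTSTATUS codes (Windows SDK ntstatus.h) that commonly show up
# when an account polls the Security event log over RPC.
NTSTATUS_NAMES = {
    0xC0000061: ("STATUS_PRIVILEGE_NOT_HELD",
                 "polling account lacks the event-log read privilege; "
                 "add it to the built-in 'Event Log Readers' group"),
    0xC0000022: ("STATUS_ACCESS_DENIED",
                 "account is denied access to the resource"),
    0xC000006D: ("STATUS_LOGON_FAILURE",
                 "user name or password is wrong"),
}

_STATUS_RE = re.compile(r"nt_status:(-?\d+)")
_SERVER_RE = re.compile(r"got rpc server: (\S+)")
_USER_RE = re.compile(r"got rpc username: (\S+)")


def nt_status_from_signed(value: int) -> int:
    """Turn the signed decimal smbcd prints into the unsigned 32-bit NTSTATUS."""
    return value & 0xFFFFFFFF


def decode_nt_status(value: int) -> dict:
    """Describe one nt_status value: hex form, symbolic name, remediation hint."""
    code = nt_status_from_signed(value)
    name, hint = NTSTATUS_NAMES.get(
        code, ("UNKNOWN", "look the code up in the NTSTATUS reference"))
    return {
        "signed": value,
        "hex": f"0x{code:08X}",
        "name": name,
        "hint": hint,
        # Top two bits of an NTSTATUS are the severity: 3 means error.
        "is_error": (code >> 30) == 3,
    }


def analyze_smbcd_debug(text: str) -> dict:
    """Pull the polled server, the polling user and every nt_status from a debug capture."""
    server = user = None
    statuses = []
    for line in text.splitlines():
        if m := _SERVER_RE.search(line):
            server = m.group(1)
        if m := _USER_RE.search(line):
            user = m.group(1)
        if m := _STATUS_RE.search(line):
            statuses.append(decode_nt_status(int(m.group(1))))
    return {
        "server": server,
        "user": user,
        "statuses": statuses,
        # Distinct failure names, in order of first appearance.
        "failures": list(dict.fromkeys(s["name"] for s in statuses if s["is_error"])),
    }


if __name__ == "__main__":
    result = analyze_smbcd_debug(SAMPLE_DEBUG)
    print(f"server={result['server']} user={result['user']}")
    for s in result["statuses"]:
        print(f"{s['signed']} -> {s['hex']} {s['name']}: {s['hint']}")
```

Run it against a pasted debug capture and the last column tells you which side to check first: STATUS_PRIVILEGE_NOT_HELD points at group membership on the DC, STATUS_LOGON_FAILURE at the credentials configured under config user fsso.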
Check communication between FortiGate and the DC on TCP port 445.
diag sniffer packet any "host <DC IP> and port 445" 6 0 a
Or over the GUI: Network -> Diagnostics -> Packet Capture. Narrow down the TCP/445 communication using filters for the interface, destination host and port.
After reproducing the issue, check the captured traffic between FortiGate and the DC on TCP port 445.
In Wireshark, the DC responds to FortiAuthenticator's request with the error 'STATUS_PRIVILEGE_NOT_HELD'. The user used for reading and polling the event logs, 'north', does not appear to have the appropriate domain privileges.
The user must have read access to the logs, which is granted through the built-in AD security group 'Event Log Readers'.
After adding user 'north' to the AD security group 'Event Log Readers', FortiGate established communication with the DC over the Active Directory Connector.
Related article:
Troubleshooting Tip: How to troubleshoot FSSO agentless polling mode issue