matanaskovic
Staff

Description

 

This article describes why a FortiGate cannot connect to a Domain Controller through its Active Directory Connector and what the underlying issue is.

 

Scope

 

FortiGate 7.2.1

 

Solution

 

FortiGate frequently polls the Domain Controllers (DCs) to collect user logon events.

This is called FSSO agentless polling mode.

In agentless polling mode there is no need to install a DC Agent or a Collector Agent; instead, the FortiGate polls the DC itself.

 


 

The status of our Active Directory connector is 'Disconnected'.

Our DC runs Windows Server 2019 Standard.

 

By default, FortiGate connects to the DC configured in the AD Connector over port TCP/445.

From the FortiGate, double-check with a telnet connection to that port to see whether the DC is listening and to verify that the connection is actually established.

 


 

For further troubleshooting of the Active Directory connector on the FortiGate, run the following debug commands:

 

# diag debug reset
# diag debug console timestamp enable
# diag debug application fssod -1
# diag debug app smbcd -1
# diag debug enable

 

smbcd: smbcd_process_request:987 got cmd id: 6
smbcd: smbcd_process_request:1000 got rpc log field.
smbcd: smbcd_process_request:1012 got rpc username: north
smbcd: smbcd_process_request:1018 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1022 got rpc port: 0
smbcd: smbcd_process_request:1028 got rpc logsrc: security
smbcd: smbcd_process_request:1121 got net_addr
smbcd: smbcd_process_request:1006 got rpc server: 10.0.0.100
smbcd: smbcd_process_request:1055 got VFID, 0
smbcd: smbcd_process_request:1194 got rpc eventlog read command
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741727. Retry to open pipe with auth.
smbcd: rpccli_eventlog_open:225 /code/daemon/smbcd/smbcd_eventlog.c-225: evenglog handle get failed.nt_status:-1073741727
smbcd: rpc_cmd_eventlog_read:932 open rpc err(10.0.0.100:north:0) from security log!, Please check correct server name, user name, password, port and log source
2022-08-24 23:10:08 [handle_reply:499] wrong format of data status. len 8 <> 4.

 

Check communication between FortiGate and the DC on TCP port 445.

 

# diag sniffer packet any "host <DC IP> and port 445" 6 0 a

 

Or in the GUI, go to Network -> Diagnostics -> Packet Capture. Narrow the capture down to the TCP/445 communication using filters for the interface (network port), destination host and port.

 


 

After reproducing the issue, let's check the traffic between the FortiGate and the DC over TCP port 445.

 


 

In Wireshark, the DC responds to the FortiAuthenticator's request with the error 'STATUS_PRIVILEGE_NOT_HELD'.

 

The user used for polling and reading the event logs, 'north', does not seem to have the appropriate domain privileges.
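The same failure is already visible in the smbcd debug output above: smbcd prints the NTSTATUS as a signed 32-bit integer, and -1073741727 is 0xC0000061, which is exactly STATUS_PRIVILEGE_NOT_HELD. The following Python script is an added example (not a Fortinet tool) that parses an smbcd debug excerpt, recovers the NTSTATUS code, and maps a few well-known Microsoft NTSTATUS values to the check a defender would do next; the hint text and the sample log lines are constructed for this example.

```python
import re

# Constructed excerpt in the shape of the smbcd debug output shown in this article.
SMBCD_DEBUG = """\
smbcd: smbcd_process_request:1012 got rpc username: north
smbcd: smbcd_process_request:1028 got rpc logsrc: security
smbcd: smbcd_process_request:1006 got rpc server: 10.0.0.100
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741727. Retry to open pipe with auth.
smbcd: rpccli_eventlog_open:225 /code/daemon/smbcd/smbcd_eventlog.c-225: evenglog handle get failed.nt_status:-1073741727
"""

# Well-known Microsoft NTSTATUS values; the remediation hints are this example's own.
NTSTATUS = {
    0xC0000061: ("STATUS_PRIVILEGE_NOT_HELD",
                 "polling account lacks log-read rights: add it to 'Event Log Readers' on the DC"),
    0xC0000022: ("STATUS_ACCESS_DENIED",
                 "access denied: check the account's permissions on the DC"),
    0xC000006D: ("STATUS_LOGON_FAILURE",
                 "bad credentials: check the user name and password in the connector"),
}

def nt_status_to_code(signed):
    """smbcd logs NTSTATUS as a signed 32-bit int; recover the unsigned code."""
    return signed & 0xFFFFFFFF

def parse_smbcd_debug(text):
    """Extract connector parameters and every nt_status from an smbcd debug capture."""
    result = {"statuses": []}
    for key, pattern in (("server", r"got rpc server: (\S+)"),
                         ("username", r"got rpc username: (\S+)"),
                         ("logsrc", r"got rpc logsrc: (\S+)")):
        match = re.search(pattern, text)
        if match:
            result[key] = match.group(1)
    for match in re.finditer(r"nt_status:(-?\d+)", text):
        code = nt_status_to_code(int(match.group(1)))
        name, hint = NTSTATUS.get(code, ("UNKNOWN", "look the code up in the NTSTATUS reference"))
        result["statuses"].append((f"0x{code:08X}", name, hint))
    return result

if __name__ == "__main__":
    r = parse_smbcd_debug(SMBCD_DEBUG)
    print(f"connector {r['username']}@{r['server']}, log source {r['logsrc']}")
    for code, name, hint in r["statuses"]:
        print(f"{code} {name}: {hint}")
```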

 

The user must have read access to the event logs; grant it by adding the user to the built-in AD security group 'Event Log Readers'.

 


 

After adding the user 'north' to the AD security group 'Event Log Readers', the FortiGate established communication with the DC over the Active Directory Connector.

 


 

Related KB article:

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-p...
