FortiGate
matanaskovic
Staff
Article Id 221262

Description

 

This article describes why a FortiGate cannot connect to the FSSO Collector Agent on Windows Server 2019 and how to resolve the issue.

 

Scope

 

FortiGate v7.2.1, FSSO Collector Agent.

 

Solution

 

As an example, an External Connector on FortiGate 7.2.1 has been configured to use an FSSO Agent running on a Windows Active Directory server.

 

matanaskovic_0-1660919587463.png

 

The configuration had been working, but FSSO communication between the FortiGate and FSSO Collector Agent 5.0.0306 suddenly stopped.

 

By default, the FortiGate connects to the Collector Agent on TCP port 8000. Verify that the Collector Agent is listening on TCP/8000 and that the Windows Firewall allows inbound connections to that port.

 

matanaskovic_1-1660919620231.png

 

matanaskovic_2-1660919636954.png

 

From the FortiGate, double-check that the FSSO Collector Agent is listening and that the port is reachable by opening a telnet connection to it:

 

matanaskovic_3-1660919668489.png

 

Even so, the debug command that reports the FSSO server status still shows 'waiting for retry' as the Connection Status.

 

matanaskovic_4-1660919694805.png

 

To troubleshoot the connection to the FSSO Collector Agent on the Windows server further, run the following authd application debug on the FortiGate.

 

diagnose debug application authd -1
Debug messages will be on for 30 minutes.
photon-kvm12 (root) # diagnose debug enable
photon-kvm12 (root) # authd_timer_run: 2 expired
authd_epoll_work: timeout 5000
authd_timer_run: 1 expired
authd_epoll_work: timeout 990
authd_timer_run: 1 expired
authd_epoll_work: timeout 10000
authd_epoll_work: timeout 10000
Server challenge:
        f9 57 20 05 7a 00 6d 50 42 7b a5 48 02 5d cf 37
MD5 response:
        d5 08 03 a2 66 f1 ad 2b 0c 9a 6f 9b a5 d1 e9 1c
authd_epoll_work: timeout 9990
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
authd_epoll_work: timeout 9990
diag deb disaauthd_timer_run: 1 expired
authd_epoll_work: timeout 9980
authd_epoll_work: timeout 9980
Server challenge:

        19 58 fc 28 4b 3a 66 7c 2c 0e 09 62 96 56 76 45
MD5 response:

        73 b5 03 1b b8 64 21 c8 82 7e 8d 10 e6 2b c3 99
authd_epoll_work: timeout 9970
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
authd_epoll_work: timeout 9960

 

After re-entering (or changing) the FSSO Agent password used for communication between the FortiGate and the FSSO Collector Agent, communication is finally established.

Make sure the password is less than 15 characters. The FSSO collector agent can only accept passwords up to 15 characters in length.
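The authd debug output above and the 15-character password limit can be turned into a quick triage check. The following Python script is an added example, not part of the article or of Fortinet's tooling: it parses a constructed sample of the authd debug lines (modelled on the output shown above, not copied from a live capture), collects the challenge/response rounds, flags the 'server authentication failed' events, maps them to the remedy the article arrives at, and checks a candidate password against the stated length limit. The function names, verdict codes and sample passwords are assumptions of this example.

```python
import re

# Constructed sample of 'diagnose debug application authd -1' output, modelled on the
# lines the article shows (not a capture taken from the article itself).
SAMPLE_AUTHD_DEBUG = """\
authd_epoll_work: timeout 10000
Server challenge:
        f9 57 20 05 7a 00 6d 50 42 7b a5 48 02 5d cf 37
MD5 response:
        d5 08 03 a2 66 f1 ad 2b 0c 9a 6f 9b a5 d1 e9 1c
authd_epoll_work: timeout 9990
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
authd_epoll_work: timeout 9980
Server challenge:

        19 58 fc 28 4b 3a 66 7c 2c 0e 09 62 96 56 76 45
MD5 response:

        73 b5 03 1b b8 64 21 c8 82 7e 8d 10 e6 2b c3 99
authd_epoll_work: timeout 9970
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
"""

FSSO_MAX_PASSWORD_LEN = 15  # Collector Agent limit stated in the article

AUTH_FAIL_RE = re.compile(r"^_process_auth\[(?P<server>[^\]]+)\]: server authentication failed")
DISCONNECT_RE = re.compile(r"^disconnect_server_only\[(?P<server>[^\]]+)\]: disconnecting")
HEX16_RE = re.compile(r"^(?:[0-9a-f]{2}\s+){15}[0-9a-f]{2}$")  # one 16-byte dump line


def parse_authd_debug(text: str) -> dict:
    """Collect the challenge/response rounds and the failure lines from authd debug output."""
    rounds = []         # one dict per round: {"challenge": hex, "response": hex}
    auth_failures = []  # server name from each "server authentication failed" line
    disconnects = []    # server name from each "disconnecting" line
    pending = None      # which hex line we are waiting for: "challenge" or "response"
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines inside the dump, as in the article's output
        if line.startswith("Server challenge:"):
            pending, current = "challenge", {}
        elif line.startswith("MD5 response:"):
            pending = "response"
        elif pending and HEX16_RE.match(line):
            current[pending] = "".join(line.split())
            if pending == "response" and "challenge" in current:
                rounds.append(current)
                current = {}
            pending = None
        else:
            m = AUTH_FAIL_RE.match(line)
            if m:
                auth_failures.append(m.group("server"))
                continue
            m = DISCONNECT_RE.match(line)
            if m:
                disconnects.append(m.group("server"))
    return {"rounds": rounds, "auth_failures": auth_failures, "disconnects": disconnects}


def diagnose(parsed: dict) -> tuple:
    """Map the parsed output to a verdict code and the next step the article suggests."""
    if parsed["auth_failures"]:
        return ("SHARED_SECRET_MISMATCH",
                "challenge/response rounds were exchanged but ended in 'server authentication "
                "failed': re-enter the FSSO password on both the FortiGate and the Collector "
                "Agent and keep it within the Collector Agent's length limit")
    if parsed["rounds"]:
        return ("NO_AUTH_FAILURE", "no authentication failure in the captured rounds; "
                "re-check the FSSO server status on the FortiGate")
    return ("NO_EXCHANGE",
            "no challenge was received: confirm the Collector Agent listens on TCP/8000 "
            "and that the Windows Firewall permits the connection")


def fsso_password_ok(password: str) -> bool:
    """True when the password fits the Collector Agent's 15-character limit."""
    return 1 <= len(password) <= FSSO_MAX_PASSWORD_LEN


if __name__ == "__main__":
    parsed = parse_authd_debug(SAMPLE_AUTHD_DEBUG)
    code, advice = diagnose(parsed)
    print(f"rounds={len(parsed['rounds'])} auth_failures={len(parsed['auth_failures'])} "
          f"disconnects={len(parsed['disconnects'])}")
    print(f"{code}: {advice}")
    for pw in ("Fsso-Pass-2019!", "Fsso-Collector-Pass-2019!"):  # constructed sample passwords
        print(f"{pw!r}: {'ok' if fsso_password_ok(pw) else 'too long for the Collector Agent'}")
```

Feed it the real output of 'diagnose debug application authd -1' (for example via 'python3 triage.py < authd.log' after replacing the sample constant with sys.stdin.read()) and the verdict separates the two failure modes the article walks through: no challenge at all points at TCP/8000 reachability and the Windows Firewall, while repeated 'server authentication failed' after a challenge points at the shared FSSO password.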

 

The status will then show as 'Connected', which can be verified once again with the debug command.

 

matanaskovic_0-1661436846730.png

 

matanaskovic_5-1660919765998.png

 

Identify the user account used to run the Fortinet Single Sign On process service and validate its permissions; the account must belong to the Administrators and/or Domain Admins groups:

 

admin account credentials.png

 

the account should be admin or in admin group.png

 

If it still does not work after confirming that the password is the same on both the FortiGate and the Collector Agent, try uninstalling and reinstalling the Collector Agent.

To uninstall the Collector Agent in Windows, go to Add or Remove programs under System Settings, find the FSSO Collector Agent and uninstall it.

 

To reinstall the collector agent, refer to Technical Tip: How to install the FSSO Collector Agent.

 

After it is installed again, configure the FSSO Collector Agent and connect it to the FortiGate again.

The status should then show as 'Connected'.

 

Related articles:

Technical Tip: General troubleshooting for FSSO.

Technical Tip: Useful FSSO commands.

Technical Tip: How to install the FSSO Collector Agent.

Technical Tip: Restricting a Fortinet Single Sign On Agent Service (FSSO) service account