Created on 05-12-2025 09:49 AM. Edited on 05-15-2025 06:10 AM. By Jean-Philippe_P.
This article explains an issue where changes to a user’s group membership in Active Directory are not properly reflected for all users affected by the change.
Scope: FortiProxy.
If a user's group membership is changed from one group to another, the FortiProxy should update its user group cache once the group cache timeout expires (the default is 5 minutes).
For example, user1 and user2 were both removed from their original group 'FortiProxyUsers-Production' and added to the group 'FortiProxyUsers-AllUsers'.
As shown in the output below, the user1 group cache has been updated and shows the new group membership. The user2 group cache, however, has not been refreshed, so user2 still appears under 'FortiProxyUsers-Production'.
diagnose debug enable
diagnose test application wad 2500
diagnose test application wad 159
uname=user1@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 14:15:01 2025
user id=1086, refresh_time=Thu Apr 10 14:09:39 2025
user dn=CN=user1,OU=IT,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN=FortiProxyUsers-AllUsers,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM
uname=user2@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 13:44:39 2025
user id=1265, refresh_time=Thu Apr 10 13:44:39 2025
user dn=CN=user2,OU=HR,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN= FortiProxyUsers-Production,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM
Note: Allow up to 30 minutes for Active Directory to propagate changes across all domain controllers. It is therefore recommended to wait for AD replication to complete and then check the updated group cache information on the FortiProxy.
If the issue persists, collect the following diagnostic information and open a case with TAC to determine whether it matches known issue ID 1130867 on FortiProxy.
Step 1: Enable diagnostic mode and modify cache timeout settings to 5 minutes.
diagnose debug enable
diagnose test application wad 2500
diagnose test application wad 1900005 <- Changes user cache timeout from 1440 to 5 minutes.
diagnose test application wad 1910005 <- Changes group cache timeout from 1440 to 5 minutes.
Step 2: Verify the timeout settings were properly applied.
diagnose test application wad 170 <- For v7.2.x units.
Or:
diagnose test application wad 181 <- For v7.4.x units.
Step 3: Enable WAD debug logging to capture the authentication process.
Note: It is recommended to run these debug commands in an SSH session using PuTTY and to log the session to a text file.
diagnose wad debug enable category auth
diagnose wad debug enable category http
diagnose wad debug enable level verbose
diagnose debug console timestamp enable
diagnose debug enable
Step 5: Log in to the test user machine to create an authentication session.
Step 6: Check and capture the user group cache information for the test user.
diagnose debug enable
diagnose test application wad 2500
diagnose test application wad 159
Step 7: Change the group membership of the test user and de-authenticate the user.
Step 8: Log in to the test user machine to create an authentication session.
Step 9: Wait at least 5-6 minutes, then check the user group cache information again.
diagnose debug enable
diagnose test application wad 2500
diagnose test application wad 159
To stop debugging:
diagnose debug disable
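When comparing the Step 6 and Step 9 captures, it helps to check the `wad 159` output mechanically rather than by eye. The following is an added example, not Fortinet code: it parses the user entries of the output shown above (the timestamp format and the `uname=` / `refresh_time=` / `sid:` line layout are assumed from that output, and the sample is constructed from it) and flags users whose cached groups still lack the expected group even though their refresh_time is older than the group cache timeout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two entries from `diagnose test application wad 159` shown above
# (the stray space in "CN= FortiProxyUsers-Production" is kept on purpose).
SAMPLE = """\
uname=user1@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 14:15:01 2025
user id=1086, refresh_time=Thu Apr 10 14:09:39 2025
user dn=CN=user1,OU=IT,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN=FortiProxyUsers-AllUsers,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM
uname=user2@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 13:44:39 2025
user id=1265, refresh_time=Thu Apr 10 13:44:39 2025
user dn=CN=user2,OU=HR,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN= FortiProxyUsers-Production,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM
"""
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # timestamp format assumed from the output above

def parse_wad_159(text):
    """Parse the user entries of `wad 159` output into dicts (assumed line layout)."""
    users, cur = [], None
    for line in text.splitlines():
        if line.startswith("uname="):
            m = re.match(r"uname=([^,]+).*last_access=(.+)$", line)
            cur = {"uname": m.group(1),
                   "last_access": datetime.strptime(m.group(2).strip(), TIME_FMT),
                   "groups": []}
            users.append(cur)
        elif line.startswith("user id=") and cur is not None:
            m = re.search(r"refresh_time=(.+)$", line)
            cur["refresh_time"] = datetime.strptime(m.group(1).strip(), TIME_FMT)
        elif line.startswith("sid:") and cur is not None:
            # first RDN of the cached group DN; tolerate whitespace after "CN="
            m = re.search(r"name=CN=\s*([^,]+)", line)
            cur["groups"].append(m.group(1).strip())
    return users

def stale_entries(users, expected_group, now_str, timeout_minutes=5):
    """Return unames whose cache lacks expected_group although refresh_time is older
    than the group cache timeout, i.e. entries the FortiProxy should have refreshed."""
    now = datetime.strptime(now_str, TIME_FMT)
    limit = timedelta(minutes=timeout_minutes)
    return [u["uname"] for u in users
            if expected_group not in u["groups"] and now - u["refresh_time"] > limit]

if __name__ == "__main__":
    for name in stale_entries(parse_wad_159(SAMPLE), "FortiProxyUsers-AllUsers",
                              "Thu Apr 10 14:20:00 2025"):
        print("stale group cache:", name)
```

Paste the real `wad 159` output in place of the constructed sample and pass the current FortiProxy time as `now_str`; anything listed is a candidate for the TAC case described above.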