FortiGate
markdr_FTNT
Staff
Article Id 195014

Description

This article describes why users might appear with status 'Not Verified' in the Collector Agent when viewing logins under 'Show logon users', and how to resolve it.

Scope

FSSO Collector Agent.


Solution

While the Collector Agent receives login events for users from the DC agents, Windows does not generate log out events.
As such, the Collector Agent needs to verify periodically whether the user is still logged in. By default the Collector Agent does this via WMI; in older versions, or as a fallback, it uses the remote registry. For this purpose the Collector Agent sends traffic to the workstation on ports 139, 389 and 445.

If the Collector Agent cannot connect for any reason, the host status is set to 'Not Verified' and a log entry is added to the Collector Agent debug logs. Users in status 'Not Verified' are removed based on the Dead Entry timeout defined in the Collector Agent; by default this is 8 hours (480 minutes).

 

The most common causes for status 'Not Verified':

  1. Windows Firewall on the targeted workstation does not allow access on port 139 or 445.
  2. A network firewall blocks port 139 and/or 445 between the Collector Agent and the targeted workstation.
  3. The user's workstation returns an RPC error when a WMI query is performed.

 

To verify whether WMI operates correctly and the FSSO service account has the required permissions, the following Windows commands may be run manually:

  • Start a command prompt under the service account that the Collector Agent runs under.
  • Run this command:

wmic /NODE:<WORKSTATION_HOSTNAME_OR_IP> COMPUTERSYSTEM GET USERNAME

  • If WMI queries are allowed and work properly, this returns the user currently logged in on the targeted workstation.

Example:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
UserName
OS\boris.pozdena
 

It is also possible to list all IP addresses assigned to the remote workstation using the command below:

wmic /NODE:<WORKSTATION_HOSTNAME_OR_IP> NICCONFIG GET IPADDRESS,SERVICENAME

 

Example:

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 NICCONFIG GET IPADDRESS,SERVICENAME
IPAddress                                         ServiceName
                                                  kdnic
{"10.212.0.100"}                                  netkvm
{"169.254.90.227", "fe80::15db:2dee:7774:5ae3"}   netkvm
{"169.254.237.196", "fe80::9587:3361:5c30:edc4"}  netkvm
{"169.254.50.184", "fe80::104d:8984:167b:32b8"}   netkvm

 

Some common error messages include:

  1. Access is denied:

If the error message 'Access is denied.' appears, the service account does not have permission to perform WMI queries on the remote workstation.
To resolve the error, ensure the service account is a member of the 'Administrators' group on the remote workstation.

 

 

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
Node - 10.212.0.100
ERROR:
Description = Access is denied.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
UserName
OS\boris.pozdena

 

  2. Server execution failed:

If the WMI query execution is slow and ends with the error 'Server execution failed', the WMI service on the remote workstation is likely not running.
To resolve the problem, ensure that the 'Windows Management Instrumentation' service is running on the remote workstation.

 

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
Node - 10.212.0.100
ERROR:
Description = Server execution failed

 

The service can be enabled in the Windows Services console (services.msc) if necessary.

 

  3. The RPC server is unavailable:

If the error message 'The RPC server is unavailable.' appears, this usually indicates a connectivity problem or a problem with the workstation itself.
    To resolve the issue, ensure that:
    • The FSSO Collector Agent can reach the remote workstation.
    • Windows Firewall on the user's workstation is configured to allow WMI connections, or Windows Firewall is completely disabled.
    • The internal segmentation firewall allows TCP connections to the remote workstation on ports 135 and 445.
    • The workstation has sufficient memory available to serve the WMI request.
    • The workstation is capable of sending WMI queries to itself. To test this, execute 'WMIC COMPUTERSYSTEM GET USERNAME' on the affected workstation while logged in as an administrator.

     

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
Node - 10.212.0.100
ERROR:
Description = The RPC server is unavailable.
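As an added example (not part of this article), the following PowerShell script runs the same wmic query against a list of workstations from the Collector Agent host, after first checking TCP reachability on ports 135 and 445, and maps the output to the three error conditions described above. Run it in a PowerShell session started as the FSSO service account; the function name and the sample hostnames are assumptions.

```powershell
# Added example: batch version of the manual wmic check described in the article.
# Run from a PowerShell session started as the FSSO service account on the
# Collector Agent host. Hostnames at the bottom are constructed sample values.

function Test-FssoWmiCheck {
    param([Parameter(Mandatory)][string]$Workstation)

    $result = [ordered]@{
        Workstation = $Workstation; Tcp135 = $false; Tcp445 = $false
        Status = 'Unknown'; User = $null; Detail = $null
    }

    # Reachability first: DCOM/WMI needs the RPC endpoint mapper on 135,
    # and 445 is one of the ports the Collector Agent uses for its checks.
    foreach ($port in 135, 445) {
        $result["Tcp$port"] = (Test-NetConnection -ComputerName $Workstation -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Same query the article runs by hand; wmic prints its ERROR block to the console.
    $output = (& wmic "/NODE:$Workstation" COMPUTERSYSTEM GET USERNAME 2>&1 | Out-String)
    $result.Detail = $output.Trim()

    # Map the output to the conditions the article describes. First match wins.
    switch -Regex ($output) {
        'Access is denied'          { $result.Status = 'AccessDenied';   break }  # not in local Administrators
        'Server execution failed'   { $result.Status = 'WmiServiceDown'; break }  # winmgmt not running
        'RPC server is unavailable' { $result.Status = 'RpcUnavailable'; break }  # firewall or connectivity
        'UserName\s+(\S+)'          { $result.Status = 'Verified'; $result.User = $Matches[1]; break }
        default                     { $result.Status = 'NoUserLoggedOn' }         # query worked, no interactive user
    }
    [pscustomobject]$result
}

# Constructed sample list; replace with the hosts that show 'Not Verified'.
'WS-SALES-01', '10.212.0.100' |
    ForEach-Object { Test-FssoWmiCheck -Workstation $_ } |
    Format-Table Workstation, Tcp135, Tcp445, Status, User -AutoSize
```

A host that shows Tcp135 false together with RpcUnavailable points at a firewall, while AccessDenied with both ports open points at the service account's group membership.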

Remote Registry

On all currently supported versions of the FSSO Collector Agent, this method is used only when the WMI workstation check is disabled under Collector Agent -> Advanced Settings -> General tab -> Workstation Check.
If the Collector Agent cannot connect to the host on ports 139 and 445 to perform this check, the host status is set to 'Not Verified' and a log entry such as one of the following is added to the Collector Agent logs:

 

name_ip_match: failed to connect to workstation

or

wksta_check: failed to connect to workstation:

 

There are a few things that can prevent the Collector Agent from connecting to the user's workstation via remote registry. The following are the most common causes:

 

  • Most commonly, a host firewall on the user's workstation prevents remote access on ports 139 and/or 445. Try opening the ports on the host firewall or disabling it altogether.
  • A network firewall is blocking ports 139 and 445 between the Collector Agent and the user's workstation.
  • If the Remote Registry service is not running on the user's workstation, the Collector Agent will not be able to connect to the registry remotely. Make sure the Remote Registry service is running.

 


  • It may also be caused by a Microsoft upgrade issue, as outlined in this Microsoft article. Using 'Regedit', open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers, edit the permissions on the winreg key and grant Local Service Read and Write access.
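As an added example (not part of this article), the following PowerShell checks the three things the Remote Registry fallback depends on for one workstation: TCP reachability on ports 139 and 445, the state of the Remote Registry service, and an actual remote open of the winreg key whose permissions the last bullet refers to. Run it as the FSSO service account in Windows PowerShell 5.1 on the Collector Agent host (Get-Service -ComputerName is not available in PowerShell 7); the function name and the sample address are assumptions.

```powershell
# Added example: checks for the Remote Registry path described in the article.
# Run as the FSSO service account in Windows PowerShell 5.1 on the Collector host.
# The workstation address at the bottom is a constructed sample value.

function Test-FssoRemoteRegistryCheck {
    param([Parameter(Mandatory)][string]$Workstation)

    $r = [ordered]@{
        Workstation = $Workstation; Tcp139 = $false; Tcp445 = $false
        RemoteRegistrySvc = 'Unknown'; WinregKeyOpen = 'NotAttempted'; Detail = $null
    }

    # The ports the Collector Agent uses for the remote registry check.
    foreach ($port in 139, 445) {
        $r["Tcp$port"] = (Test-NetConnection -ComputerName $Workstation -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Service state is read over the same SMB/RPC path the Collector Agent uses;
    # a failure here usually means one of the ports above is blocked.
    try {
        $svc = Get-Service -ComputerName $Workstation -Name RemoteRegistry -ErrorAction Stop
        $r.RemoteRegistrySvc = $svc.Status.ToString()      # expect 'Running'
    } catch {
        $r.RemoteRegistrySvc = 'QueryFailed'
        $r.Detail = $_.Exception.Message
    }

    # Open HKLM remotely and read the key the article's permission fix targets.
    # 'Access is denied' here points at the winreg permissions; a connection
    # error points at the ports or the service.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Workstation)
        $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg')
        $r.WinregKeyOpen = if ($key) { 'OK' } else { 'KeyMissing' }
        $hklm.Close()
    } catch {
        $r.WinregKeyOpen = 'Failed'
        $r.Detail = $_.Exception.Message
    }

    [pscustomobject]$r
}

Test-FssoRemoteRegistryCheck -Workstation '10.212.0.100' | Format-List
```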


If the following error appears in the Collector Agent logs or when testing the workstation:

 

wksta_check: workstation has no valid ip address

 


  • This check was performed using the Remote Registry service, not WMI (this can happen if the workstation verify interval is set to zero on the Collector Agent).

  • The targeted workstation was able to reply via Remote Registry, but not via WMI.

  • Verify the WMI and OS versions, or consider disabling WMI on the Collector Agent.

    • If using polling mode, switch from WinSecWMI to WinSec.

    • Go to Advanced Settings -> General -> Workstation Check, and uncheck the option 'Use WMI to check user logoff'.

 
