markdr_FTNT
Staff
Article Id 195014

Description

 

This article describes how users might appear in the status 'Not Verified' in Collector Agent when viewing logins under 'Show logon users' and how to resolve the error.

 

 
Scope

 

FSSO Collector Agent.


Solution


While the Collector Agent receives login events for users from the DC agents, Windows does not generate logout events.
As such, the collector agent needs to verify periodically if the user is still logged in.

 

The Collector Agent does this via WMI by default and via remote registry in older versions or as a fallback. The Collector Agent sends traffic on ports 139, 389, and 445 for these functions.

 

If the collector agent cannot connect for any reason, the host status is set to 'Not Verified', and a log entry will be added to the collector agent debug logs. Users in status 'Not Verified' will be removed based on the Dead Entry timeout defined in Collector Agent; by default, this is 8 hours (480 minutes).

 

The most common causes for status 'Not Verified':

  1. Windows Firewall on the targeted workstation does not allow access on port 139 or 445.
  2. A network firewall blocks port 139 and/or 445 between the Collector Agent and the targeted workstation.
  3. The user's workstation returns an RPC error when a WMI query is performed.

 

To verify if WMI operates correctly and the FSSO service account has the required permissions, some Windows commands may be used manually:

  • Start a command prompt under the service account that the Collector Agent runs under.
  • Use this command:

 

wmic /NODE:<WORKSTATION_HOSTNAME_OR_IP> COMPUTERSYSTEM GET USERNAME

 

  • This should return the user currently logged in on the targeted workstation if WMI queries are allowed and work properly.

 

Identify the FSSO Service Account Name:

Determine which user account is configured for the Fortinet Single Sign-On (FSSO) Collector Agent service. This can be done by running either of the following CMD commands on the Collector Agent:

 

sc qc Fortinet_FSAE
wmic service where 'name like "Fortinet_FSAE"' get name,startname,DisplayName


The output will show the STARTNAME, which is the service account used by the FSSO Collector Agent service.

 

Use the 'Runas' Command to test WMI queries as the FSSO Service Account:
The Windows runas command allows a Windows user to launch programs under a different user with the appropriate credentials.

Open a normal Command Prompt (cmd.exe).

runas /user:DOMAIN\USERNAME cmd.exe


Replace DOMAIN\USERNAME with the actual domain and username of the FSSO service account. This will prompt for the account’s password.

 

Note:

Depending on the permissions setup, it may be necessary to launch an elevated (administrator) Command Prompt first to enable the runas command.

 

Alternative: PowerShell can also be used to verify the FSSO service account permissions:

 

runas /user:DOMAIN\USERNAME "powershell.exe"
Microsoft Windows [Version 10.0.14393]

(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
UserName
OS\boris.pozdena

 

It is also possible to validate all IP addresses assigned to the remote workstation using the command below:
 
wmic /NODE:<WORKSTATION_HOSTNAME_OR_IP> NICCONFIG GET IPADDRESS,SERVICENAME

 

Example:

 

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\admin>wmic /NODE:10.212.0.100 NICCONFIG GET IPADDRESS,SERVICENAME
IPAddress                                         ServiceName
                                                  kdnic
{"10.212.0.100"}                                  netkvm
{"169.254.90.227", "fe80::15db:2dee:7774:5ae3"}   netkvm
{"169.254.237.196", "fe80::9587:3361:5c30:edc4"}  netkvm
{"169.254.50.184", "fe80::104d:8984:167b:32b8"}   netkvm

 

Common Error Messages:

  1. Access is denied: If the error message 'Access is denied' shows up, this means that the service account does not have permission to perform WMI queries on the remote workstation. To resolve the error, ensure the service account is a member of the 'Administrators' group on the remote workstation.

     

    Microsoft Windows [Version 10.0.14393]
    
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
    Node - 10.212.0.100
    ERROR:
    Description = Access is denied.
    
    C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
    UserName
    OS\boris.pozdena

     

  2. Server execution failed: If the WMI query execution is slow and ends with the error 'Server execution failed', the WMI service on the remote workstation is not running.

    To resolve the problem, ensure that the 'Windows Management Instrumentation' service is in a running state on the remote workstation.

     

    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    
    C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
    Node - 10.212.0.100
    ERROR:
    Description = Server execution failed
    
    

     

    The WMI service can be enabled if necessary (see the Microsoft article 'Setting up a Remote WMI Connection').

     

  3. The RPC server is unavailable: If the error message 'The RPC server is unavailable.' shows up, this usually indicates a connectivity problem or a problem with the workstation.
    To resolve the issue, ensure that:
    • The FSSO Collector Agent has reachability to the remote workstation.
    • Windows Firewall on the user workstation is configured to allow WMI connections, or Windows Firewall is completely disabled.
    • The internal segmentation firewall allows TCP connections to the remote workstation on ports 135 and 445.
    • The workstation has sufficient memory available to serve the WMI request.
    • The workstation is capable of sending WMI queries to itself. To test the functionality, execute 'WMIC COMPUTERSYSTEM GET USERNAME' on the affected workstation while logged in as administrator.

     

    Microsoft Windows [Version 10.0.14393]
    
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    C:\Users\admin>wmic /NODE:10.212.0.100 COMPUTERSYSTEM GET USERNAME
    Node - 10.212.0.100
    ERROR:
    Description = The RPC server is unavailable.
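The manual checks above (identify the service account, then run the COMPUTERSYSTEM and NICCONFIG queries against the workstation) and the error classification in this section, combined into one PowerShell script. This is an added example, not Fortinet's code; it assumes Windows PowerShell 5.1 on the Collector Agent host, the service name Fortinet_FSAE from this article, and the hypothetical function name Test-FssoWmiCheck. Passing -Credential runs the check as the service account without needing runas.

```powershell
# Added example (not Fortinet's code): reproduce the Collector Agent's WMI workstation check.
param(
    [Parameter(Mandatory)][string]$Workstation,   # hostname or IP to verify
    [string]$ServiceName = 'Fortinet_FSAE',        # FSSO Collector Agent service name
    [pscredential]$Credential                      # optional: run the check as the service account
)

# 1. Which account does the Collector Agent run as? (equivalent of 'sc qc Fortinet_FSAE')
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Collector Agent service account: $($svc.StartName)" }
else      { "Service '$ServiceName' not found on this host" }

# 2. The same two queries as wmic COMPUTERSYSTEM / NICCONFIG, over DCOM like wmic (not WinRM).
function Test-FssoWmiCheck {
    param([string]$ComputerName, [pscredential]$Credential)
    $sessionArgs = @{ ComputerName = $ComputerName; ErrorAction = 'Stop'
                      SessionOption = (New-CimSessionOption -Protocol Dcom) }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $cim = $null
    try {
        $cim = New-CimSession @sessionArgs
        $cs  = Get-CimInstance -CimSession $cim -ClassName Win32_ComputerSystem -ErrorAction Stop
        $nic = Get-CimInstance -CimSession $cim -ClassName Win32_NetworkAdapterConfiguration -ErrorAction Stop |
               Where-Object { $_.IPAddress }
        [pscustomobject]@{
            Workstation  = $ComputerName
            Status       = 'Verified'
            LoggedOnUser = $cs.UserName                  # same value as 'GET USERNAME'
            IPAddresses  = ($nic.IPAddress -join ', ')   # same value as 'GET IPADDRESS'
            Hint         = $null
        }
    } catch {
        # Classify the failure the way the 'Common Error Messages' section does.
        $msg  = $_.Exception.Message
        $hint = switch -Regex ($msg) {
            'Access is denied'          { 'Service account lacks rights: add it to local Administrators on the workstation' }
            'RPC server is unavailable' { 'Connectivity: check reachability and TCP 135/445 through host and network firewalls' }
            'Server execution failed'   { 'WMI (Windows Management Instrumentation) service not running on the workstation' }
            default                     { "Unclassified error: $msg" }
        }
        [pscustomobject]@{ Workstation = $ComputerName; Status = 'Not Verified'
                           LoggedOnUser = $null; IPAddresses = $null; Hint = $hint }
    } finally {
        if ($cim) { Remove-CimSession $cim }
    }
}

$checkArgs = @{ ComputerName = $Workstation }
if ($Credential) { $checkArgs.Credential = $Credential }
Test-FssoWmiCheck @checkArgs | Format-List
```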

     

Remote Registry:

On all currently supported versions of FSSO Collector Agent, this method will be used only when the WMI workstation check is disabled under Collector Agent -> Advanced Settings -> General tab -> Workstation Check.
If the collector agent cannot connect to the host on ports 139 and 445 to perform this check, the host status is set to 'Not Verified' and a log entry will be added to the collector agent logs.

 

name_ip_match: failed to connect to workstation
or
wksta_check: failed to connect to workstation:

 

There are a few things that can cause the collector agent not to be able to connect to the user's workstation via remote registry. The following are the most common causes:

  • Most commonly, a host firewall on the user's workstation prevents remote access on ports 139 and/or 445. Try opening the ports on the host firewall or disabling it altogether.
  • A network firewall is blocking ports 139 and 445 between the collector agent and the user's workstation.
  • If the remote registry service is not running on the user's workstation, the collector agent will not be able to connect to the registry remotely. Make sure the remote registry service is running.

 


 

  • It may also be caused by a Microsoft upgrade issue, as outlined in this Microsoft Article. Using 'Regedit', open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers, edit the permissions of the winreg key, and grant Local Service Read and Write access.
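An added PowerShell check for the remote-registry path (not Fortinet's code): it probes TCP 139 and 445 on the workstation and then opens HKLM remotely, which fails when the Remote Registry service is stopped or the winreg permissions deny the caller. It assumes the hypothetical function name Test-FssoRemoteRegistry and uses the workstation IP from this article's examples; run it from a prompt launched under the FSSO service account so the registry access is tested with that account's rights.

```powershell
# Added example (not Fortinet's code): test the prerequisites of the
# Collector Agent's remote-registry workstation check.
function Test-FssoRemoteRegistry {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$TimeoutMs = 2000)
    $result = [ordered]@{ Workstation = $ComputerName }

    # Ports the Collector Agent uses for the remote-registry check.
    foreach ($port in 139, 445) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)          # throws if the port is refused
                $result["TCP$port"] = 'open'
            } else {
                $result["TCP$port"] = 'no response (timed out: host or network firewall?)'
            }
        } catch {
            $result["TCP$port"] = "refused or unreachable: $($_.Exception.Message)"
        } finally { $client.Close() }
    }

    # Open HKLM remotely with the caller's credentials. This fails when the
    # Remote Registry service is stopped or winreg (SecurePipeServers) denies access.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $result.RemoteRegistry = 'reachable'
        $hklm.Close()
    } catch {
        $result.RemoteRegistry = 'failed: ' + $_.Exception.Message +
            ' (check the Remote Registry service state and winreg permissions)'
    }
    [pscustomobject]$result
}

# Workstation IP taken from this article's examples.
Test-FssoRemoteRegistry -ComputerName '10.212.0.100' | Format-List
```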


If the following error crops up in collector agent logs or when testing the workstation:

 

wksta_check: workstation has no valid ip address

 


 

  • This check was performed using the Remote Registry Service, not WMI (this could happen if the workstation verify interval is set to zero on the Collector Agent).

  • The targeted workstation was able to reply via Remote Registry, but not WMI.

  • Verify the WMI and OS versions, or consider disabling WMI on the Collector.

    • If using polling mode, switch from WinSecWMI to WinSec.

    • Go to Advanced Settings -> General -> Workstation Check, and uncheck the option 'Use WMI to check user logoff.'

 

Related articles:

Technical Tip: FSAE Troubleshooting Guide

Technical Tip: Optimization of FSSO workstation check