- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FSSO polling mode - can’t see user logins
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO polling mode - can’t see user logins
Hi,
We have a situation where we have setup ldap correctly and able to browse user directory, all groups etc showing as expected.
Problem we have seen is any users logged in- not seeing by the firewall.
There are no antivirus/firewall port blocks on the AD server, and an adminaccount used for polling.
Firewall debug showing sent login info packet 1 and no login info received packets
This is a 300e firewall in vdom mode- unfortunately running 5.2.10 which we cant upgrade just on the sly as it does have other live customers and fortinet tac not helping as its out dated version.
Wondering if anyone else come across this before and share some pointers?
We think its an issue on AD server but not wnough substance to prove it back to the end user.
Thanks.
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The answer is probably here:
got rpc eventlog read command smbcd: rpccli_eventlog_open:121 /Chroot_Build/19/SVN_REPO_CHILD/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-121: connect err(NT_STATUS_NOT_SUPPORTED) smbcd: rpc_cmd_eventlog_read:919 open rpc err(10.0.3.2:administrator:0) from security log!, Please check correct server name, user name, password, port and log source
Often, the issue is that the user used in the fsso configuration does not have sufficient rights to read event log. Fastest check would be to use domain admin with correct password.
Best Regards,
Alivo
livo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SW INFO: -Windows Server 2008R2
STATUS: working.
I am login as domain administrator and these need to be changed on GPO
DC1 type gpmc on cmd right click Edit on Forest: domain.com/Domains/domain.com/Default Domain Policy click Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Logon
Change these to Success Audit Credential Validation Audit Kerberos Authentication Service Audit Kerberos Service Ticket Operations
http://goo.gl/lhQjmUhttp://nbctcp.wordpress.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I face same problem
My FG version is 6.0.9,
My goal is to built firewall policy and use policy with user instead of ip address'
I configured ldap server (user with admin privilege's)
I configured fabric connector (poll active directory), I can see all users, groups from AD but the connector status is down
I tried to debug with following commands:
diagnose debug application fssod -1:- [handle_reply:489] wrong format of data status. len 8 <> 4.
diagnose debug application smbcd -1
- smbcd: smbcd_process_request:947 got cmd id: 6
smbcd: smbcd_process_request:960 got rpc log field.
smbcd: smbcd_process_request:972 got rpc username: <user>@staff.technion.ac.il
smbcd: smbcd_process_request:978 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:982 got rpc port: 0
smbcd: smbcd_process_request:988 got rpc logsrc: security
smbcd: smbcd_process_request:966 got rpc server: x.68.25.x
smbcd: smbcd_process_request:1015 got VFID, 0
smbcd: smbcd_process_request:1105 got rpc eventlog read command
smbcd: rpccli_eventlog_open:144 /Chroot_Build/12/SVN_REPO_CHILD/FortiOS/fortinet/daemon/smbcd/smbcd_smb4eventlog.h-144: evenglog handle get failed.
smbcd: rpc_cmd_eventlog_read:900 open rpc err(x.68.25.x:<user>@staff.technion.ac.il:0) from security log!, Please check correct server name, user name, password, port and log source
My system guy check in AD server and RPC is running
He also checked this:
Default credential validation success
Audit kerberos authentication success
Audit kerberos service ticket operations success
Audit other account logon events success
Any idea or help will be welcomed
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Rafi,
two things you can check:
- sometimes, there can be issues if the user for polling is configured as 'domain\user' or 'user@domain'; try just username
- there was a change in how Microsoft allows access to security event log API last summer, breaking FSSO polling mode a bit; this is fixed in firmware version 6.2.10, 6.4.7 and 7.0.2
-> if your domain controllers are properly patched, you may be affected by this
-> upgrade FortiGate to 6.2.10, or get a Collector Agent instead to do the polling (Collector Agent is not affected as long as all domain controllers are patched) and have FortiGate connect to the Collector Agent instead.
This is fixed under bug ID 725056, if you want to check FortiGate release notes
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks you very much for your answer,
I tried any combination with the user name but unfortunately did not work,
So my Options are work with agent or upgrade version
Thanks again
Regards
Rafi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, in that case, your options are to upgrade the FortiGate or set up collector agent to handle polling instead.
Glad I was able to assist a little :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much
Regards
Rafi
- « Previous
-
- 1
- 2
- Next »
Related Posts
- FortiClient Azure SSO VPN issues 60 Views
- Separate authentication and authorization 199 Views
- SSLVPN user can change password for... 444 Views
- Securing GUI login for the ADMIN... 263 Views
- FSSO Windows NPS 342 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.