pnobels
New Contributor III

After upgrade to authenticator 6.5.4 issues with some clients

Hi,

 

Did the VM upgrade yesterday from 6.4.4 to 6.5.4. No issues during or after the upgrade.

This morning I got reports that some clients simply do not record their FSSOMA session. Even after rebooting the laptop, I can't trace the SSO session on the authenticator. Also, authenticating using the portal fails to record the session (they do authenticate correctly though).

For other clients in the same subnet this does actually work... For those where it fails, a test-netconnection [IP] -port 8001 works without any issue...

Default client is 6.4.8.1755

 

Anyone encountered similar issues...?

3 REPLIES
pnobels
New Contributor III

Seems there is a bug which is related to the length of the AD group membership or number of groups a user is in. We'll need to find out which version will not have this bug, or if there is a hotfix... Until then, the snapshot will need to be restored.

ebilcari

If you think that this is a bug, please open a ticket with TAC support to investigate it further. I did a search and didn't find a similar reported issue for 6.5.4.

After the upgrade were you able to collect the debug logs (https://<FAC IP/FQDN>/debug/fsso-agent/) and a packet capture for agent communication with FAC?

How did you isolate the problem being related to AD?

There is a reported issue for upgrades from 6.4.4 related to some FCT not sending client certificate (837697). You can try with this option disabled:

[Screenshot: TLS connection.PNG]

- Emirjon
pnobels
New Contributor III

Hi, it's been escalated and engineering is currently having a look at this. I took a look at the logs, but unless you use a full agent there's not much debugging in there. After adding debug to the authenticator link we could see an entry 'cache item status: group string too long'. As mentioned, only a limited number of users experienced this issue.
