I am about to deploy Agent based FSSO for the first time. I was planning to deploy the Collector Agent and DC Agent on each of the two domain controllers in the domain to be monitored and the TS Agent on one RD Session Host (terminal server). However, I am confused by the following statement on page 541 of the FortiOS Handbook for FortiOS 5.2.
It is best practice to install FSSO agents using the built-in local administrator account.
The problem with this statement is twofold. First, there are no local accounts on a domain controller. So, if it is best practice to install the CA on a domain controller, this statement doesn't make sense. Second, if I install the CA on a member server using a local administrator account, the account will not have domain credentials and will not be able to retrieve information from active directory.
How do I resolve this conundrum?
More questions to follow, I'm sure.
Hello,
Collector is recommended to be run under account who is Domain Admins group member. To get enough rights to run, connect LDAP, make remote registry check on workstations etc. Therefore install under Domain Admins kind of account and you'll be safe with less head scratching.
Kind regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
If the use of a domain admin account is recommended, I would like to see the documentation updated to reflect that advice.
jossmi wrote:If the use of a domain admin account is recommended, I would like to see the documentation updated to reflect that advice.
Done already.
For example search KB for "fsso admin" and see article FD36039:
"In order to simplify configuration, Fortinet Single Sign On Agent Service is suggested to run with a domain admin account."
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36039
Or see FSSO setup screen where you are entering account username/password for Collector and read above "please input the user account's name and password. This must be and administrator user."
Or see docs.fortinet.com Authentication guide
http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf
"Installing FSSO without using an administrator account
Normally when installing services in Windows, it is best to use the Domain Admin account, as stated earlier. This ensures installation goes smoothly and uninterrupted, and when using the FSSO agent there will be no permissions issues. However, it is possible to install FSSO with a non-admin account in Windows 2003 or 2008 AD."
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
I appreciate the additional references that you provided. However, the reference that I first cited, which appears in both the Authentication Guide and the Handbook, still needs to be changed.
Agent installation
After reading the appropriate sections of "Introduction to agent-based FSSO" on page 118 to determine which FSSO agents you need, you can proceed to perform the necessary installations.
Ensure you have administrative rights on the servers where you are installing FSSO agents. It is best practice to install FSSO agents using the built-in local administrator account. Optionally, you can install FSSO without an admin account. See "Installing FSSO without using an administrator account" on page 129.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1742 | |
1114 | |
760 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.