billp
Contributor

Domain Admin required for FSSO?

I am configuring FSSO on my Active Directory servers, and it appears to require a Domain Admin user for installation and for running the service. Is everyone else also using a Domain Admin user to run the FSSO agent on your DCs? It seems like a security risk, especially since you also need to open up port 445 or 139 on all workstations to verify login status every 5 minutes. I am looking for any best practices in this area if someone has suggestions. Thanks.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Alivo__FTNT
Staff

Admin credentials are very important for overall FSSO CA operation. Without this account, collectoragent.log might not be created. Domain Admin credentials are also mandatory to complete, for example, workstation checks. If you are running Collectors in polling mode, they are opening the security event log or calling RPC NetAPI. Both require domain admin privileges.

livo

billp

Thanks. That's good to know. I created a Domain Admin user that has some basic login restrictions and it appears to be working OK.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
