Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FSSO Authentication Issue-Same Credentials, Differ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO Authentication Issue-Same Credentials, Different IP
FSSO Authentication Issue: Same Credentials, Different IP – No Access
We’ve identified an issue with Fortinet Single Sign-On (FSSO) where users are unable to authenticate when connecting from a different IP address using the same username and password.
Problem Overview: When a user logs in from one IP address, FSSO successfully authenticates and grants access. However, if the same user attempts to connect from a different IP (e.g., switching networks or subnet), authentication fails—even though the credentials remain unchanged.
Possible Cause: FSSO relies on IP-to-user mapping via polling agents or DC agents. If the IP address changes and the new IP isn’t mapped to the user in the collector agent’s cache, the firewall cannot verify the user identity, resulting in failed authentication.
Suggested Additional Steps:
1) Force logoff from AD to trigger a fresh login event.
2) Restart the FSSO Collector Agent service to refresh mappings.
3) Ensure all domain controllers are properly polled by the collector agent.
Work Around:
Option 1:
Manually clear the user’s session entry from the FSSO Collector Agent or polling source (e.g., DC Agent), and remove any stale AD session records. This will trigger a fresh authentication and update the IP-user mapping.
Option 2:
Flush the DNS cache on the user’s device and perform a Windows logout/login or reconnecting to the network. This process helps clear any stale network records from the system and initiates a fresh authentication cycle, which can assist in resolving FSSO-related login issues.
Din
Din
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Majority of polling sources (event logs, DC Agent) provide a hostname, which the Collector will always try to resolve to get the user's current IP, so the first step towards a functional user that just moved to a different IP is to ensure that DNS records are up to date, and update fast.
The refresh can then be triggered by two events:
- "IP address change verify interface" aka DNS check. By default started every 60 seconds. If the FSSO has the hostname of the PC, it will use DNS to keep the IP updated.
- New logon event: If the user generates a new logon event, the Collector will go through the whole process of processing a logon even, which includes resolving the hostname via DNS.
As you can see from this, FSSO is critically dependent on correct and fresh DNS records. If for any reason DNS cannot be "trusted", there's not many alternatives left. The best one is probably FSSOMA (clients actively reach out to the FAC Collector to report their current IP and user), but that requires FortiAuthenticator + special FSSOMA license + FortiClients installed on endpoints. (they can be the free version nowadays, but of course they will be easier to handle if managed by FortiClient EMS).
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As part of this new procurement, it is important to highlight that the customer has no intention to purchase additional products, such as FortiAuthenticator or FSSOMA licensing, solely for the purpose of enabling Fortinet Single Sign-On (FSSO). This requirement imposes a limitation on the solution architecture, and must be carefully considered during the planning and recommendation phases.
While Fortinet’s FSSO offers a native integration with Windows AD environments and is a widely adopted solution, its heavy dependence on accurate and timely DNS resolution introduces potential reliability challenges—particularly in dynamic network environments. The Collector’s reliance on hostnames (from event logs or DC Agents) and subsequent DNS lookups means that any delay or inaccuracy in DNS updates can result in incorrect user-IP mappings, thereby impacting security policy enforcement.
Fortinet does offer FSSOMA as an enhancement to mitigate this issue. However, deploying FSSOMA requires:
- A FortiAuthenticator appliance or VM,
- A separate FSSOMA license, and
- FortiClient installed on all endpoints.
This approach introduces both additional cost and infrastructure complexity, which is not aligned with the customer’s procurement objectives.
It is also important to acknowledge that there are several alternative SSO solutions in the market that:
- Deliver accurate user identification without relying on DNS,
- Do not require additional licensing or infrastructure, and
- Offer simpler integration with modern identity platforms such as Azure AD, Okta, or Google Workspace.
Given the customer’s requirements—namely, avoiding extra product purchases and reducing integration overhead—it is advisable to explore alternative SSO implementations that can provide reliable and cost-effective user identification without the limitations observed in FSSO's default configuration.
We appreciate your understanding and look forward to a recommendation that meets the customer’s operational and financial expectations.
Din
Din
Labels
-
FortiGate
10,510 -
FortiClient
2,135 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
674 -
5.4
638 -
FortiSwitch
578 -
FortiAP
558 -
FortiClient EMS
551 -
6.0
416 -
IPsec
411 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
277 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
126 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
FortiSandbox
53 -
fortilink
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
Users
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2549 | |
| 1356 | |
| 795 | |
| 646 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.