Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mikatechs
New Contributor II

FSSO Collector Agent not getting / catching EVERY user logon event.

Dear Community,

We have a problem regarding user authentication with FSSO. Some users are not getting in "Currently logon users" list in FSSO even though when I try to logoff and logon again, even restarting the machine does not help, but when I check Event Viewer on DC the user is successfully logged in / Authenticated. I will describe as detailed as I can:

* We have 2 Domain Controllers (Windows Server 2022 Datacenter)
* We do NOT use Explicit Proxy mode. Our fortigate device is Default gateway for users. 
1. I have set Firewall Inbound Rules on DC's : UDP/8002, TCP/8000-8001 (For Agent communication)

2. I have set Firewall Inbound Rules for Domain Users: UDP/137-138, TCP/445, WMI (For User workstation check and logoff event).

3. I have installed FSSO Collector Agent (Advanced Mode) and DC Agent on both Domain Controllers. (FSSO_Setup_5.0.0308_x64). Used Domain Admin Credentials.
4. HKLM/SOFTWARE/Fortinet/FSAE/DCAgent/ca - shows both DC IP's on both Domain Controllers.
5. "Show Service Status" displays my Fortigate device.

6. "Show Monitored DCs" displays both DCs on both servers.
7. "Set Directory Access Information" is set to Advanced as I have mentioned above.


But still some users won't get in "Logon users list" even if they logoff and logon to their workstations.
Also I have tried to "Clear User Cache" on FSSO Collectors and Users are getting in list very slowly during busy working hours.


If anyone had same experience and have found a solution to this, I would really appreciate a feedback. 

P.S. Is there any way to authenticate user without logging off and log on again? for eg: Authenticate user when user starts a web browser session?

Thanks in Advance

 

 

1 Solution
mikatechs
New Contributor II

I have managed to solve this issue.
Reinstalled FSSO Collectors and DC Agents on both Domain Controllers.
Confirmed that both Domain Controllers had both entries in regedit: HKLM/SOFTWARE/Fortinet/FSAE/DCAgent/ca (IP's Must be specified with separate lines in regedit).
Rebooted Domain Controllers and it started to work. :) 

View solution in original post

4 REPLIES 4
knagaraju
Staff
Staff

Hello,

Could you please try the steps as per the below link and let me know if it works
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in...

Regards,
Nagaraju.

mikatechs
New Contributor II

Thank you for your reply. I have not tried it yet, but that would be our last option since it's polling mode. As described in Fortigate Manual, DC Agent Mode is best practice and won't miss any logon event unlike Polling Mode. So I'm still confused why it's not perfectly working in my case. We have 600 Users, I have tested on small number of users (10 Users) and its working normally, but when we try to put it in production around 40% of users are authenticating normally and they can access internet, and 60% get Disclaimer Page, even if they logoff and logon again, they still get Disclaimer Page and can not access Internet.

mikatechs
New Contributor II

I have managed to solve this issue.
Reinstalled FSSO Collectors and DC Agents on both Domain Controllers.
Confirmed that both Domain Controllers had both entries in regedit: HKLM/SOFTWARE/Fortinet/FSAE/DCAgent/ca (IP's Must be specified with separate lines in regedit).
Rebooted Domain Controllers and it started to work. :) 

Niranjan_Sambhoo

Hi @mikatechs - Thank you very much for posting your solution, it has worked for me as well. We were also facing similar issue for user authentication and after removing dead Collector Agent IP's from registry "HKLM/SOFTWARE/Fortinet/FSAE/DCAgent/ca" we can see all user logon events were sent to live collector agent.

 

Regards,

Swapnil Nawale

Top Kudoed Authors