Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ykonstantakopoulos
New Contributor III

FSSO-Polling (v.5.2.3) and windows 2012 R2 issue

Hello forum,

 

We are using a FortiGate 100D (v5.2.3,build670 (GA)) and are trying to configure FSSO polling to a Windows 2012 R2 AD.

 

We have configured LDAP (it works fine) and the connection status is successful. We are able to see the whole LDAP tree and LDAP authentication is working fine. We are using LDAP groups (for SSL VPN access).

 

But the problem comes when we try to create the FSSO server.

Using "diag debug fsso-polling detail" we get:

 

AD Server Status:
port=auto username=administrator
read log offset=0, latest logon timestamp: Thu Jan 1 03:00:00 1970
polling frequency: every 10 second(s)
success(0), fail(1069)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
most recent connection status: err: server can not be accessible

 

- We have tried with the AD server firewall disabled, and the user we are using is actually the built-in administrator account.

- We also tried to configure FSSO polling with another AD (2003) and it is working fine.

 

Has anyone come across this problem with Windows 2012 R2 before?

 

Thanks for any suggestions in advance,

 

Yiannis

 

 

 

13 REPLIES
siomyn
New Contributor III

Hi Yianis,

Do you use Windows Server 2012 R2 Enterprise edition?

OMYN

Technical Consultant | Indonesia CCNP Security, Fortinet NSE 

ykonstantakopoulos
New Contributor III

Hi Siomyn,

 

Thanks for the response!

It is standard edition.

siomyn

Some people have already discussed this; they say: "Windows Server 2012 is not officially supported with FortiOS yet. The account specified in the FSSO configuration must be a member of Domain Administrators. FSSO looks for the logon and logoff events (4768, 4769 and 4776) from the DCs; these logs are not enabled by default on Windows Server 2012. Please make sure these logs are enabled on the Windows server."

source : https://www.linkedin.com/grp/post/1769457-229334710 

 

But maybe you can make sure with TAC about this case ...

OMYN

Technical Consultant | Indonesia CCNP Security, Fortinet NSE 

Carl_Wallmark
Valued Contributor

Another thing you can check,

 

Is the Windows Server 2012 directly connected to the firewall, or is there an L3 network in between?

 

If there is, you might need to set the "source-ip" in the CLI under the FSSO polling configuration.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

ykonstantakopoulos
New Contributor III

Hi selective,

 

It is directly connected (just one lan).

 

Anyways thanks for your response!

Elthon_Abreu
Contributor

Hi everyone,

 

On my FGT the command "diag debug fsso-polling detail" returns "fsso daemon is not running". My FortiOS is 5.2.3. I don't know why.

 

#diag debug fsso-polling detail

Elthon Abreu FCNSA v5

Ralf_Lauerwald
New Contributor

We have the same problem.

The only thing which has helped so far on 2012R2 is to give the Fortinet service account user Domain Admin rights; then it works, but we are searching for another solution.
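A way to check the two points raised above on the DC itself (siomyn's note that 2012 R2 must actually be auditing events 4768, 4769 and 4776 before polling mode has anything to read, and Ralf's finding that the polling account's group membership decides whether the poll succeeds), as an added PowerShell example that is not part of any post in this thread. It assumes an elevated session on the 2012 R2 domain controller with the RSAT ActiveDirectory module installed; the account name svc-fsso is a placeholder for whatever account is set as "user" in the FortiGate's fsso-polling entry.

```powershell
# Added example, not from the thread. Run elevated on the Windows 2012 R2 DC.
# 1) Is the DC generating the logon events FSSO polling mode reads?
# 2) Are any such events actually being written right now?
# 3) Which groups does the polling account belong to?

$PollingAccount = 'svc-fsso'   # placeholder: the "set user" value in the FortiGate config

# Advanced audit subcategories and the event IDs they produce
$Subcategories = [ordered]@{
    'Kerberos Authentication Service'    = 4768
    'Kerberos Service Ticket Operations' = 4769
    'Credential Validation'              = 4776
}

Write-Host "== Effective audit policy on $env:COMPUTERNAME =="
foreach ($name in $Subcategories.Keys) {
    # auditpol /r emits CSV; the 'Inclusion Setting' column holds e.g. "Success and Failure"
    $row     = & auditpol.exe /get /subcategory:"$name" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    $status  = if ($setting -match 'Success') { 'OK' } else { 'MISSING' }
    Write-Host ("{0,-38} event {1}: {2} ({3})" -f $name, $Subcategories[$name], $status, $setting)
}

# To turn on success auditing locally for a MISSING subcategory, uncomment:
# foreach ($name in $Subcategories.Keys) { & auditpol.exe /set /subcategory:"$name" /success:enable }
# (If the Default Domain Controllers Policy defines Advanced Audit Policy, set it there instead;
#  the GPO overwrites local auditpol changes at the next refresh.)

# Confirm events are really landing in the Security log (last 10 minutes)
$Since  = (Get-Date).AddMinutes(-10)
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4776; StartTime = $Since } `
          -ErrorAction SilentlyContinue
Write-Host "`n== Logon events since $Since : $(@($Events).Count) =="
$Events | Group-Object Id | ForEach-Object { Write-Host ("  event {0}: {1}" -f $_.Name, $_.Count) }

# Show the fields FSSO cares about (account and source) for the five newest events
$Events | Select-Object -First 5 | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4768/4769 carry IpAddress; 4776 carries Workstation instead
    $src = if ($data.ContainsKey('IpAddress')) { $data['IpAddress'] } else { $data['Workstation'] }
    Write-Host ("  {0} id={1} user={2} source={3}" -f $_.TimeCreated, $_.Id, $data['TargetUserName'], $src)
}

# Group membership of the polling account (the thread reports Domain Admins was required on 2012 R2)
Import-Module ActiveDirectory
Write-Host "`n== Group membership of $PollingAccount =="
Get-ADPrincipalGroupMembership -Identity $PollingAccount |
    Select-Object -ExpandProperty Name | Sort-Object | ForEach-Object { Write-Host "  $_" }
```

Two caveats when reading the output. First, a missing audit subcategory would leave the FortiGate poller connected but with no logons and a stale "latest logon timestamp"; the original poster's status of "err: server can not be accessible" with success(0) means the poll never got as far as reading the log, which points at reachability or the account's rights rather than at audit policy. Second, the built-in Administrator account succeeding on 2003 but not on 2012 R2 with the same settings is consistent with Ralf's observation that the account's privileges, not the audit settings, gate the remote log read on the newer OS; the group list above is what to compare between a working and a failing account.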

jekateryna

hello dear,

 

I have problems and questions with FSSO.

 

I use Windows Server 2003 as the LDAP server and 5 FortiGates (30D, 60D, 90D and 92D) which are connected to one another by a dedicated line or VPN. The main office and one secondary office have LDAP servers; the other three secondary offices do not.

 

actually we have this scheme

                                Office B (FG60D)

                                    | VPN

office C  ---------------- Office A ----------------- Office D

(FG30D)          VPN        (FG92D)        vpn           (FG 30D)

                                     L1, L2

                                    | dedicated line

                                   Office D (FG90D)

                                     L3

 

L1, L2, L3 - Ldap servers

 

I want to use FSSO in all offices. The LDAP servers are working fine in all offices.

 

FG60D# sh user ldap
config user ldap
    edit "L1"
        set server "192.168.x.y"
        set source-ip 192.168.z.z
        set cnid "samAccountName"
        set dn "DC=yyy,DC=xxx,DC=com"
        set type regular
        set username "CN=admin,CN=Users,DC=yyy,DC=xxx,DC=com"
        set password-expiry-warning enable
        set password-renewal enable
    next
end

 

In offices without local LDAP server we are using source-ip option.

 

Now I am trying to set up FSSO in offices B and A.

 

In office B

FG60D # sh user fsso-polling
config user fsso-polling
    edit 1
        set server "192.168.x.y"
        set user "admin"
        set password ENC
        set ldap-server "L1"
        config adgrp
            edit "CN=ITTest,OU=IT,OU=Managed Groups,DC=yyy,DC=xxx,DC=com"
            next
        end
    next
end

FG60D # diag debug fsso-polling detail
AD Server Status:
ID=1, name(192.168.x.y),ip=192.168.x.y,source(security),users(0)
port=auto username=admin
read log offset=0, latest logon timestamp: Thu Jan  1 02:00:00 1970
polling frequency: every 10 second(s)
success(0), fail(11740)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
most recent connection status: err: server can not be accessible
Group Filter: CN=ITTest,OU=IT,OU=Managed Groups,DC=yyy,DC=zzz,DC=com

 

I understand that I am missing the source-ip option for FSSO, but I can't find where it needs to be used.

 

Office A.

 

Viskalu21-FG # sh user fsso-polling
config user fsso-polling
    edit 1
        set server "192.168.x.y"
        set user "admin"
        set password ENC
        set ldap-server "L1"
        config adgrp
            edit "CN=ITTest,OU=IT,OU=Managed Groups,DC=xxx,DC=yyy,DC=com"
            next
            edit "CN=Internet,OU=Managed Groups,DC=xxx,DC=yyy,DC=com"
            next
            edit "CN=InternetInbox,OU=Managed Groups,DC=xxx,DC=yyy,DC=com"
            next
            edit "CN=InternetInboxFiles,OU=Managed Groups,DC=xxx,DC=yyy,DC=com"
            next
            edit "CN=InternetUL,OU=Managed Groups,DC=xxx,DC=yyy,DC=com"
            next
        end
    next
end

FG92D # diag debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----

FG92D # diag debug fsso-polling detail
AD Server Status:
ID=1, name(192.168.x.y),ip=192.168.x.y,source(security),users(0)
port=auto username=admin
read log offset=593486335, latest logon timestamp: Mon Dec 21 00:30:32 2015
polling frequency: every 10 second(s)
success(34192), fail(5)
LDAP query: success(4510), fail(0)
LDAP max group query period(seconds): 1
most recent connection status: connected
Group Filter: CN=ITTest,OU=IT,OU=Managed Groups,DC=xxx,DC=yyy,DC=com+CN=Internet,OU=Managed Groups,DC=xxx,DC=yyy,DC=com+CN=InternetInbox,OU=Managed Groups,DC=xxx,DC=yyy,DC=com,DC=lv+CN=InternetInboxFiles,OU=Managed Groups,DC=xxx,DC=yyy,DC=com=lv+CN=InternetUL,OU=Managed Groups,DC=xxx,DC=yyy,DC=com

 

Can you help me find my mistakes?

boneyard
Valued Contributor

jekateryna, it is not wise to just add your question to another thread. In such cases it makes more sense to start your own thread / question. As for your issue, it seems IP related. Can your FortiGate at location B reach the configured LDAP server at location A? Do you have the firewall policy and routing set up correctly?
