Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO-Polling (v.5.2.3) and windows 2012 R2 issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO-Polling (v.5.2.3) and windows 2012 R2 issue
Hello forum,
We are using a fortigate 100D (v5.2.3,build670 (GA)) and try to configure FSSO-polling to a windows 2012 R2 AD.
we have configured LDAP (it works fine) and connection status is succesful. We are able to see all LDAP tree and LDAP authentication is working fine. We are using LDAP groups (for SSL VPN access).
But problem comes when we try to create the FSSO server.
using "diag debug fsso-polling detail" we get:
AD Server Status: port=auto username=administrator read log offset=0, latest logon timestamp: Thu Jan 1 03:00:00 1970
polling frequency: every 10 second(s) success(0), fail(1069) LDAP query: success(0), fail(0) LDAP max group query period(seconds): 0 most recent connection status: err: server can not be accessible
- We have tried with AD server firewall disabled and the user we are using is actually the built-in administrator account.
- We tried to configure FSSO-polling with also another AD (2003) and it is working fine.
Does anyone came across this problem with windows 2012 R2 before?
Thanks for any suggestions in advance,
Yiannis
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yianis,
Do you use Win Server 2012 R2 enterprise edition?
OMYN
Technical Consultant | Indonesia CCNP Security, Fortinet NSE
OMYN
Technical Consultant | Indonesia CCNP Security, Fortinet NSE
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Siomyn,
Thanks for the response!
It is standard edition.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some peoples already discuss about this, they say "Windows server 2012 is not officially supported with FortiOS yet. The account specified in FSSO configuration must be member of domain administrators. FSSO look for the log on and off events (4768, 4769 and 4776) from the DCs, these logs are not enalbled by default on Windows server 2012. Please make sure these logs are enabled in the windows server."
source : https://www.linkedin.com/grp/post/1769457-229334710
But maybe you can makesure to the TAC about this case ...
OMYN
Technical Consultant | Indonesia CCNP Security, Fortinet NSE
OMYN
Technical Consultant | Indonesia CCNP Security, Fortinet NSE
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another thing you can check,
Is the Windows Server 2012 directly connected to the firewall or is there L3 network in between ?
If it is, you might need to set the "source-ip" in CLI under the FSSO polling configuration.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi selective,
It is directly connected (just one lan).
Anyways thanks for your response!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
On my FGT the command [style="background-color: #c0c0c0;"]#diag deb[/style][style="background-color: #c0c0c0;"]ug fsso[/style][style="background-color: #c0c0c0;"]-polling[style="line-height: 25.2000007629395px;"] detail[/style][/style] returns "fsso daemon is not running". My FortiOS is 5.2.3. I don't know why.
[style="background-color: #c0c0c0;"]#diag deb[/style]ug fsso-polling[style="background-color: #c0c0c0;"] detail [/style]
Elthon Abreu FCNSA v5
Elthon Abreu FCNSA v5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have the same problem.
The only thing which helps so far on the 2012R2 is to give the Fortinet Service Account User Domain Admin rights, then it works but we are searching for a other solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello dear,
have problems and questions with FSSO.
I use Windows Server 2003 as LDAP server and 5 fortigates (30D, 60D, 90D and 92D) witch connected one with other from dedicated line or VPN. In main office and one secondary is LDAP servers and 3 others secondary offices no.
actually we have this scheme
Office B (FG60D)
| VPN
office C ---------------- Office A ----------------- Office D
(FG30D) VPN (FG92D) vpn (FG 30D)
L1, L2
| dedicated line
Office D (FG90D)
L3
L1, L2, L3 - Ldap servers
I want to use in all offices FSSO. LDAP Servers working fine in all offices
FG60D# sh user ldap config user ldap edit "L1" set server "192.168.x.y" set source-ip 192.168.z.z set cnid "samAccountName" set dn "DC=yyy,DC=xxx,DC=com" set type regular set username "CN=admin,CN=Users,DC=yyy,DC=xxx,DC=com" set password-expiry-warning enable set password-renewal enable next end
In offices without local LDAP server we are using source-ip option.
Now I trying to setup FSSO in Office B and A.
In office B
FG60D # sh user fsso-polling config user fsso-polling edit 1 set server "192.168.x.y" set user "admin" set password ENC set ldap-server "L1" config adgrp edit "CN=ITTest,OU=IT,OU=Managed Groups,DC=yyy,DC=xxx,DC=com" next end next end
FG60D # diag debug fsso-polling detail AD Server Status: ID=1, name(192.168.x.y),ip=192.168.x.y,source(security),users(0) port=auto username=admin read log offset=0, latest logon timestamp: Thu Jan 1 02:00:00 1970 polling frequency: every 10 second(s) success(0), fail(11740) LDAP query: success(0), fail(0) LDAP max group query period(seconds): 0 most recent connection status: err: server can not be accessible Group Filter: CN=ITTest,OU=IT,OU=Managed Groups,DC=yyy,DC=zzz,DC=com
I understand that I miss option source-id for fsso, but can't find where need to used it.
Office A.
Viskalu21-FG # sh user fsso-polling config user fsso-polling edit 1 set server "192.168.x.y" set user "admin" set password ENC set ldap-server "L1" config adgrp edit "CN=ITTest,OU=IT,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next edit "CN=Internet,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next edit "CN=InternetInbox,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next edit "CN=InternetInboxFiles,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next edit "CN=InternetUL,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next end next end
FG92D # diag debug authd fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----
FG92D # diag debug fsso-polling detail AD Server Status: ID=1, name(192.168.x.y),ip=192.168.x.y,source(security),users(0) port=auto username=admin read log offset=593486335, latest logon timestamp: Mon Dec 21 00:30:32 2015 polling frequency: every 10 second(s) success(34192), fail(5) LDAP query: success(4510), fail(0) LDAP max group query period(seconds): 1 most recent connection status: connected Group Filter: CN=ITTest,OU=IT,OU=Managed Groups,DC=xxx,DC=yyy,DC=com+CN=Internet,OU=Managed Groups,DC=xxx,DC=yyy,DC=com+CN=InternetInbox,OU=Managed Groups,DC=xxx,DC=yyy,DC=com,DC=lv+CN=InternetInboxFiles,OU=Managed Groups,DC=xxx,DC=yyy,DC=com=lv+CN=InternetUL,OU=Managed Groups,DC=xxx,DC=yyy,DC=com
Can you help me find my mistakes
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jekateryna it is not wise to just add your question to another thread. in such cases it makes more sense to start your own thread / question. as for your issue, it seems IP related. can your Fortigate on location B reach the configured LDAP server at location A? did you have the firewalls policy and routing setup correctly?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Problem with VPN autoconnect 68 Views
- FortiEDR: Unsupported OS 41 Views
- FortiNAC EAP-TLS and MAB Authentication Issue 72 Views
- Issues Mapping Azure Files Storage After... 42 Views
- RADIUS troubleshooting 49 Views
Labels
-
FortiGate
8,522 -
FortiClient
1,724 -
5.2
801 -
FortiManager
716 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
463 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
225 -
FortiWeb
201 -
5.0
196 -
IPsec
191 -
FortiNAC
181 -
FortiGuard
136 -
6.4
128 -
SD-WAN
112 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
85 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
74 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
48 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
41 -
DNS
41 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
34 -
Authentication
33 -
SSO
31 -
Interface
31 -
NAT
31 -
RADIUS
30 -
FortiConnect
28 -
FortiLink
27 -
FortiWAN
26 -
Web profile
26 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
21 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Intrusion prevention
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1665 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.