Hello forum,
We are using a fortigate 100D (v5.2.3,build670 (GA)) and try to configure FSSO-polling to a windows 2012 R2 AD.
we have configured LDAP (it works fine) and connection status is succesful. We are able to see all LDAP tree and LDAP authentication is working fine. We are using LDAP groups (for SSL VPN access).
But problem comes when we try to create the FSSO server.
using "diag debug fsso-polling detail" we get:
AD Server Status: port=auto username=administrator read log offset=0, latest logon timestamp: Thu Jan 1 03:00:00 1970
polling frequency: every 10 second(s) success(0), fail(1069) LDAP query: success(0), fail(0) LDAP max group query period(seconds): 0 most recent connection status: err: server can not be accessible
- We have tried with AD server firewall disabled and the user we are using is actually the built-in administrator account.
- We tried to configure FSSO-polling with also another AD (2003) and it is working fine.
Does anyone came across this problem with windows 2012 R2 before?
Thanks for any suggestions in advance,
Yiannis
Hi Yianis,
Do you use Win Server 2012 R2 enterprise edition?
OMYN
Technical Consultant | Indonesia CCNP Security, Fortinet NSE
Hi Siomyn,
Thanks for the response!
It is standard edition.
Some peoples already discuss about this, they say "Windows server 2012 is not officially supported with FortiOS yet. The account specified in FSSO configuration must be member of domain administrators. FSSO look for the log on and off events (4768, 4769 and 4776) from the DCs, these logs are not enalbled by default on Windows server 2012. Please make sure these logs are enabled in the windows server."
source : https://www.linkedin.com/grp/post/1769457-229334710
But maybe you can makesure to the TAC about this case ...
OMYN
Technical Consultant | Indonesia CCNP Security, Fortinet NSE
Another thing you can check,
Is the Windows Server 2012 directly connected to the firewall or is there L3 network in between ?
If it is, you might need to set the "source-ip" in CLI under the FSSO polling configuration.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Hi selective,
It is directly connected (just one lan).
Anyways thanks for your response!
Hi everyone,
On my FGT the command [style="background-color: #c0c0c0;"]#diag deb[/style][style="background-color: #c0c0c0;"]ug fsso[/style][style="background-color: #c0c0c0;"]-polling[style="line-height: 25.2000007629395px;"] detail[/style][/style] returns "fsso daemon is not running". My FortiOS is 5.2.3. I don't know why.
[style="background-color: #c0c0c0;"]#diag deb[/style]ug fsso-polling[style="background-color: #c0c0c0;"] detail [/style]
Elthon Abreu FCNSA v5
We have the same problem.
The only thing which helps so far on the 2012R2 is to give the Fortinet Service Account User Domain Admin rights, then it works but we are searching for a other solution
hello dear,
have problems and questions with FSSO.
I use Windows Server 2003 as LDAP server and 5 fortigates (30D, 60D, 90D and 92D) witch connected one with other from dedicated line or VPN. In main office and one secondary is LDAP servers and 3 others secondary offices no.
actually we have this scheme
Office B (FG60D)
| VPN
office C ---------------- Office A ----------------- Office D
(FG30D) VPN (FG92D) vpn (FG 30D)
L1, L2
| dedicated line
Office D (FG90D)
L3
L1, L2, L3 - Ldap servers
I want to use in all offices FSSO. LDAP Servers working fine in all offices
FG60D# sh user ldap config user ldap edit "L1" set server "192.168.x.y" set source-ip 192.168.z.z set cnid "samAccountName" set dn "DC=yyy,DC=xxx,DC=com" set type regular set username "CN=admin,CN=Users,DC=yyy,DC=xxx,DC=com" set password-expiry-warning enable set password-renewal enable next end
In offices without local LDAP server we are using source-ip option.
Now I trying to setup FSSO in Office B and A.
In office B
FG60D # sh user fsso-polling config user fsso-polling edit 1 set server "192.168.x.y" set user "admin" set password ENC set ldap-server "L1" config adgrp edit "CN=ITTest,OU=IT,OU=Managed Groups,DC=yyy,DC=xxx,DC=com" next end next end
FG60D # diag debug fsso-polling detail AD Server Status: ID=1, name(192.168.x.y),ip=192.168.x.y,source(security),users(0) port=auto username=admin read log offset=0, latest logon timestamp: Thu Jan 1 02:00:00 1970 polling frequency: every 10 second(s) success(0), fail(11740) LDAP query: success(0), fail(0) LDAP max group query period(seconds): 0 most recent connection status: err: server can not be accessible Group Filter: CN=ITTest,OU=IT,OU=Managed Groups,DC=yyy,DC=zzz,DC=com
I understand that I miss option source-id for fsso, but can't find where need to used it.
Office A.
Viskalu21-FG # sh user fsso-polling config user fsso-polling edit 1 set server "192.168.x.y" set user "admin" set password ENC set ldap-server "L1" config adgrp edit "CN=ITTest,OU=IT,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next edit "CN=Internet,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next edit "CN=InternetInbox,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next edit "CN=InternetInboxFiles,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next edit "CN=InternetUL,OU=Managed Groups,DC=xxx,DC=yyy,DC=com" next end next end
FG92D # diag debug authd fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----
FG92D # diag debug fsso-polling detail AD Server Status: ID=1, name(192.168.x.y),ip=192.168.x.y,source(security),users(0) port=auto username=admin read log offset=593486335, latest logon timestamp: Mon Dec 21 00:30:32 2015 polling frequency: every 10 second(s) success(34192), fail(5) LDAP query: success(4510), fail(0) LDAP max group query period(seconds): 1 most recent connection status: connected Group Filter: CN=ITTest,OU=IT,OU=Managed Groups,DC=xxx,DC=yyy,DC=com+CN=Internet,OU=Managed Groups,DC=xxx,DC=yyy,DC=com+CN=InternetInbox,OU=Managed Groups,DC=xxx,DC=yyy,DC=com,DC=lv+CN=InternetInboxFiles,OU=Managed Groups,DC=xxx,DC=yyy,DC=com=lv+CN=InternetUL,OU=Managed Groups,DC=xxx,DC=yyy,DC=com
Can you help me find my mistakes
jekateryna it is not wise to just add your question to another thread. in such cases it makes more sense to start your own thread / question. as for your issue, it seems IP related. can your Fortigate on location B reach the configured LDAP server at location A? did you have the firewalls policy and routing setup correctly?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.