I'm building a test environment to try out the FSSO feature.
My current setup is as follows:
One FortiGate 30E
One Windows 2016 AD DC
One Windows 2016 TS
I've set up the LDAP and FSSO parts on the FortiGate, installed the AD agent and collector agent on my DC, and the TS agent on my TS.
On my FortiGate, I've created two policies.
Permitting traffic to WAN if the user is a member of my SG_ONE group.
Denying traffic to WAN if the user is a member of my SG_TWO group.
I can almost get it to work.
When I log in as user1 (member of SG_ONE), I'm permitted access to the internet (my policy one).
When I log in as user2 (member of SG_TWO), I'm denied access to the internet (my policy two).
BUT - after I have logged in as user2, user1 is also denied access to the internet, even though they are not in the same security group.
On my collector agent, I can see that the TS agent logs the two different users from my TS, but only user2 is shown as logged in from the DC agent.