Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FSSO authentication issues

Hello, I'm configuring a 601E for my company. I believe we are having some issues around FSSO - here are my scenarios.


I am using FSSO collector agents in polling mode using event logs with WMI


If you are on WiFi and authenticated, should you plug into ethernet you will not be authenticated until you sign out/sign in - lock/unlock does not work. This also happens the other way around. It is not an issue with our DHCP leases i checked this first.


From what I can tell, when a lock/unlock occurs a 4768 event is created, as i say this does not authenticate. When a sign out/sign in is done i see 4768 and 4624 event. The 4624 event seems to be what triggers authentication.


This does not seem to be working as intended to me and i can't find anything about it.





you can try to change the polling event subset to a different one in the FSSO Collector Agent Advanced settings.

The default one is 0 which should also now take into account event ID 4624, however you might try with a larger subset like 2 which should check events 672, 673, 680, 4768, 4769, 4776, 4624.

You can check this link for further info:


Hey, apologies i did not mention - i am already using ID 2, I'm unable to use ID 0 because we also need RDP override enabled.


ID 2 has the range of events that we want to cover, the problem is authentication is only triggering for event 4624 and non of the others, 4768 in particular I would expect to be accepted but that doesnt seem to be happening.




not directly related, but you can use any freely definable set of events to listen for, 0-2 are just combinations, and you could put in 4768,4624 together, or any sort of the events that are supported according to the KB shared earlier.


Now more related:

4768 should come together with a 4769 as well. Crosscheck that these two are together in the event log.


If there is a logon event, the Collector can take it and use it. If there is no logon event, the Collector cannot work with it.


What I think you are trying to achieve though:

> If you are on WiFi and authenticated, should you plug into ethernet you will not be authenticated until you sign out/sign in - lock/unlock does not work

The Collector can change your existing user entry to reflect the latest IP. It will by default try to resolve the hostname IP every 60 seconds after it finished the last round of it.

Behaviour should be:

- plug in the ethernet cord or docking station

- host updates the DNS server with the new IP address, as result the A record of the user is updated.

- Collector will see the IP has changed with the 60 seconds interval and change the IP to the new IP.

The requirement is of course that the DNS update and resolution works. nslookup from the domain member host where the Collector is installed would help to verify that is going correct.


Best regards,



Top Kudoed Authors