Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- Lacework
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO creating Issues when taking RDP of other syst...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO creating Issues when taking RDP of other systems using different domain user account
Hi Fortinet Community,
I would like to explain our scenario and seek your advice on an issue we're encountering.
In our environment, we have configured two Domain Controllers (DCs). Each DC has a separate FSSO-DC Agent and a separate FSSO-Collector Agent. In total, we have two collector agents and two DC-agents across our two DCs. We are using the DC Agent Mode, where the DC agent sends logon information (Windows security logon events) to the collector agents.
The issue we're facing occurs when a user (e.g., 'abdul.rehman@example.com') logs into a Windows machine. The user is successfully authenticated by FSSO and gains access to resources according to the Firewall Policies. At this point, we can see in the FortiGate FSSO Users Dashboard that the user 'abdul.rehman@example.com' is listed with the assigned IP address (e.g., '192.168.100.100').
The problem arises when the user attempts to access one of our internal systems (a server or another PC) using the RDP protocol from the same machine where they are already logged in and authenticated. When the user logs in via RDP using a different account (e.g., 'rdp-user@example.com'—an account created specifically for RDP access within the AD network), FortiGate shows that after 2 to 3 seconds of successful RDP logon, the session with 'abdul.rehman@example.com' disappears. Instead, 'rdp-user@example.com' appears with the same IP address '192.168.100.100', even though 'abdul.rehman@example.com' is still logged in. Consequently, 'abdul.rehman@example.com' can no longer access resources until they log off and log back in.
Could you suggest what might be causing this issue and where to start troubleshooting?
- How can we troubleshoot which authentication protocol is being used during these processes?
- Is it possible that this issue is related to NTLM-based authentication?
- Should we consider moving to Kerberos for testing?
- or is there any other issue other than the mentioned ones?
Any insights or guidance on resolving this issue would be greatly appreciated.
Thank you!
#FortiGate #FortiOS #FSSO
Sheeraz Ali
Solved! Go to Solution.
Sheeraz Ali
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would you please check this article and confirm that the checkbox for Disable RDP Override setting is enabled:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-RDP-logon-override/ta-p/197159
Hope this help
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello sheerazali,
Can you please check event log in server because if you rdp in different pc then that pc is getting different ip address.
Check on windows server you are able to see another user name and ip in event logs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would you please check this article and confirm that the checkbox for Disable RDP Override setting is enabled:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-RDP-logon-override/ta-p/197159
Hope this help
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @FortiArt
As i already mentioned that we are not running our Collector Agent as Polling Mode. We are running Collector Agent with DC-Agent in DC-Agent Mode. The Guide you provided is related to Polling Mode.
Sheeraz Ali
Sheeraz Ali
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @FortiArt
Please ignore the previous comment & confirm that if use use "Disable RDP Override" option does it impact our services as all these are in production currently.
Sheeraz Ali
Sheeraz Ali
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a known limitation, caused by the fact that in this situation the Domain controller records logon events for rdp-user@example.com for BOTH the source PC and the RDP destination PC.
The only proper solution is the RDP override settings, supported only by the two event log polling methods - https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-RDP-logon-override/ta-p/197159 - as @FortiArt has already suggested.
If you must use DC Agent specifically (why?), the only solution is this one:
With the BIG caveat that this will only ever work if you use NTLM to authenticate the RDP connections, which is realisitcally doable only if you connect to the RDP destinations exclusively using their IPs (= never connect to "rdp.server.mydomain.com", always connect to "192.168.123.45").
(This solution works by ignoring NTLM-based logons. Connecting to an RDP destination by its FQDN will trigger Kerberos-based authentication)
[ corrections always welcome ]
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- How to create server local for... 143 Views
- FortiNAC - LDAP user group 200 Views
- What FortiOS Event Logs should i... 180 Views
- SSL VPN users can`t reach web... 106 Views
- FortiManager - Import Devices using CSV... 35 Views
Labels
-
FortiGate
7,865 -
FortiClient
1,571 -
5.2
801 -
FortiManager
659 -
5.4
639 -
FortiAnalyzer
504 -
6.0
416 -
FortiAP
410 -
FortiSwitch
409 -
5.6
362 -
FortiClient EMS
351 -
FortiMail
296 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
187 -
SSL-VPN
162 -
FortiNAC
153 -
IPsec
146 -
6.4
128 -
FortiGuard
124 -
FortiGateCloud
98 -
FortiSIEM
93 -
FortiCloud Products
93 -
FortiToken
84 -
SD-WAN
80 -
Customer Service
74 -
Wireless Controller
72 -
4.0MR3
64 -
FortiAuthenticator
61 -
FortiProxy
52 -
Firewall policy
51 -
FortiEDR
50 -
FortiADC
49 -
Fortivoice
47 -
FortiDNS
41 -
High Availability
40 -
FortiExtender
39 -
VLAN
39 -
FortiSandbox
38 -
FortiGate v5.4
35 -
ZTNA
35 -
FortiSwitch v6.4
33 -
DNS
33 -
LDAP
33 -
Routing
31 -
SAML
29 -
Interface
29 -
BGP
29 -
Certificate
29 -
NAT
26 -
FortiConnect
25 -
FortiWAN
24 -
Authentication
24 -
SSO
24 -
FortiGate v5.2
23 -
RADIUS
23 -
FortiConverter
22 -
VDOM
21 -
FortiLink
21 -
Virtual IP
19 -
Web profile
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Logging
17 -
FortiMonitor
16 -
Traffic shaping
16 -
Fortigate Cloud
15 -
FortiDDoS
15 -
Application control
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
FortiCASB
12 -
OSPF
12 -
FortiManager v5.0
11 -
SNMP
11 -
SSID
11 -
FortiPAM
11 -
Static route
11 -
Web application firewall profile
11 -
IP address management - IPAM
11 -
FortiRecorder
10 -
Admin
10 -
WAN optimization
10 -
4.0MR2
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiGate v4.0 MR3
8 -
FortiManager v4.0
8 -
FortiBridge
8 -
Automation
8 -
System settings
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
IPS signature
7 -
Traffic shaping policy
7 -
Proxy policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Security profile
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiTester
5 -
Users
5 -
Port policy
5 -
3.6
4 -
FortiDeceptor
4 -
FortiToken Cloud
4 -
FortiScan
4 -
FortiDirector
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
DLP sensor
4 -
Email filter profile
4 -
Fabric connector
4 -
Web rating
4 -
Fortinet Engage Partner Program
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
Internet service database
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
FortiNDR
2 -
Application signature
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
API
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Authentication rule and scheme
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1 -
Cloud Management Security
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.