kcerb
New Contributor III

FSSO in 5.2 problem

Hi, on a Fortigate 100D running 4.x we used FSSO with the FSSO Agent installed on the Active Directory server with no trouble. After changing the firmware to 5.2 and the FSSO Agent to 4.3.0159, users started complaining about websites: sometimes websites opened and sometimes not. I decided to change the SSO method to Polling. I configured everything with no luck: no users are shown in User & Device -> Monitor -> Firewall -> Show all FSSO Logons. The "diagnose debug authd fsso server-status" command shows only "Local FSSO Agent"!! which is not visible under User & Device -> Single Sign-On (I even deleted everything I created before). LDAP test: pass. When I add an SSO, the status is always a grey X mark.

FGT60B, FGT100A, FGT100D
kcerb
New Contributor III

OK, the greyed-out X mark is solved: the user must be an "Administrators" group member. Now I can see users in the monitor, but I cannot see members of the default "Domain Users" group. This group is of course mapped in "User & Device -> User Groups". Does anybody have an idea about that?

FGT60B, FGT100A, FGT100D
Hassan_Fahmy
New Contributor II

Same issue, any update!!!

Hassan_Fahmy
New Contributor II

Solved by:

1. Execute FSSO refresh.

2. Add the selected group from the FSSO agent on the AD server.

3. Add the selected group from Single Sign-On on the Fortigate firewall.

Done.

daac

Solved via CLI:

    FORTI # show user fsso
    config user fsso
        edit "Local FSSO Agent"
            set ldap-server "LDAP_DA"
            set server "127.0.0.1"
        next
    end
    FORTI # config user fsso
    FORTI (fsso) # delete Local FSSO Agent

Dipen
New Contributor III

Hi,

First, please stick to FSSO DC Agent mode only (forget Polling mode). Please do not have any LDAP dependencies.

First check "Currently Logon Users" in the Collector Agent. Then check the Group Filters in the Collector Agent.

Finally check if FSSO Users are appearing in User >> Monitor >> Show FSSO Logons.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D
raffi
New Contributor

Dipen is right on the money. The collector is a way better system imho.

To answer your question - this is just from what I have seen - the local FSSO agent on the Fortigate is used in polling mode. It seems the Fortigate itself functions as a collector server polling AD, much like a collector would poll the agents. Without the agent this method works, but it seems a little more solid with a collector server and agents deployed.

As for the grey X, this was happening to me in polling mode too. The issue was that my FSSO service account, which I did not want to make a domain admin, was not added to the "Event Log Readers" group. The LDAP test would pass, but the account would not have permission to pull logon events from the servers it is polling.

All that said, I suggest collector and agent mode. Both will work, but I have seen better results and have heard more positive feedback from the collector and agents.
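A check for the polling-mode failure raffi describes (LDAP test passes, but the service account cannot read logon events), as an added example that is not from this thread or from Fortinet: it assumes the RSAT ActiveDirectory module on the machine where it runs, and the account name is a placeholder.

```powershell
# Added example: confirm the FSSO polling service account is in
# "Event Log Readers" and can actually read 4624 logon events from each DC.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-fsso'          # placeholder: your FSSO polling account
$Group          = 'Event Log Readers'

# 1. Membership check (recursive, so nested group membership also counts)
$members = Get-ADGroupMember -Identity $Group -Recursive |
           Select-Object -ExpandProperty SamAccountName
if ($members -contains $ServiceAccount) {
    Write-Host "$ServiceAccount is a member of '$Group'"
} else {
    Write-Warning "$ServiceAccount is NOT in '$Group'; polling cannot read logon events"
}

# 2. Read check: query each DC's Security log as the service account itself,
#    which is what the FortiGate does when it polls.
$cred  = Get-Credential -UserName $ServiceAccount -Message 'FSSO service account password'
$since = (Get-Date).AddHours(-1)
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $events = Get-WinEvent -ComputerName $dc -Credential $cred -MaxEvents 5 `
            -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
            -ErrorAction Stop
        Write-Host ("{0}: read {1} logon event(s) from the Security log" -f $dc, $events.Count)
    } catch {
        # Access denied here is the grey-X symptom; "No events were found" only
        # means nobody logged on in the last hour, not a permission problem.
        Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
    }
}
```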
