FSSO in 5.2 problem
Hi,
On a Fortigate 100D running 4.x we used FSSO with the FSSO Agent installed on the Active Directory server with no trouble.
After changing the firmware to 5.2 and the FSSO Agent to 4.3.0159, users started complaining about websites: sometimes websites opened and sometimes not.
I decided to change the SSO method to Polling. I configured everything with no luck: no users are shown in User & Device -> Monitor -> Firewall -> Show all FSSO Logons.
The "diagnose debug authd fsso server-status" command shows only "Local FSSO Agent"!! which is not visible under User & Device -> Single Sign-On (I even deleted everything I created before):
LDAP test: pass. When I add an SSO, the status is always a grey X mark.
FGT60B, FGT100A, FGT100D
Labels: 5.2
Solved by
Execute Fsso Refresh
add Selected group from FSSO agent @ AD
add Selected group from Single sign on @ Fortigate FW
Done
Same issue, any update!!!
Solved via CLI:
FORTI # show user fsso
config user fsso
    edit "Local FSSO Agent"
        set ldap-server "LDAP_DA"
        set server "127.0.0.1"
    next
end
FORTI # config user fsso
FORTI (fsso) # delete Local FSSO Agent
Hi
First, please stick to FSSO DC Agent Mode only (forget Polling mode). Please do not have any LDAP dependencies.
Next, check "Currently Logon Users" in the Collector Agent. Then check Group Filters in the Collector Agent.
Finally, check if FSSO users are appearing in User >> Monitor >> Show FSSO Logons.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Dipen is right on the money. The collector is a way better system, imho.
To answer your question - this is just from what I have seen - the local FSSO agent on the Fortigate is used in polling mode. It seems the Fortigate itself functions as a collector server, polling AD much like a collector would poll the agents. Without the agent this method works, but it seems a little more solid with the collector server and agents deployed.
As for the grey X, this was happening to me in polling mode too. The issue was that my FSSO service account, which I did not want to make a domain admin, was not added to the "Event Log Readers" group. The LDAP test would pass, but it would not have permission to pull logon events from the LDAP servers it is polling.
All that said, I suggest the collector and agent mode. Both will work, but I have seen better results and have heard more positive feedback from the collector and agents.
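The permission problem described in the reply above (LDAP bind works, but the polling account cannot read logon events because it is not in "Event Log Readers") can be checked on the Windows side before touching the Fortigate. The script below is an added example written for this thread, not code from any poster or from Fortinet; it assumes the RSAT ActiveDirectory module is available, and `svc-fsso` and `dc01.example.local` are placeholder names for your service account and domain controller. It resolves the account's effective (nested) group membership via tokenGroups, flags the least-privilege mismatch either way (missing from Event Log Readers, or unnecessarily a Domain Admin), and then proves the permission by reading a few 4624 logon events from the DC's Security log as that account.

```powershell
# Added example: verify the FSSO polling service account can read logon
# events from a domain controller. Placeholders: svc-fsso, dc01.example.local.
param(
    [string]$ServiceAccount   = 'svc-fsso',           # placeholder sAMAccountName
    [string]$DomainController = 'dc01.example.local'  # placeholder DC FQDN
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Effective group membership, nested groups included, from tokenGroups (SIDs).
$user = Get-ADUser -Identity $ServiceAccount -Properties tokenGroups -ErrorAction Stop
$groupNames = foreach ($sid in $user.tokenGroups) {
    try { (Get-ADGroup -Identity $sid -ErrorAction Stop).Name } catch { $null }
}

$isEventLogReader = $groupNames -contains 'Event Log Readers'
$isDomainAdmin    = $groupNames -contains 'Domain Admins'

if ($isEventLogReader) {
    "[OK] $ServiceAccount is an effective member of 'Event Log Readers'"
} else {
    "[MISSING] $ServiceAccount is not in 'Event Log Readers'; polling the Security log will fail"
}
if ($isDomainAdmin) {
    "[WARN] $ServiceAccount is a Domain Admin; 'Event Log Readers' alone is enough for polling"
}

# 2. Prove it: read recent logon events (4624) from the DC as the service account.
#    Group membership is evaluated at logon, so an account that was just added
#    to the group needs a fresh logon (new credential prompt) before this passes.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Password of the FSSO polling account'
try {
    $events = Get-WinEvent -ComputerName $DomainController -Credential $cred `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5 -ErrorAction Stop
    "[OK] read {0} logon events (4624) from {1} as {2}" -f $events.Count, $DomainController, $ServiceAccount
}
catch {
    "[FAIL] could not read the Security log on {0} as {1}: {2}" -f $DomainController, $ServiceAccount, $_.Exception.Message
}
```

Run it from a domain-joined admin workstation; step 2 also needs the "Remote Event Log Management" firewall rule group enabled on the DC, so a failure there with correct group membership points at the firewall rather than at the account. Because Event Log Readers is a domain-local group on the domain controllers, the same check applies to every DC the Fortigate polls.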
