Hi everybody I'm currently trying to set up single sign on, and things are more painful than I initially thought. I'm currently running 5.6.3 FortiOS version on Fortigate 201E appliance. My goal is to retrieve user logon from LDAP server so that I can use FSSO feature in my rulebase, allowing users to authenticate their windows session and then be authorized through the firewall according to the policy base.
For this I want to use the polling method, avoiding to install additionnal software on the customer AD server. So first, I have configured my LDAP server "User and Device -> LDAP Server -> create new" which is OK ("Test Connectivity" button says "Successful")
Then I try to configure User and Device -> Single Sign On part, but here is where it fails. I put a name on my SSO configuration, then I reuse the same credentials than those used in LDAP server (I guess this is what needs to be done), and I enable polling I can see the users tree appearing, but when i go back on meny User and Device -> Single Sign On, i see a status "Disconnected" If I make a packet capture, I see the firewall establishing a tcp connection with LDAP server, which succeeds, but then the fortigate send a SMB negotiate protocol Request that is immediatly TCP reseted by the LDAP. My customer asked me which SMB version fortigate used but I didn't find this information. It is several days that I'm breaking my brain on this, so your help would be highly appreciated :) I'm sorry that I couldn't insert more pictures but it seems that only 1 attachment is authorized per post. Thanks per advance Benjamin
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello dear all
It seems that we found out the solution.
We reproduced the configuration in our lab, and we disabled SMBv1 on the Active Directory server, and obtained the same symptoms.
So it appears that the Fortigate uses SMBv1 for Active Directory polling.
I didn't find the way to force v2 on the 201E, if anyone has this information...
Thanks per advance
Regards
Benjamin
Hi Benjamin,
I've been under the impression that this is now fixed with 5.6.3 GA. I've troubleshooted with these commands:
diagnose debug application fssod -1
dia deb fsso-polling detail 1 dia deb fsso-polling client
diagnose debug authd fsso list
On my SMBv2 enabled (SMBv1 disabled) Windows AD Server it works fine now; status=connected. Also, if possible make a packet trace on the interface where the AD server is, I've spotted some authentications errors on my side..
Cheers,
B.
Hi Boris
Thank you for your feedback.
What is version 5.6.3 GA ? I only know about 5.6.3.
Anyway we finally installed a collector agent and the topology works fine now, CA is much more flexible than simple polling.
Regards
Benjamin
bca wrote:What is version 5.6.3 GA ? I only know about 5.6.3.
Hey there Benjamin,
GA means "General Availability" in other words "5.6.3".
I've been playing a bit with FSSO and towards my readings CA based polling is more scalable indeed. Regards,
Boris
hello
i still have this problem
any reason why this error occurred ?
any solution ??
why fortinet is too weak in solving problems ?
there is no usable document about this problem, i'm thinking why ?
really no one has such this problem !!??
Hi Gabana,
more complicated issues which require to share some sensitive information/debugs/config parts are unlikely to be solved on forums. Maybe it's the time to open a support ticket? I would definitely suggest to go this way.
Regards,
Fishbone)(
smithproxy hacker - www.smithproxy.org
Hi
i think the problem is now clear for me
fortigate uses SMBv1 to poll active directory logon events.
its now prohibited because of security issues.
so the unit keep disconnected.
can i force fortigate unit to use SMBv2 ??
Hello All,
I was having issues with FSSO disconnected after upgrading to FortiOS 5.6.2 and then 5.6.3.
While reviewing the CLI options I realized that *port is required but it wasn't set, so when I entered the command set port 8000 (the port number that you have configured in the collector agent), it connected immediately.
config user fsso
edit YOURFSSO
set port 8000
set server a.b.c.d
set password yourpassword
Hope this helps,
Arismonty
Dominican Republic
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.