Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bca
New Contributor

FSSO keeps disconnected

Hi everybody I'm currently trying to set up single sign on, and things are more painful than I initially thought. I'm currently running 5.6.3 FortiOS version on Fortigate 201E appliance. My goal is to retrieve user logon from LDAP server so that I can use FSSO feature in my rulebase, allowing users to authenticate their windows session and then be authorized through the firewall according to the policy base.

For this I want to use the polling method, avoiding to install additionnal software on the customer AD server. So first, I have configured my LDAP server "User and Device -> LDAP Server -> create new" which is OK ("Test Connectivity" button says "Successful")

 

Then I try to configure User and Device -> Single Sign On part, but here is where it fails. I put a name on my SSO configuration, then I reuse the same credentials than those used in LDAP server (I guess this is what needs to be done), and I enable polling I can see the users tree appearing, but when i go back on meny User and Device -> Single Sign On, i see a status "Disconnected" If I make a packet capture, I see the firewall establishing a tcp connection with LDAP server, which succeeds, but then the fortigate send a SMB negotiate protocol Request that is immediatly TCP reseted by the LDAP. My customer asked me which SMB version fortigate used but I didn't find this information. It is several days that I'm breaking my brain on this, so your help would be highly appreciated :) I'm sorry that I couldn't insert more pictures but it seems that only 1 attachment is authorized per post. Thanks per advance  Benjamin

10 REPLIES 10
bca
New Contributor

Hello dear all

 

It seems that we found out the solution.

We reproduced the configuration in our lab, and we disabled SMBv1 on the Active Directory server, and obtained the same symptoms.

So it appears that the Fortigate uses SMBv1 for Active Directory polling.

I didn't find the way to force v2 on the 201E, if anyone has this information...

 

Thanks per advance

 

Regards

 

Benjamin

FortiBoris_FTNT

Hi Benjamin,

I've been under the impression that this is now fixed with 5.6.3 GA. I've troubleshooted with these commands:

diagnose debug application fssod -1

dia deb fsso-polling detail 1 dia deb fsso-polling client

diagnose debug authd fsso list

 

On my SMBv2 enabled (SMBv1 disabled) Windows AD Server it works fine now; status=connected. Also, if possible make a packet trace on the interface where the AD server is, I've spotted some authentications errors on my side..

 

Cheers,

B.

bca

Hi Boris

 

Thank you for your feedback.

What is version 5.6.3 GA ? I only know about 5.6.3.

Anyway we finally installed a collector agent and the topology works fine now, CA is much more flexible than simple polling.

 

Regards

 

Benjamin

FortiBoris_FTNT

bca wrote:

What is version 5.6.3 GA ? I only know about 5.6.3.

 

Hey there Benjamin,

 

GA means "General Availability" in other words "5.6.3".

I've been playing a bit with FSSO and towards my readings CA based polling is more scalable indeed. Regards,

Boris

Gabana

hello 

i still have this problem

any reason why this error occurred ?

 

any solution ??

Gabana
New Contributor

why fortinet is too weak in solving problems ?

there is no usable document about this problem, i'm thinking why ?

really no one has such this problem !!??

Fishbone_FTNT

Hi Gabana,

more complicated issues which require to share some sensitive information/debugs/config parts are unlikely to be solved on forums. Maybe it's the time to open a support ticket? I would definitely suggest to go this way.

 

Regards,

 Fishbone)(

 

 

smithproxy hacker - www.smithproxy.org

Gabana

Hi

 

i think the problem is now clear for me

fortigate uses SMBv1 to poll active directory logon events.

its now prohibited because of security issues.

so the unit keep disconnected.

can i force fortigate unit to use SMBv2 ?? 

arismonty_beato
New Contributor

Hello All,

 

I was having issues with FSSO disconnected after upgrading to FortiOS 5.6.2 and then 5.6.3.

 

While reviewing the CLI options I realized that *port is required but it wasn't set, so when I entered the command set port 8000 (the port number that you have configured in the collector agent), it connected immediately.

 

config user fsso

edit YOURFSSO

set port 8000

set server a.b.c.d

set password yourpassword

 

 

Hope this helps,

 

Arismonty

Dominican Republic

 

 

 

 

 

 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors