Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bca
New Contributor

FSSO keeps disconnected

Hi everybody I'm currently trying to set up single sign on, and things are more painful than I initially thought. I'm currently running 5.6.3 FortiOS version on Fortigate 201E appliance. My goal is to retrieve user logon from LDAP server so that I can use FSSO feature in my rulebase, allowing users to authenticate their windows session and then be authorized through the firewall according to the policy base.

For this I want to use the polling method, avoiding to install additionnal software on the customer AD server. So first, I have configured my LDAP server "User and Device -> LDAP Server -> create new" which is OK ("Test Connectivity" button says "Successful")

 

Then I try to configure User and Device -> Single Sign On part, but here is where it fails. I put a name on my SSO configuration, then I reuse the same credentials than those used in LDAP server (I guess this is what needs to be done), and I enable polling I can see the users tree appearing, but when i go back on meny User and Device -> Single Sign On, i see a status "Disconnected" If I make a packet capture, I see the firewall establishing a tcp connection with LDAP server, which succeeds, but then the fortigate send a SMB negotiate protocol Request that is immediatly TCP reseted by the LDAP. My customer asked me which SMB version fortigate used but I didn't find this information. It is several days that I'm breaking my brain on this, so your help would be highly appreciated :) I'm sorry that I couldn't insert more pictures but it seems that only 1 attachment is authorized per post. Thanks per advance  Benjamin

10 REPLIES 10
Chris_Colantonio

For giggles, try a domain admin for user in the SSO Server setup. You can leave your ldap server user alone.  It's not optimal for security reasons or password expiration reasons... but that's how I got it to work. You may need to refresh SSO server listing screen even after applying.  I couldn't find where to apply the right ntfs permissions on the DC to lock it down. 5.6.11

 

___________________ FCNSA 3.0 2 FG-620b HA 2 FWF-60B FortiAnalyzer 2000a FortiMail 400
___________________ FCNSA 3.0 2 FG-620b HA 2 FWF-60B FortiAnalyzer 2000a FortiMail 400
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors