Hello,
The answer is probably here:
got rpc eventlog read command
smbcd: rpccli_eventlog_open:121 /Chroot_Build/19/SVN_REPO_CHILD/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-121: connect err(NT_STATUS_NOT_SUPPORTED)
smbcd: rpc_cmd_eventlog_read:919 open rpc err(10.0.3.2:administrator:0) from security log!, Please check correct server name, user name, password, port and log source
Often, the issue is that the user used in the FSSO configuration does not have sufficient rights to read the event log. The fastest check would be to use a domain admin with the correct password.
Best Regards,
Alivo
livo
SW INFO: -Windows Server 2008R2
STATUS: working.
I am logged in as domain administrator, and these need to be changed in the GPO.
On DC1, type gpmc in cmd, right-click Edit on Forest: domain.com/Domains/domain.com/Default Domain Policy, then click Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Logon.
Change these to Success:
- Audit Credential Validation
- Audit Kerberos Authentication Service
- Audit Kerberos Service Ticket Operations
Hello,
I face the same problem.
My FG version is 6.0.9.
My goal is to build a firewall policy and use the policy with users instead of IP addresses.
I configured an LDAP server (user with admin privileges).
I configured a fabric connector (poll Active Directory). I can see all users and groups from AD, but the connector status is down.
I tried to debug with following commands:
diagnose debug application fssod -1
- [handle_reply:489] wrong format of data status. len 8 <> 4.
diagnose debug application smbcd -1
- smbcd: smbcd_process_request:947 got cmd id: 6
smbcd: smbcd_process_request:960 got rpc log field.
smbcd: smbcd_process_request:972 got rpc username: <user>@staff.technion.ac.il
smbcd: smbcd_process_request:978 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:982 got rpc port: 0
smbcd: smbcd_process_request:988 got rpc logsrc: security
smbcd: smbcd_process_request:966 got rpc server: x.68.25.x
smbcd: smbcd_process_request:1015 got VFID, 0
smbcd: smbcd_process_request:1105 got rpc eventlog read command
smbcd: rpccli_eventlog_open:144 /Chroot_Build/12/SVN_REPO_CHILD/FortiOS/fortinet/daemon/smbcd/smbcd_smb4eventlog.h-144: evenglog handle get failed.
smbcd: rpc_cmd_eventlog_read:900 open rpc err(x.68.25.x:<user>@staff.technion.ac.il:0) from security log!, Please check correct server name, user name, password, port and log source
My system guy checked on the AD server and RPC is running.
He also checked this:
Default credential validation success
Audit kerberos authentication success
Audit kerberos service ticket operations success
Audit other account logon events success
Any idea or help will be welcomed
Thanks
Hey Rafi,
two things you can check:
- sometimes, there can be issues if the user for polling is configured as 'domain\user' or 'user@domain'; try just username
- there was a change in how Microsoft allows access to security event log API last summer, breaking FSSO polling mode a bit; this is fixed in firmware version 6.2.10, 6.4.7 and 7.0.2
-> if your domain controllers are properly patched, you may be affected by this
-> upgrade FortiGate to 6.2.10, or get a Collector Agent instead to do the polling (Collector Agent is not affected as long as all domain controllers are patched) and have FortiGate connect to the Collector Agent instead.
This is fixed under bug ID 725056, if you want to check FortiGate release notes
Hi,
Thank you very much for your answer.
I tried every combination with the user name, but unfortunately it did not work.
So my options are to work with the agent or upgrade the version.
Thanks again
Regards
Rafi
Yeah, in that case, your options are to upgrade the FortiGate or set up collector agent to handle polling instead.
Glad I was able to assist a little :)
Thank you very much
Regards
Rafi
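An added example (not posted by anyone in this thread and not Fortinet code) that applies the checks suggested above to smbcd debug output: it extracts the failing server, user and log source from the `open rpc err(...)` line, flags a polling account written as `domain\user` or `user@domain`, and compares the FortiOS version with the fixed builds named in the thread. The function names and the sample log values are constructed for illustration; `has_fix` returns `None` for a release branch the thread names no fixed build for, such as 6.0.

```python
import re

# Fixed builds per release branch, as named in the thread for bug ID 725056.
FIXED_BUILDS = {(6, 2): 10, (6, 4): 7, (7, 0): 2}

# Line shapes copied from the smbcd debug output quoted in the thread.
ERR_RE = re.compile(r"rpc_cmd_eventlog_read:\d+ open rpc err\("
                    r"(?P<server>[^:]+):(?P<user>.+):(?P<port>\d+)\) from (?P<src>\w+) log")
STATUS_RE = re.compile(r"connect err\((NT_STATUS_\w+)\)")

# Constructed sample: address and account are placeholders, not real hosts.
SAMPLE = """\
smbcd: smbcd_process_request:1105 got rpc eventlog read command
smbcd: rpccli_eventlog_open:121 smbcd_eventlog.c-121: connect err(NT_STATUS_NOT_SUPPORTED)
smbcd: rpc_cmd_eventlog_read:919 open rpc err(192.0.2.10:svc_fsso@example.test:0) from security log!, Please check correct server name, user name, password, port and log source
"""


def has_fix(version):
    """True/False for branches the thread names; None when it names no fixed build."""
    major, minor, patch = (int(part) for part in version.split("."))
    fixed = FIXED_BUILDS.get((major, minor))
    return None if fixed is None else patch >= fixed


def triage(debug_text, fortios_version):
    """Collect the facts the thread's replies ask about from smbcd debug output."""
    report = {"server": None, "user": None, "log_source": None, "nt_status": None,
              "bare_username": None, "has_fix": has_fix(fortios_version)}
    for line in debug_text.splitlines():
        status = STATUS_RE.search(line)
        if status:
            report["nt_status"] = status.group(1)
        err = ERR_RE.search(line)
        if err:
            report.update(server=err["server"], user=err["user"], log_source=err["src"])
            # The thread suggests trying a plain username instead of
            # 'domain\user' or 'user@domain' for the polling account.
            report["bare_username"] = not ("\\" in err["user"] or "@" in err["user"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE, "6.0.9").items():
        print(f"{key}: {value}")
```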