Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FSSO user logon Problems
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO user logon Problems
Hello,
i have some strange problems on a 200A 4.0 MR Patch 15.
The FSSO is Runnig with a DC Agent on Domain Controller. DC Agen Version 4.3.0129
so the Problem is... The DC Agents collects the User Logons Properly u can see all the users on "Show logon users", The DC Agent is connected to the Fortigate and if i do diag debug authd fsso server-status it is "connected"
But the user logons are not passed to the Fortigate. if i do diag debug authd fsso list = there is no users, so my FSSO Firewall policy doesn´t work.
do anyone have an idea how to solve this?
NSE 8
NSE 1 - 7
Solved! Go to Solution.
NSE 8
NSE 1 - 7
Labels:
- Labels:
-
4.0MR3
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
as you do not have LDAP bond to FSSO Agent on FGT ('config user fsso'), then you need to have manually specified groups in FGT _AND_ Collector Agent as well.
So what did you set in 'config user adgrp' on FGT has to be (at least those) set on Collector Agent. Use Set Group Filter in Collector GUI. Result should be also visible in registry and exported config , example as below:
[HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent\Filter\Default] "description"="Default filter" "groups"="Example\INTERNET-FULL"
Alternatively, you can set LDAP on FGT towards DC, add that to FSSO Agent, then you have to switch Collector to Advanced mode in Set Directory Access Information. All current group bonds need to be redefined as format will change from MS style DOMAIN\GROUP to LDAP format CN=group,DC=example,dc=com ..
Pro of all that is that from now on you will be able to set group filters right from FGT (no need to touch Collector). Will gain info about exact group position so two groups placed differently in the tree with same name are no problem anymore. And Advanced mode allows group nesting as a bonus. Peronally I do prefer this Advanced mode.
Kind regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a group filter on the Collector Agent? Or did you mark all user that the shouldn't be synchronized to the Fortigate? Both are settings from the Collector Agent...
And how does the config look like on the Fortigate?
Especially this part in the CLI:
show user fsso
Regards,
Sylvia
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, it look like this 172.16.1.25 is the DC Agent on the Domain Controller.
config user fsso
edit "FSSO_172.16.1.25"
set password ENC NJuMLHH7eY5Qr+B1LcngXhjai9jjV/JoRNWd6k3RPF6IHB/lgZI+GVcJOd+OVCXu3W9TzFKgcT/jSX+p9W+stNx1+vz3zKih6sRKUF3dZTobvfZF
set server "172.16.1.25"
next
end
i do have Group Filter on the Collector Agent with only Groups that i need have to be synchronised
This is the Output of config user adgrp
config user adgrp
edit "Example/ACCESS-INTERNET-ADVANCED"
set server-name "FSSO_172.16.1.25"
next
edit "Example/ACCESS-INTERNET-BASIC"
set server-name "FSSO_172.16.1.25"
next
edit "Example/ACCESS-INTERNET-FULL"
set server-name "FSSO_172.16.1.25"
next
edit "Example/ACCESS-INTERNET-NONE"
set server-name "FSSO_172.16.1.25"
next
diag deb auth fsso server-status
# diag deb authd fsso server-status
# 2015-08-20 17:01:29
Server Name Connection Status Version
----------- ----------------- -------
2015-08-20 17:01:29 FSSO_172.16.1.25 connected FSSO 4.3.0129
diag debug Flow
# diag deb authd fsso refresh-groups
# 2015-08-20 17:03:01 id=36871 trace_id=177 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.1.25:8000->172.16.254.10:9906) from internal."
2015-08-20 17:03:01 id=36871 trace_id=177 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, reply direction"
2015-08-20 17:03:01 id=36871 trace_id=178 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.254.10:9906->172.16.1.25:8000) from local."
2015-08-20 17:03:01 id=36871 trace_id=178 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, original direction"
2015-08-20 17:03:11 id=36871 trace_id=179 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.1.25:8000->172.16.254.10:9906) from internal."
2015-08-20 17:03:11 id=36871 trace_id=179 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, reply direction"
2015-08-20 17:03:11 id=36871 trace_id=180 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.254.10:9906->172.16.1.25:8000) from local."
2015-08-20 17:03:11 id=36871 trace_id=180 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, original direction"
Sylvia wrote:Do you have a group filter on the Collector Agent? Or did you mark all user that the shouldn't be synchronized to the Fortigate? Both are settings from the Collector Agent...
And how does the config look like on the Fortigate?
Especially this part in the CLI:
show user fsso
Regards,
Sylvia
NSE 8
NSE 1 - 7
NSE 8
NSE 1 - 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sylvia wrote:Do you have a group filter on the Collector Agent? Or did you mark all user that the shouldn't be synchronized to the Fortigate? Both are settings from the Collector Agent...
And how does the config look like on the Fortigate?
Especially this part in the CLI:
show user fsso
Assuming you checked FSSO CA logs .... Sylvia is right, problems are most likely in group filters.
Here is small overview how it works:
Group filter is list if groups exchanged between Fortigate and FSSO CA which members of groups should be sent to Fortigate. Both Fortigate and FSSO CA can configure this filter. This filter could be in Windows notation, or LDAP groups notation.
From Fortigate you can however specify only LDAP group filter (by selecting LDAP server and groups in FSSO CA configuration).You can find this group list in "config user adgrp". It's not well known this list could be (at your own risk) edited since FortiOS 5.0.4. It might come handy in multidomain environments with single FSSO CA.
In FSSO CA the group filter is organized in registry, based on SN of the unit which connected to it.
It is preferred group filter sent (if configured to do so) from Fortigate. In that case FSSO CA saves this filter in registry under Fortigate's serial number. It's always overwritten (keep in mind this if you use multi-vdom scenario connecting to the same FSSO CA).
It might come handy to specify so called default filter, which is sent to all connecting Fortigates, but only if there is neither specific SN-based filter on CA, nor the filter is received from Fortigate.
Now we have explained how group filters work. But now it also depends how groups are evaluated in FSSO CA! We distinguish between Standard mode (windows group resolution) and Advanced mode (LDAP group resolution). Since users' groups have to match group filter, FSSO CA AD mode has to match too. If group filter is in Windows notation, you have to set Standard mode. If you set group filter with LDAP groups, you have to use Advanced mode.
Let me know if you have more questions.
Cheers,
Ales
smithproxy hacker - www.smithproxy.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
as you do not have LDAP bond to FSSO Agent on FGT ('config user fsso'), then you need to have manually specified groups in FGT _AND_ Collector Agent as well.
So what did you set in 'config user adgrp' on FGT has to be (at least those) set on Collector Agent. Use Set Group Filter in Collector GUI. Result should be also visible in registry and exported config , example as below:
[HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent\Filter\Default] "description"="Default filter" "groups"="Example\INTERNET-FULL"
Alternatively, you can set LDAP on FGT towards DC, add that to FSSO Agent, then you have to switch Collector to Advanced mode in Set Directory Access Information. All current group bonds need to be redefined as format will change from MS style DOMAIN\GROUP to LDAP format CN=group,DC=example,dc=com ..
Pro of all that is that from now on you will be able to set group filters right from FGT (no need to touch Collector). Will gain info about exact group position so two groups placed differently in the tree with same name are no problem anymore. And Advanced mode allows group nesting as a bonus. Peronally I do prefer this Advanced mode.
Kind regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So Problem Solved but it was realy not easy :=)
We tried with an System Engineer from Fortinet Support 2h together and tried everything, i think this was just some kind of a bug of this old versions.
After deleting and reinstalling all again it works now, but no one knows what was the real Problem and if that will occur again soon.
I hope it will work for 2 Month from now, then we do a Migration to 200D and everything should be ok.
Thank you all for your Help!
NSE 8
NSE 1 - 7
NSE 8
NSE 1 - 7
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,782 -
FortiClient
1,783 -
5.2
801 -
FortiManager
739 -
5.4
639 -
FortiAnalyzer
565 -
FortiSwitch
480 -
Fortiap
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
193 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
108 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
58 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
36 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiGate-VM
22 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1742 | |
| 1110 | |
| 758 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.