Can you try the link again? It works for me just fine.
Regarding 2FA at the workstations, no, FSSO doesn't interfere with that; it passively collects login information from domain controllers and doesn't care what else might be going on with the workstations.
Regarding the users not noticing anything - ideally, this is the case.
There can be a few pitfalls with FSSO, however.
-> FSSO tracks one login per IP
-> usually this is the user login
-> if a service account or administrator account performs some activity on the workstation, this can trigger a login event and replace the user login in FSSO, and suddenly the user might no longer match the intended policies, because FSSO and FortiGate believe a different user (with different group/webfilter permissions/etc) is active
-> if a user moves their laptop from Ethernet to Wi-Fi, this usually includes an IP change
-> FSSO would initially still have the old IP information, and the user might lack access on the new IP
-> FSSO regularly resolves workstation names against domain DNS to verify if IP changes happened
-> depending on which DNS server has the user's IP and which DNS server FSSO checks, it could take several minutes for FSSO to notice the IP change and share with FortiGate to allow the user proper access again
This is to say:
- I would strongly suggest setting up a lab/small-scale test before rolling out FSSO company-wide
- check what method of detecting logins (DC Agent, or polling) would work best with your environment
- get all the fine-tuning done (such as ignoring administrators/service accounts, having non-FSSO policies in place for devices that can't log in such as printers/IP phones/etc, ensuring DNS servers have updated IP information quickly for FSSO to see,...)
-> test the most common scenarios that might be challenging for FSSO (service/admin accounts interfering, IP changes, RDP (as that can generate a login on the remote AND local workstation, which could again replace the original user),...)
- if you have terminal servers, they will need a Terminal Server Agent running on them to also be covered by FSSO (FSSO can then distinguish between different users on the same IP based on assigned port-ranges, which FSSO otherwise does not allow for)
Initial configuration of FSSO can be a headache and a half, but everything you check/test/configure in the beginning will ensure it runs smoothly afterwards :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
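
The one-login-per-IP pitfalls described in the reply above, as an added illustration that is not part of the original post and is not Fortinet code: a simplified Python model of an IP-to-user table, showing a service-account logon replacing the user, an ignore list preventing that, and a DNS re-check following an IP change. The class name, account names, workstation name and addresses are all constructed for the example.

```python
# Simplified model of a "one login per IP" identity table (illustrative only).
from dataclasses import dataclass, field


@dataclass
class LogonTable:
    ignore_users: set = field(default_factory=set)  # accounts whose logons are dropped
    by_ip: dict = field(default_factory=dict)       # ip -> (user, workstation)

    def logon(self, user, workstation, ip):
        """Record a logon event; the latest non-ignored logon on an IP wins."""
        if user.lower() in self.ignore_users:
            return False
        self.by_ip[ip] = (user, workstation)
        return True

    def dns_recheck(self, dns):
        """Re-resolve each workstation name and move entries whose IP changed."""
        moved, updated = [], {}
        for ip, (user, ws) in self.by_ip.items():
            current = dns.get(ws.lower(), ip)  # keep the old IP if DNS has no record
            if current != ip:
                moved.append((ws, ip, current))
            updated[current] = (user, ws)
        self.by_ip = updated
        return moved

    def user_at(self, ip):
        entry = self.by_ip.get(ip)
        return entry[0] if entry else None


# Constructed sample logon events: (user, workstation, ip)
EVENTS = [
    ("alice", "WS-017", "10.0.5.17"),
    ("svc_backup", "WS-017", "10.0.5.17"),  # service account touches the workstation
]


def replay(ignore=()):
    """Feed the sample events into a fresh table with the given ignore list."""
    table = LogonTable(ignore_users={u.lower() for u in ignore})
    for event in EVENTS:
        table.logon(*event)
    return table


if __name__ == "__main__":
    print(replay().user_at("10.0.5.17"))                # svc_backup replaced alice
    table = replay(["svc_backup"])
    print(table.user_at("10.0.5.17"))                   # alice is kept
    print(table.user_at("10.0.6.40"))                   # None: new Wi-Fi IP unknown so far
    print(table.dns_recheck({"ws-017": "10.0.6.40"}))   # entry follows the DNS record
    print(table.user_at("10.0.6.40"))                   # alice
```

Until the DNS record for the workstation is updated and re-checked, lookups on the new address return no user, which is the window in which identity-based policies would not match.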