Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
robinct
New Contributor

FortiGate SSO users using RODC

I'm at initial setup of FortiGate SSO. I'm currently using the option with an installed Collector Agent that are polling our DC's.

 

The problem comes when users are logging in to one of the RODC's, and the client are getting the workstation IP of the RODC, instead of their respective workstations.

 

Would installing DC agents solve this, or is there another way around this?

4 REPLIES 4
xsilver_FTNT
Staff
Staff

I would try to put IP addresses of RODC servers to FSSO registry key "dc_agent_ignore_ip_list" of Collector.

Which supposed to be )on 64bit system) in [HKEY_LOCAL_MACHINE\software\WOW6432Node\fortinet\fsae\collectoragent]

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

robinct

xsilver wrote:

I would try to put IP addresses of RODC servers to FSSO registry key "dc_agent_ignore_ip_list" of Collector.

Which supposed to be )on 64bit system) in [HKEY_LOCAL_MACHINE\software\WOW6432Node\fortinet\fsae\collectoragent]

Thanks. Found the key. Tested briefly for a couple of hours, and the only difference seems to be that the users aren't being registered at all now. I will leave it running for a while longer

xsilver_FTNT

There is KB https://kb.fortinet.com/kb/documentLink.do?externalID=FD36364 and old blog post of MSFT on how RODC works .. https://blogs.technet.microsoft.com/askds/2008/01/18/understanding-read-only-domain-controller-authe...It's a bit old post but I guess that there is not much of a new stuff since then.

 

So, as RODC is basically cache for logons and read-only, then if user authenticates locally, it might NOT generate any event, but if user is not cached (pre-cached as described in MSFT post) then logon is proxied from RODC to writable DC. And as originator is RODC then I gues sthis is reason why writable DC has RODC as 'workstation' where user logged in. Pre-cached passwords on RODC via admin action and then kept by password replication policy might help.

I'm referring to part: "When a user authenticates to an RODC a check is performed to see if the password is cached. If the password is cached, the RODC will authenticate the user account locally. If the user’s password is not cached, then the RODC forwards the authentication request to a writable Windows Server 2008 Domain Controller which in turn authenticates the account and passes the authenticated request back to the RODC."

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

FrancoisBlanchon
New Contributor

Hi Guys,

I am currently assisting my customer for FSSO implementation. To be honest I do not clearly understand this thread. Should I install DC Agent on RODC or not ? will I be able to get the users logon's information from remote small sites with local RODC ? With their real IPs or with the useless RODC IP address ?

If someone can clarify this point it could be great.

Thanks a lot.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors