Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jjm1971
New Contributor

Fortigate FSSO Polling

I am configuring FSSO using the polling method and I am seeing some strange results. The Fortigate is seeing the user logon event and I can see the corresponding Kerberos event IDs 4768 and 4769 on the AD server, however the Fortigate is then logging a logoff event almost instantly for that same user.  

 

As far as I understand, polling mode only reads events 4768 and 4769.  On the server security event log, there is a logoff event (4634), even though the user is still logged onto the machine, not sure why that is being logged by the AD server.

 

Has anyone come across this type of behaviour before?  Not sure if this is expected, however it means that the FSSO groups can't be used.  I'm aware that this is not the recommended method for FSSO, however I have a customer who wants to use this (until I can persuade them to use DC agent mode).

 

Thanks

 

John

 

FortiGate 

1 Solution
pminarik

Try adding the suffix as "default-domain" to the FSSO entry (CLI only):
config user fsso-polling

edit <id>

set default-domain <domain-suffix here>

end

[ corrections always welcome ]

View solution in original post

4 REPLIES 4
pminarik
Staff
Staff

The logoff event 4634 is not used by any FSSO solution (FGT itself, Collector Agent, FAC) for exactly the reason you outlined - it has no relation to whether a user has actually logged out of their workstation.

 

If you're getting instant kicks out of FSSO, the reason must be something else. Check authd + fssod debug outputs, reach out to TAC if you need help parsing them.

[ corrections always welcome ]
jjm1971

Thanks pminarik

 

I found what the issue was through the fssod debug, the time was out between the Fortigate and the AD server

[process_logon_time_stats:101] logon(john:10.245.225.41)'s effective time(1673970919) on Fortigate is before that(1673971018) on AD server. Please sync the time of Fortigate and AD server.

........

[auth_svr_check_obsolete_logon:840] the logon item(john:10.245.225.41) is obsolted at the time(Tue Jan 17 15:56:58 2023
) for its time is (Tue Jan 17 15:56:58 2023

 

So it looks like it was logging the user off again.  However in the course of looking at the debug I have come across another issue which I can't seem to fix as yet.

 

The Fortigate tries a DNS query for the workstation after it has the logon information, but that is failing as there is no domain associated with it, the response is a SERVFAIL.

 

[dns_parse_resp:133] 2: DNS response received for host WINDOWS10-2 is_ip6 0, id 11
[dns_parse_resp:149] rcode err 2
[logon_dns_callback:290] failed to resolve logon-WINDOWS10-2 in vdom Lab
[dns_parse_resp:133] 2: DNS response received for host WINDOWS10-2 is_ip6 1, id 12
[dns_parse_resp:149] rcode err 2
[logon_dns_callback:290] failed to resolve logon-WINDOWS10-2 in vdom Lab

 

I've added a local domain under the DNS settings, however it doesn't appear to take effect with these requests.  I'm using VDOMs by the way, I would have thought adding a local domain in the global DNS settings would work but it doesn't.  I've specified the DNS servers for this VDOM, although I can't see a way of adding a domain to a VDOM specifically.  I assume this is only done globally.

 

 

pminarik

Try adding the suffix as "default-domain" to the FSSO entry (CLI only):
config user fsso-polling

edit <id>

set default-domain <domain-suffix here>

end

[ corrections always welcome ]
jjm1971
New Contributor

Thanks, that's fixed it!

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors