Tutek
Contributor

Help me configure FSSO with two DC

Hi,

I have a problem configuring FSSO with two domain controllers, DC1 and DC2. DNS priority for all clients is set to DC1 then DC2, so all users authenticate on DC1. I have installed collector agents with DC agents on DC1 and DC2, but the agent on DC1 is configured to send its data to DC2. On both collector agents, both DCs are checked to be monitored for user login events.

The FortiGate is connected to DC2 as "Primary FSSO agent" and it lists AD groups correctly. The problem is that almost all logins on DC2 are listed as "Not verified". I don't know how to fix this.

Sheikh
Staff

Hi Tutek,

Please try the steps mentioned in the KB article below.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-User-status-Not-Verified-on-the-FSSO...

Regards,

Sheikh

 

Tutek

But what is the problem? On DC1 almost all domain users in the collector agent have status OK, while at the same time on the second collector agent on DC2 the same users have status "Not verified". Both DCs are in the same subnet and managed by the same IPv4 FortiGate firewall policy.

Tutek
Contributor

Hi,

If the collector agent (with a user configured to retrieve logs) is installed on DC2, and on DC1 only the DC agent is installed (during installation there is no configuration of an account responsible for retrieving logs), what user is used on DC2 to collect login events?

vsahu

Hello,

The Fortinet Single Sign On Agent Service is suggested to run with the privileges of a domain admin account. This ensures that whatever mode or feature is selected, it will have enough permissions to complete its own task. If you do not want to use a domain admin account, follow the link below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Fortinet-Single-Sign-On-Agent-...

 

Regards,
Vishal
akanibek

If you are using the DC agent, there is no need for a user to retrieve logon events from DC1. The DC agent from DC1 will send logon events to the collector agent itself.

 

Tutek
Contributor

Could anyone help me with that? It looks like the collector agent on DC1 authorizes users, but these authorized users never show up on DC2, where the connector agent is connected to the FortiGate, and because of that users don't have internet access.

Tutek
Contributor

FSSO on DC2 shows currently logged users: 127

[Screenshot: Tutek_0-1678726616724.png]

At the same time on DC1:

[Screenshot: Tutek_1-1678726660735.png]

As I said, both collectors share data with each other, so everything should be the same.

Markus_M

Hi Tutek,

The FortiGate is connected to only one collector. The one collector that is active will do workstation checks and remove users if they are not logged in anymore.

The collector that is not active will not do the workstation checks until it is active. If it was active, it will have done so until it became inactive.

"Not verified" is not directly related, as it means that the workstation check WAS done BUT failed. The workstation check was unable to verify the user status. Then the user is put to "not verified". That in turn starts the "dead entry timer" (default = 480 minutes).

Hope this clarifies this a bit.

Best regards,

Markus

 

Tutek
Contributor

Please delete.

 

 

 
