Hi,
I have a problem configuring FSSO with two domain controllers, DC1 and DC2. DNS priority for all clients is set to DC1 then DC2, so all users authenticate on DC1. I have installed collector agents with DC agents on DC1 and DC2, but the agent on DC1 is configured to send its data to DC2. On both collector agents, both DCs are checked to be monitored for user login events.
The FortiGate is connected to DC2 as the "Primary FSSO agent", and it lists AD groups correctly. The problem is that almost all logins on DC2 are listed as "Not verified", and I don't know how to fix this.
Hi Tutek,
Please try the steps mentioned in the below KB article.
regards,
Sheikh
Created on 03-12-2023 10:17 AM Edited on 03-12-2023 10:29 AM
But what is the problem: on DC1 almost all domain users in the collector agent have status OK, while at the same time on the second collector agent on DC2 the same users have status "Not verified". Both DCs are in the same subnet and managed by the same IPv4 FortiGate firewall policy.
Hi,
If the collector agent (with a configured user to retrieve logs) is installed on DC2, and on DC1 only the DC agent is installed (during its installation there is no account configuration responsible for retrieving logs), then what user is used on DC2 to collect login events?
Hello,
The Fortinet Single Sign On Agent Service is suggested to run with the privileges of a domain admin account. This assures that whatever mode or feature is selected, it will have enough permissions to complete its task. If you do not want to use a domain admin account, you can follow the link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-Fortinet-Single-Sign-On-Agent-...
If you are using the DC agent, there is no need for a user to retrieve logon events from DC1. The DC Agent on DC1 will send logon events to the Collector agent itself.
Could anyone help me with that? It looks like the collector agent on DC1 authorizes users, but these authorized users never show up on DC2, where the collector agent is connected to the FortiGate, and because of that users don't have internet access.
FSSO on DC2 shows currently logged users: 127
At the same time on DC1:
As I said, both collectors share data with each other, so everything should be the same.
Hi Tutek,
the FortiGate is connected to only one collector. The one collector that is active will do workstation checks and remove users if they are not logged in anymore.
The collector that is not active will not do the workstation checks until it is active. If it was active, it will have done them until it became inactive.
"Not verified" is not directly related, as it means that the workstation check WAS done BUT failed. The workstation check was unable to verify the user status. Then the user is put to "not verified". That in turn starts the "dead entry timer" (default = 480 minutes).
Hope this clarifies this a bit.
Best regards,
Markus
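To make the behaviour Markus describes concrete, here is an added simulation (not Fortinet code, and not taken from this thread) of two collectors that share the same logon entries while only the active one runs workstation checks. The workstation reachability map, user names and the simulated clock are constructed; the 480-minute dead entry timer is the default quoted above. It shows why the standby collector keeps showing "OK" while the active collector moves unreachable workstations to "Not verified" and later drops them.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

DEAD_ENTRY_TIMER_MIN = 480  # default dead entry timer quoted in the thread


class Status(Enum):
    OK = "OK"
    NOT_VERIFIED = "Not verified"
    REMOVED = "Removed"


@dataclass
class LogonEntry:
    user: str
    workstation: str
    status: Status = Status.OK
    not_verified_since: Optional[int] = None  # simulated clock, minutes


class Collector:
    """Model of an FSSO collector agent.

    Both collectors receive the same logon events (they share data), but only
    the collector the FortiGate is connected to (active=True) performs the
    workstation checks that can mark an entry "Not verified".
    """

    def __init__(self, name: str, active: bool, reachable: Dict[str, bool]):
        self.name = name
        self.active = active
        self.reachable = reachable  # constructed: workstation -> check succeeds?
        self.entries: Dict[str, LogonEntry] = {}

    def logon(self, user: str, workstation: str) -> None:
        # A fresh logon always starts as OK, on both collectors.
        self.entries[user] = LogonEntry(user, workstation)

    def workstation_check(self, now_min: int) -> None:
        if not self.active:
            return  # standby collector does no checks; entries stay as received
        for e in self.entries.values():
            if e.status is Status.REMOVED:
                continue
            if self.reachable.get(e.workstation, False):
                e.status, e.not_verified_since = Status.OK, None
            elif e.status is Status.OK:
                # Check ran but could not verify the user: start the dead entry timer.
                e.status, e.not_verified_since = Status.NOT_VERIFIED, now_min
            elif now_min - e.not_verified_since >= DEAD_ENTRY_TIMER_MIN:
                e.status = Status.REMOVED  # timer expired, entry is dropped

    def status_counts(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for e in self.entries.values():
            counts[e.status.value] = counts.get(e.status.value, 0) + 1
        return counts

    def logged_on_users(self) -> List[str]:
        return sorted(u for u, e in self.entries.items() if e.status is not Status.REMOVED)


def simulate() -> Dict[str, Dict[str, int]]:
    # Constructed scenario: three users, two of whose workstations the active
    # collector cannot reach (e.g. firewalled or host-based firewall blocking).
    reachable = {"ws-alice": True, "ws-bob": False, "ws-carol": False}
    dc1 = Collector("DC1", active=False, reachable=reachable)  # standby
    dc2 = Collector("DC2", active=True, reachable=reachable)   # connected to FortiGate
    for user, ws in (("alice", "ws-alice"), ("bob", "ws-bob"), ("carol", "ws-carol")):
        dc1.logon(user, ws)
        dc2.logon(user, ws)

    results = {}
    dc1.workstation_check(0)
    dc2.workstation_check(0)
    results["t=0 DC1"] = dc1.status_counts()
    results["t=0 DC2"] = dc2.status_counts()

    # After the dead entry timer has elapsed the active collector drops the entries.
    dc1.workstation_check(DEAD_ENTRY_TIMER_MIN)
    dc2.workstation_check(DEAD_ENTRY_TIMER_MIN)
    results["t=480 DC1"] = dc1.status_counts()
    results["t=480 DC2"] = dc2.status_counts()
    results["t=480 DC2 users"] = {"count": len(dc2.logged_on_users())}
    return results


if __name__ == "__main__":
    for label, counts in simulate().items():
        print(label, counts)
```

The practical reading of the model: a large "Not verified" population on the active collector points at the workstation check itself failing (the collector cannot reach the client to confirm the session), not at the logon feed from the other DC, which is why the standby collector can show the same users as "OK".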
Please delete.