I have problem configuring FSSo with two domain controllers DC1 and DC2, DNS priority for all clients is set DC1 then DC2 so all users authenticate on DC1, I have installed collector agents with DC agents on DC1 and DC2, but agent on DC1 is configured to send its data to DC2. On both Collector agents both DC are checked to be monitored for user login events.
Fortigate is connected to DC2 as "Primary FSSO agent" - and it list AD groups correctly. The problem is almost all logins on DC2 are listed as "Not verified" - I don't know how to fix this.
But what is the problem: on DC1 almost all domain users in collector agent have status OK, at the same time on the second collector agent od DC2 the same users have status "Not verified". Both DC are in the same subnet and managed by the same ipv4 fortigate firewall policy.
if collector agent (with configuration user to retrieve logs) is installed on DC2, on DC1 is only installed DC agent (during installation here there is no account configuration responsible for retrieve logs) so what user is used on DC2 to collect login events?
Fortinet Single Sign On Agent Service is suggested to run with the privileges of a domain admin account. It will assure that whatever mode or feature is selected it will have enough permissions to complete its own task, If you do not want to use domain admin account you follow below link
Anyone could help me with that, it looks that collector agent on DC1 authorize users, but this authorized users never shows up on DC2 where connector agent is connected to fortigate, and because of that users don't have internet access.
the FortiGate is connected to only one collector. The one collector that is active, will do workstation checks and remove users if they are not logged in anymore.
The Collector that is not active, will not do the workstation checks until it is active. If it was active it will have done until it got inactive.
"Not verified" is not directly related as it means that the workstation WAS done BUT failed. The workstation check was unable to verify the user status. Then the user is put to "not verified". That in turn starts the "dead entry timer" (default = 480 minutes).
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.