Support Forum
Fullmoon
Contributor III

LDAP SSO with proxy authentication

Hello Fellas,

 

Got a chance to post one of my client's requests: Explicit Proxy with Authentication.

Based on the attached screenshot, is this feasible? If yes, why is my login account not working?

 

Note: AD/LDAP Server is running on Windows 2003 R2.

 

Tried the following login methods but no success:

- username/domain.com, password **********
- domain/username, password ********
- username@domain.com, password

Please see screenshots 1-4 for reference.

 

Any feedback is much appreciated. Thank you in advance.

 

 

 

Fortigate Newbie
Fullmoon
Contributor III

Hi HA, a good point to start. I will update you as soon as my end user and I meet our schedule.

Based on screenshots 1-3, were those settings correct? Thanks.

Additional question: in what cases/scenarios do I need CN over sAMAccountName? It's confusing on my part.

Fortigate Newbie
Fullmoon
Contributor III

HA wrote:

Hello,

 

In the screenshot Step 4 that you posted, change the following values:

1. Uncheck 'Enabled IP Based authentication'

2. Default Authentication Method: Choose NTLM.

 

Hi HA,

 

I tried what you instructed me to do but I got an error "Invalid Input Value". Any guess?

 

Any feedback is much appreciated again. Thanks

Fortigate Newbie
HA
Contributor

Hello,

 

Active Directory is an LDAP-compliant directory service, but there are some differences from standard LDAP naming.

If you use Novell eDirectory or Sun LDAP, you probably need to use CN...

 

See: http://blogs.msdn.com/b/openspecification/archive/2009/07/10/understanding-unique-attributes-in-acti...

 

Regards,

 

HA

 

 

Dinesh_FTNT
Staff

Hi,

First check the connectivity between the server and the FGT. In some cases, the connection does not get completely established with the server.

 

Run the command below and check whether the status shows "connected" or "connecting".

 

 diagnose debug fsso-polling detail

 

If it shows correctly, then check that it shows all the selected user groups.

Also make sure the username entered on FSSO has "domain admin" privileges so that it can read the event logs.

 

Regards,

 

Dinesh R

tuumke

Fullmoon wrote:

HA wrote:

Hello,

 

In the screenshot Step 4 that you posted, change the following values:

1. Uncheck 'Enabled IP Based authentication'

2. Default Authentication Method: Choose NTLM.

 

Hi HA,

 

I tried what you instructed me to do but I got an error "Invalid Input Value". Any guess?

 

Any feedback is much appreciated again. Thanks

Dinesh wrote:

Hi,

First check the connectivity between the server and the FGT. In some cases, the connection does not get completely established with the server.

 

Run the command below and check whether the status shows "connected" or "connecting".

 

 diagnose debug fsso-polling detail

 

If it shows correctly, then check that it shows all the selected user groups.

Also make sure the username entered on FSSO has "domain admin" privileges so that it can read the event logs.

 

Regards,

 

Dinesh R

Having the same issue.

DC1FWP010 # diagnose debug fsso-polling detail
AD Server Status:
ID=1, name(10.221.42.5),ip=10.221.42.5,source(security),users(0)
port=auto username=prod\xxxxx
read log offset=502242897, latest logon timestamp: Wed Jan 20 11:33:47 2016

polling frequency: every 10 second(s) success(122), fail(1)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
most recent connection status: connected

Group Filter:
CN=DL FNC - Gebruikers - InternetToegang - Ongefilterd,OU=Functionele Groep,OU=sHL Groepen,DC=prod,DC=shl,DC=local+CN=DL FNC - Gebruikers - InternetToegang - Standaard,OU=Functionele Groep,OU=sHL Groepen,DC=prod,DC=shl,DC=local

DC1FWP010 #


But when trying to set authentication to NTLM:

DC1FWP010 (1) # set active-auth-method ntlm
Cannot set active-auth-method to NTLM since no FSSO agent is configured.
node_check_object fail! for active-auth-method ntlm

value parse error before 'ntlm'
Command fail. Return code -651

But we do have a local FSSO agent:

DC1FWP010 # config user fsso

DC1FWP010 (fsso) # show
config user fsso
    edit "Local FSSO Agent"
        set server "127.0.0.1"
        set ldap-server "LDAP"
    next
end

-edit-

Apparently, our DCs don't collect the login events (only failed login events), because otherwise we wouldn't be able to go back past 3 days if we needed to search for something in the event logs...

Need to figure out something else =/

leduke
New Contributor

Use these parameters:

Common Name Identifier: sAMAccountName

 

User DN: administrator (do not use administrator@domain.local)

 

It's better to create an account for the fortinet unit instead of using administrator.

 

tuumke
New Contributor

I changed it, but still no luck...

DC1FWP010 # diagnose debug fsso-polling detail
AD Server Status:
ID=1, name(10.221.42.5),ip=10.221.42.5,source(security),users(0)
port=auto username=prod\xxx (user with domain admin)
read log offset=502415081, latest logon timestamp: Fri Jan 22 13:05:53 2016

polling frequency: every 10 second(s) success(16198), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
most recent connection status: connected

Group Filter:
CN=DL FNC - Gebruikers - InternetToegang - Ongefilterd,OU=Functionele Groep,OU=sHL Groepen,DC=prod,DC=shl,DC=local+CN=DL FNC - Gebruikers - InternetToegang - Standaard,OU=Functionele Groep,OU=sHL Groepen,DC=prod,DC=shl,DC=local

 

It doesn't see any users. Does the polling access the DCs' event log and search for logon events?

aleks79
New Contributor

Hello,

 

My simple task: Explicit proxy with FSSO Polling

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36382

https://www.youtube.com/watch?v=WopByyq1rTI

 

My output:

FG100D # diagnose debug fsso-polling detail
AD Server Status:
ID=1, name(192.168.X.X),ip=192.168.X.X,source(security),users(27)
port=auto username=Administrator
read log offset=3056387, latest logon timestamp: Tue Jan 26 12:00:25 2016

polling frequency: every 10 second(s) success(144996), fail(0)
LDAP query: success(10453), fail(0)
LDAP max group query period(seconds): 1
Number of users logged in:
...

 

DC Looks OK.

 

I configured the explicit policy:

config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "port1"
        set srcaddr "TEST-PC"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set identity-based enable
        set ip-based enable
        set sso-auth-method fsso
        config identity-based-policy
            edit 1
                set schedule "always"
                set logtraffic all
                set utm-status enable
                set groups "SSO_Domain_Users"
                set av-profile "Default-Proxy"
                set webfilter-profile "default"
                set ips-sensor "default"
                set application-list "default"
                set casi-profile "default"
                set profile-protocol-options "default"
                set ssl-ssh-profile "certificate-inspection"
            next
        end
    next
end

 

And when I want to enable NTLM I get the same error as you...

FG100D3G15817044 (2) # set active-auth-method ntlm
Cannot set active-auth-method to NTLM since no FSSO agent is configured.
node_check_object fail! for active-auth-method ntlm

value parse error before 'ntlm'
Command fail. Return code -651
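The two `diagnose debug fsso-polling detail` outputs in this thread (tuumke's, with users(0), and aleks79's, with users(27) and successful LDAP queries) differ in a handful of counters. As an added example, not part of any post here, this small script parses those counters and applies the triage order the replies follow (connection status, logon events seen, group lookups). The samples are constructed to match the output format shown above; IPs and account names are made up.

```python
import re

# Constructed samples shaped like the `diagnose debug fsso-polling detail`
# output quoted in this thread (IPs, usernames and offsets are made up).
NO_LOGONS = """AD Server Status:
ID=1, name(10.0.0.5),ip=10.0.0.5,source(security),users(0)
port=auto username=example\\svc-fsso
polling frequency: every 10 second(s) success(16198), fail(0)
LDAP query: success(0), fail(0)
most recent connection status: connected
"""
HEALTHY = """AD Server Status:
ID=1, name(10.0.0.6),ip=10.0.0.6,source(security),users(27)
port=auto username=svc-fsso
polling frequency: every 10 second(s) success(144996), fail(0)
LDAP query: success(10453), fail(0)
most recent connection status: connected
"""

# Regexes for the counters the thread's replies key on.
PATTERNS = {
    "users": r"users\((\d+)\)",
    "poll_fail": r"polling frequency:.*fail\((\d+)\)",
    "ldap_ok": r"LDAP query: success\((\d+)\)",
    "ldap_fail": r"LDAP query: success\(\d+\), fail\((\d+)\)",
    "status": r"most recent connection status: (\w+)",
}

def parse_polling_detail(text):
    """Extract the counters from the CLI output; raise if a field is missing."""
    info = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {key!r} not found in polling output")
        info[key] = match.group(1) if key == "status" else int(match.group(1))
    return info

def triage(info):
    """Return the most likely blocker, in the order the thread's replies check."""
    if info["status"] != "connected":
        return "not connected: check reachability and the polling account credentials"
    if info["users"] == 0:
        # tuumke's case: polling succeeds but the DC logs no successful logons,
        # or the polling account cannot read the security event log.
        return "connected but no logon events: DC is not auditing successful logons"
    if info["ldap_fail"] > 0:
        return "logons seen but group lookups failing: check the LDAP server settings"
    return "polling healthy: users seen and group queries succeeding"
```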

NotMine

One of the SSO requirements is that your DNS server has correct A records for every single workstation on which users log on. Please run this command in the CLI and see if there are any users shown and if their reported IP addresses match their real IP addresses:

 

diagnose debug authd fsso list

 

Also, turn on logging of all sessions on this explicit proxy policy and see if it actually matches any traffic.

NSE 7

All opinions/statements written here are my own.