Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RetchedOne
New Contributor

Poll Active Directory Server

Is anyone using " Poll Active Directory Server" with any luck? I' m trying to NOT use the FSSO agent... It is my understanding that i DO NOT need the FSSO agent installed on the DC if I choose the " Poll Active Directory Server" (new 5.0 setting) So far I' m getting no where... And neither is tech support... I set up a LDAP connection (works) Setup a " Single Sign-On" connection and chose " Pol Active Directory Server" I can select the AD group, make rules, and get nothing... no access... not denied, just no access... Log inst much help, neither is debug.
FWF 60c - 40 of the suckers - 5.0 build 128 300c - 4 units (2 HA pairs) - 5.0 build 128 FortiManager FortiClients
FWF 60c - 40 of the suckers - 5.0 build 128 300c - 4 units (2 HA pairs) - 5.0 build 128 FortiManager FortiClients
10 REPLIES 10
stephen_ren_FTNT

I just tried FSSO polling mode on V5.0.1,it works fine.Have you created the user group and select the group members?And you should create the identity based policy and select the user group in the policy.Pls check your config,especially the policy config.Thanks.
ZeroInterrupt
New Contributor

Nope.. does not work for me. Fortinet tech support is having a hell of a time with it as well. I can get the groups in and all the and all of the necessary config, but all users show up as guest. The LDAP tests ok from the ' edit LDAP server' , but when i test the authentication via the command line ' diagnose test authserver ldap <LDAP server_name> <username> <password>' and it fails...
ZeroInterrupt
New Contributor

Update: Just fixed the command line fail issue, but all users still show up as guest. I am going to bounce the firewall tonight to see if that fixes anything.
rwpatterson
Valued Contributor III

For the work stations, do you use DHCP or are the addresses hard coded?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Antonio_Milanese

Hello zerointerrupt , in my understanding/knowledge AD polling has to poll security event log to retrieve workstation address so LDAP binding it' s only half of the equation address i' ve some questions I would ask: - which version of Windows version ? - have you set any event logs access restrictions via group policies? - antivirus/hips in place? - restrictions on log onto DC ? - multiple DC/domains/forests ? just to some hypotheses... best regards, Antonio
msaraiva
New Contributor

It seems that the internal collector does not support NTLM authentication (for instance, computers not joined to domain and non-windows workstations). If you take a look at: # config system fsso-polling # get status : enable listening-port : 8000 authentication : disable There' s no option to enable NTLM authentication like there' s in the Windows based collector. I' ve done a packet trace and the Fortigate does not send a NTLM_CHALLENGE response to the client, it justs reset the connection. Take a look at the traces i' ve attached. fgt_ntlm_broken - Using internal Fortigate Collector fgt_ntlm_ok - Using Windows based Fortigate Collector When using the Windows collector, Fortigate sends a NTLM_CHALLENGE to the user' s browser. This does not happen when the internal Collector is used.
msaraiva
New Contributor

attach fgt_ntlm_ok.jpg
msaraiva
New Contributor

attach fgt_ntlm_broken.jpg
fropert_FTNT
Staff
Staff

@msaraiva NTLM support is actually a new feature request. This has been requested to be implemented in a future release.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors