clicerioneto

Poll Active Directory issue after installed the Windows Server update KB5004948

Hi,

 

After applying the Windows cumulative update KB5004948 in my environment, Poll Active Directory shows the following error:

# diagnose debug fsso-polling detail 1
AD Server Status(err: server can not be accessible):

 

The Fortigate is running with FortiOS 6.2.9.

 

I have opened a ticket with Fortinet support, but I haven't yet received a reply about a fix for this issue.

 

Is anyone else seeing this same issue, or does anyone have a solution for it?

bbilut

Are both your DCs and your FSSO server(s) patched to the July level?

clicerioneto

I don't use the FSSO agent. I only use the Poll Active Directory configuration (agentless). The communication is just between the DC and the FortiGate. My DCs have the latest patch.

bbilut

Since Microsoft hardened how remote event logs are viewed and you're using an agentless config, I think you only have two options: set up the FSSO collector agent on a Windows Server with the June or later patch, or wait for Fortinet to update FortiOS with a fix for Microsoft's changes. Who knows when that will be.

xsilver_FTNT

That's what I and others found out so far...

Those who opened a ticket with Fortinet TAC should already know this, so this is a bit of data for others.

 

In short, the Microsoft patches KB5003646 / KB5003638 / KB5003696, and the later cumulative updates (including the temporary patches), broke FSSO polling from FortiGate and FortiAuthenticator, as they changed the way external apps can access WinSec data through the Microsoft API. A one-sided act.

All patched versions of Microsoft servers are affected: 2019 - KB5003646 / 2016 - KB5003638 / 2012 - KB5003696 / KB5003638.

https://support.microsoft.com/en-us/topic/june-8-2021-kb5003646-os-build-17763-1999-81e2ff5a-0769-4e...

 

FortiAuthenticator was handled in bug report #0725129

- fixed since 6.3.2 / 6.4.0

- note that the new versions like 6.3.2 work with patched DCs only; they do not work with unpatched DCs!

- because that Microsoft patch is expected/claimed to stay permanently, more and more DCs are expected to be patched

 

The FortiGate local poller was handled in bug report #0725056

- fixed in 6.2.10 / 6.4.7 / 7.0.2

 

The Win2016 cumulative update KB5004238 should now (since its release date, 2021-07-13) include KB5003638 (according to the Microsoft Update Catalog change notes):

https://www.catalog.update.microsoft.com/Search.aspx?q=KB5003638

("Removes support for the PerformTicketSignature setting and permanently enables Enforcement mode for CVE-2020-17049. For more information and steps to enable full protection on domain controller servers, see Managing deployment of Kerberos S4U changes for CVE-2020-17049.")

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer
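Before deciding between waiting for the fixed FortiOS build and moving to a collector agent, it helps to know which of the Microsoft updates named above are actually present on each domain controller. The following PowerShell is an added example, not from this thread or from Fortinet; it assumes the RSAT ActiveDirectory module is available and that the DCs accept remote WMI/CIM and hotfix queries, and the function name Get-FssoPollingImpact is an invented one.

```powershell
# Added example (not from the thread or Fortinet): inventory the Microsoft
# updates mentioned in the thread on every DC, so you can tell in advance
# which DCs will break agentless FSSO polling on a FortiGate without the fix.
Import-Module ActiveDirectory

# KBs from the thread, keyed by the server family they apply to.
$KnownUpdates = @{
    '2012' = @('KB5003696', 'KB5003638')
    '2016' = @('KB5003638', 'KB5004238')   # KB5004238 is the July CU that includes KB5003638
    '2019' = @('KB5003646', 'KB5004948')   # KB5004948 is the CU the original poster applied
}

function Get-FssoPollingImpact {
    [CmdletBinding()]
    param(
        # Defaults to every DC in the current domain; pass names to limit scope.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                      Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        $os = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc).Caption
        # Match the server family from the OS caption ("Windows Server 2012 R2" -> '2012').
        $family = $KnownUpdates.Keys | Where-Object { $os -match $_ } | Select-Object -First 1
        $hotfixes = Get-HotFix -ComputerName $dc
        $found = @()
        if ($family) {
            $found = @($KnownUpdates[$family] | Where-Object { $hotfixes.HotFixID -contains $_ })
        }
        # Caveat: a newer cumulative update supersedes these KBs without listing them,
        # so an empty MatchedUpdates column does not prove the hardening is absent.
        # Compare the newest installed update's date against June 2021 as well.
        $newest = $hotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1
        [pscustomobject]@{
            DomainController = $dc
            OS               = $os
            MatchedUpdates   = ($found -join ', ')
            NewestUpdate     = $newest.HotFixID
            NewestInstalled  = $newest.InstalledOn
            PollingAtRisk    = ($found.Count -gt 0)
        }
    }
}

Get-FssoPollingImpact | Format-Table -AutoSize
```

Any DC reported with PollingAtRisk set to True will fail agentless polling from a FortiGate older than the fixed builds listed above, so that FortiGate needs either the fixed FortiOS release or a collector agent.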

Tukan

Hi All,

 

I see we are not the only ones stuck with this issue. Since neither 6.2.10 nor 6.4.7 is released yet, would anybody on the forum here know the release date for 6.2.10 (for the 400E)? I need to know what to say to the customer. I don't want to go back to the FSSO agent :(

 

Many Thanks,

 

xsilver_FTNT

Tukan wrote:

I don't want to go back to the FSSO agent :(

 

Why not?

To be honest, for a small company with just a few users (<20) it might be OK to use direct polling from the FGT.

But for anything bigger, more serious, or with a higher logon rate I would definitely go for a standalone Collector Agent.

Because it seems to me the better solution, as:

- it has no issue, as it is part of a domain member machine

- DNS and data about workstations are resolved locally on the machine (while you still have the option of alternative DNS servers)

- it has its own resources and does not add extra load on FGT RAM/CPU, so the FW can do firewalling and not babysitting/gathering of the user data

- scalable and resilient, while the only resiliency on the FGT is HA

- various user data gathering methods and logging, not just hardcoded WinSec

- various timers for how to handle logons, like dead entries etc., where the FGT has just a polling interval AFAIK

- LDAP cache management

- free of charge

 

If I'd sort SSO solutions by preference:

1. FAC (FortiAuthenticator) + FortiClient SSOMA (FAC is a paid solution and you'd need a license for SSOMA, but that's the best solution IMHO, where you can get the most accurate SSO data)

2. FAC SSO .. no SSOMA agents on workstations, but still a VERY versatile collector inside FAC

3. standalone Collector Agent .. and methods by preference: 1. WinSec+WMA 2. WinSec 3. DCAgents .. the rest, like NetAPI, is legacy.

4. FGT .. and I would opt for RSSO if possible and use FSSO direct polling as a last resort.

 

So in short, a standalone collector is a pretty good and stable solution (free of charge, no licenses, no extra HW/VM). The best solution for no extra money.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer

Tukan

Hi XSilver,

 

The problem was that we wanted to reduce costs, which were repeated (and not paid for by the client) after we had to upgrade each DC agent on multiple sites to match the firewall OS version. We have a habit of upgrading FortiOS to the latest stable release when we can, for security reasons, with pretty much all clients, and worrying about DCAgent updates led to the decision to go LDAP agentless. The idea was that only the FortiGate upgrade needs to happen, no more. That is why we decided to use LDAP. The site has more than 20 users, but we have had no issues with the accuracy of LDAP agentless until now. I do understand your points, but we will stick to agentless until we run into a requirement it cannot fulfil.

 

To supplement your info, this is what I got from TAC today. The info might be handy for some techs here:

The releases are planned (!) for:

- 6.4.7: beginning of September

- 7.0.2: beginning of October

- 6.2.10: beginning of November

Please keep in mind that these are planned only; the releases could be delayed.

 

Good luck,

 

 

TecnetRuss

FortiOS 6.4.7 has been released and includes the Polling fix: FortiOS Release Notes | FortiGate / FortiOS 6.4.7 | Fortinet Documentation Library

 

725056

FSSO local poller fails after recent Microsoft Windows update ( KB5003646, KB5003638, ...).

 

Note however that there's another Polling issue still listed under Known issues:

 

722234

FSSO AD polling mode connector does not work with LDAPS.

 

Russ

NSE7

xsilver_FTNT

Thanks for the reminder about FOS 6.4.7.

The list of fixed versions of FortiOS and FortiAuthenticator is in my post from 13th August.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer

xsilver_FTNT

Tukan wrote:

The problem was that we wanted to reduce costs, which were repeated (and not paid for by the client) after we had to upgrade each DC agent on multiple sites to match the firewall OS version.

I was reading some older posts and this quite common misunderstanding caught my attention.

 

If there is a FortiGate (FGT for short) talking via the FSSO protocol to some Collector Agent (multiple FGTs and multiple Collectors are possible), then it is suggested that their versions roughly match.

Which means that if you had FGT version 5 or 6, you should have a Collector of version 5 at least (4.3 collectors "died" with FortiOS 4.3 years ago).

If you nowadays have FGT version 6 or the freshly released 7.x, then you can still use a Collector of version 5.

 

Think about it in terms of interoperability, as if the Collector were for example a RADIUS or LDAP server.

Yes, the Collector does evolve over time, as the FSSO protocol also evolves.

But FortiOS and Collector agents are independent entities!

 

And so, generally speaking, ANY FortiOS 5.x and above can talk to ANY Collector running a 5.x version, and no problems are expected.

 

Yes, the FortiOS Release Notes do contain an interoperability section, and the FSSO version is mentioned there. But that is the latest tested version (as FortiOS and FSSO are usually released together). It is also a fully supported version. However, it does not mean that older versions will not work.

 

What is more important is to keep the Collector and agents on the same version!

Those FSSO elements interact more often and carry more info between each other.

Communication towards the FGT is more standardized and has been more or less the same for years. The only differences coming in are new features like FortiNAC or FortiEMS tags being delivered to the FGT over FSSO.

But if you do not need those features, or you run an older version of the Collector, it will simply not offer that single particular feature to the FGT.

Anything else, and older, is supposed to work as before.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer
