Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
daveteoh
New Contributor

Single sign-on and LDAP Server Problem

Dear all Gurus, I need your help urgently. I'm currently doing testing on single sign-on with the company domain Active Directory. What I did:

Step 1) Installed FSSO DC agent in the domain AD server.
Step 2) Configured a LDAP server to point to the AD server (User & Devices -> Authentication -> LDAP Server).
Step 3) Created a Single Sign-On by entering the server IP and password (User & Devices -> Authentication -> Single Sign-On).

The mistake when I was creating the single sign-on is that I pointed the remote LDAP server to the LDAP server I created in Step 2. The problem comes after this: when I access the Single Sign-On page, it just keeps loading and shows nothing, even after I restart the device. I tried to delete the LDAP server I created but the delete option is greyed out. I just realized that I don't have to configure the LDAP Server settings to let the single sign-on work with the DC agent. I wanted to reconfigure the single sign-on but I can't do it since it just keeps loading without showing anything. Anyone here experienced this before and can help me? Really appreciate it. Regards, Dave Teoh
Warren_Olson_FTNT

Hey Dave, which "Single sign-on page" are you referring to? If you are truly using SSO you won't be prompted for any manual authentication; it may be you're in the middle of configuring firewall authentication instead of SSO?
daveteoh

Hi Warren, the single sign-on page I mean is the FortiGate GUI (User & Devices -> Authentication -> Single Sign-On). It keeps loading without showing anything. Any clues how to resolve this? Or is there any way I can delete the single sign-on settings and LDAP server settings through the CLI?
billp
Contributor

Dave, it sounds like you are almost there. In general, if the FortiGate doesn't allow you to delete an option, it means that it's referenced somewhere else in the config. If you tried to delete the LDAP server from the LDAP menu, it would be grayed out because you've referenced it in the Single Sign-On section. You have to keep going back until you reach the original reference to the object. In your case, I'm guessing it could be tied to an FSSO User group. If you haven't already downloaded it, you might want to look at the Fortinet cookbook: http://docs.fortinet.com/d/fortigate-the-fortigate-cookbook-5.0.5 Page 267 has a section called "Providing Single Sign-On for a Windows AD Network with Fortigate." That should give you the general procedure and help with the troubleshooting. And, you're right. You don't need the LDAP server referenced in the Single Sign-On page. That's just for organizations that have an LDAP server separate from their AD server.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
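The reference chain Bill describes (user group -> FSSO agent -> LDAP server) can be unwound from the FortiOS CLI, which also answers Dave's question about deleting the objects without the GUI. This is an added example, not from the thread; the object names "AD-LDAP", "FSSO-DC" and "FSSO-Users" are assumed placeholders, and the `diagnose sys checkused` reference lookup is assumed to be available in your release.

```fortios
# Added example. Replace the placeholder names with the ones
# listed by "show user ldap", "show user fsso" and "show user group".

# 1) Ask the unit which tables still reference the LDAP object
#    (assumed available; output format varies by release).
diagnose sys checkused user.ldap.name "AD-LDAP"

# 2) Start at the top of the chain: the FSSO user group references
#    the FSSO agent. Drop the member, or delete the group if unused.
config user group
    edit "FSSO-Users"
        unset member
    next
end

# 3) With a DC agent supplying group membership, the FSSO agent does
#    not need the LDAP server, so remove only that reference.
config user fsso
    edit "FSSO-DC"
        unset ldap-server
    next
end

# 4) The LDAP object is now unreferenced and the delete is accepted.
config user ldap
    delete "AD-LDAP"
end

# 5) Verify the remaining agent config and its connection to the DC agent.
show user fsso
diagnose debug authd fsso server-status
```

If step 1 reports a firewall policy referencing the group, clear that policy's group setting first; the unit refuses the delete for the same reason the GUI greys out the option.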
daveteoh
New Contributor

Thanks Bill and Warren, I managed to resolve this by removing the LDAP server and single sign-on profile. I'm now able to FSSO with the DC agent!