It sounds like you have a policy set up to only allow Internet based on a successful FSSO authenticated user?
We have had mixed results with FSSO...usually it works, but I have mostly tried to avoid anything mission critical relying on it. When it has failed on us (i.e. drops a previously authenticated user as you've described), having them log out of Windows and log back in seemed to do the trick (since our FSSO connector is relying on the AD domain controller agents).
Unfortunately I am not experienced enough with FSSO to offer other troubleshooting suggestions though.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.