If I got that correctly, then:
- credentials work OK when logging in to the DC directly
- those same credentials also work OK when used against the first DC as a Windows Event Log Source
- however, if those same credentials are used against the second DC, the account gets locked
So I would start with the WinSec log to see if there is any reason for the account lock.
What are the lockout policies in the domain? Maybe it is locked due to too many logon events .. just an idea, as polling happens every 10 seconds.
On FortiAuthenticator (FAC hereinafter) check Monitor ..
- what is the known structure in Domains?
- is the status on Windows Event Log Sources "connected" and is the Event Counter ticking?
- are there SSO Sessions with Source = Eventlog Polling?
In "Fortinet SSO Methods / SSO / Windows Event Log Sources" I would suggest having one source with Priority set to Primary, and the others as Secondary. The primary one will be used unless it fails to deliver results, and then the secondary will be used.
If there is a Remote Auth. Server / LDAP with "Windows Active Directory Domain Authentication" enabled, then I would check the monitor and how many DCs the FAC actually sees. There is a domain management daemon inside doing domain discovery and selecting the best connected DC to talk to, unless you set SSO / General / "Restrict auto-discovered domain controllers to configured Windows event log sources and remote LDAP servers" to enabled, which restricts domain controller usage strictly to the preconfigured sources.
Tom xSilver, planet Earth, over and out!
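An added example, not part of the post above or of Fortinet's documentation, of pulling the evidence the reply asks for from the Windows side: the domain lockout policy, the 4740 lockout events with their caller computer, and the per-poll authentication failures on the DC that locks the account. It assumes the ActiveDirectory RSAT module is installed and uses `svc-fac` as a hypothetical name for the FAC polling account.

```powershell
# Added example (not from the original post). Run on the DC that locks the account.
# Assumptions: ActiveDirectory module available; $Account is the FAC polling account.
Import-Module ActiveDirectory
$Account = 'svc-fac'   # hypothetical sAMAccountName of the FAC service account
$Since   = (Get-Date).AddHours(-24)

# 1. Lockout policy: compare LockoutThreshold/ObservationWindow with a source that
#    authenticates every 10 seconds, as described in the reply.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

# 2. Lockout events (4740) are always recorded on the PDC emulator. In 4740 the
#    second EventData field carries the "Caller Computer Name", i.e. the host whose
#    bad logons caused the lock (the FAC itself, or a DC relaying for it).
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $Account } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Caller = $_.Properties[1].Value   # Caller Computer Name
        }
    }

# 3. Kerberos pre-auth failures (4771) and NTLM credential-validation failures (4776)
#    for the account on this DC. A failure every ~10 seconds points at the polling
#    source itself (wrong or stale credential), not at an interactive user.
Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Account) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Source'; e = { ($_.Message -split "`n" |
              Select-String 'Client Address|Source Workstation') -join ' ' } } |
    Sort-Object TimeCreated
```

If section 3 shows failures from the FAC's address only against the second DC, the stored credential for that Windows Event Log Source (or the DC the auto-discovery picked) is the thing to compare, not the account itself.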