Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Weird Behavior Adding Windows Event Log Sources

Running a pair of 200E's in HA and acting as our only collector for FSSO.  We have to remove all our dsagents off our DC's due to a conflict with AuthLite that needs access to the same registry key as dsagent.  So I'm going with a combination of Windows Event Log Source polling and FortiClient MSA.  Creating event log polling is giving me some trouble.  I create a new source pointing to a DC and that works with a service account with correct permissions.  It starts reading the logs and working properly.


However as soon as I add another source (a different DC) but using the same credentials that account gets immediately locked out.  Before you ask, this is not related to the new Microsoft patch  KB5003638 - we are holding off on that.  This is truly bizarre.  In order for my first source not to stop working I have to unlock the account and delete the new source.  My next step is to create a service account related to each DC and see if that works - but that isn't a terrific solution.  I'm running 6.0.2 so I know it's a little old.  Planning on updating over the weekend, just in case.  Did open a TAC case but no joy yet.  Any ideas appreciated.

New Contributor III

As a follow-up.  I just tried my second log source with a second service account and that account got locked within about 5 seconds.  I had validated the credentials by logging into a system with them, so they're good.  All I can think is that the credentials are getting corrupted inside FAC or in transit to the DC.  How would you even begin to troubleshoot that?  You won't see those creds in any packet capture!  


If I got that correctly then:

- credentials are working OK when logged to DC directly

- those same credentials work also OK when used against first DC as Windows Event Log Source

- however if those same credentials are used against second DC, then account get's locked


So I would start on WinSec log to see if there is any reason for account lock.

What are lockout policies in domain. Maybe it is locked due to too many logon events .. just idea, as polling does happen every 10 seconds.


On FortiAuthenticator (FAC hereinafter) check Monitor .. - what is known structure in Domains ? - connected status on Windows Event Log Sources and Event Counter ticking ?

- are there SSO Sessions with Source = Eventlog Polling ?


In "Fortinet SSO Methods / SSO / Windows Event Log Sources" I would suggest to have one source with Priority set to Primary, and others as Secondary. Primary one will be used unless it fails to deliver results and then secondary will be used.

If there is Remote Auth. Server / LDAP with "Windows Active Directory Domain Authentication" enabled, then I would check monitor and how many DCs FAC actually see. Because there is domain management daemon inside doing domain discovery and selecting best connected DC to talk to, unless you set SSO /General / "Restrict auto-discovered domain controllers to configured Windows event log sources and remote LDAP servers" to enabled, to actually restrict domain controllers usage strictly to preconfigured sources.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


Thanks for your reply.  Working with TAC we concluded that the FAC likely had some sort of db issues and that a firmware update might correct the problem.  It did fix it and it's working correctly now.  


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors