Running a pair of 200E's in HA and acting as our only collector for FSSO. We have to remove all our dsagents off our DC's due to a conflict with AuthLite that needs access to the same registry key as dsagent. So I'm going with a combination of Windows Event Log Source polling and FortiClient MSA. Creating event log polling is giving me some trouble. I create a new source pointing to a DC and that works with a service account with correct permissions. It starts reading the logs and working properly.
However as soon as I add another source (a different DC) but using the same credentials that account gets immediately locked out. Before you ask, this is not related to the new Microsoft patch KB5003638 - we are holding off on that. This is truly bizarre. In order for my first source not to stop working I have to unlock the account and delete the new source. My next step is to create a service account related to each DC and see if that works - but that isn't a terrific solution. I'm running 6.0.2 so I know it's a little old. Planning on updating over the weekend, just in case. Did open a TAC case but no joy yet. Any ideas appreciated.
As a follow-up. I just tried my second log source with a second service account and that account got locked within about 5 seconds. I had validated the credentials by logging into a system with them, so they're good. All I can think is that the credentials are getting corrupted inside FAC or in transit to the DC. How would you even begin to troubleshoot that? You won't see those creds in any packet capture!
- credentials are working OK when logged to DC directly
- those same credentials work also OK when used against first DC as Windows Event Log Source
- however if those same credentials are used against second DC, then account get's locked
So I would start on WinSec log to see if there is any reason for account lock.
What are lockout policies in domain. Maybe it is locked due to too many logon events .. just idea, as polling does happen every 10 seconds.
On FortiAuthenticator (FAC hereinafter) check Monitor ..
- what is known structure in Domains ?
- connected status on Windows Event Log Sources and Event Counter ticking ?
- are there SSO Sessions with Source = Eventlog Polling ?
In "Fortinet SSO Methods / SSO / Windows Event Log Sources" I would suggest to have one source with Priority set to Primary, and others as Secondary. Primary one will be used unless it fails to deliver results and then secondary will be used.
If there is Remote Auth. Server / LDAP with "Windows Active Directory Domain Authentication" enabled, then I would check monitor and how many DCs FAC actually see. Because there is domain management daemon inside doing domain discovery and selecting best connected DC to talk to, unless you set SSO /General / "Restrict auto-discovered domain controllers to configured Windows event log sources and remote LDAP servers" to enabled, to actually restrict domain controllers usage strictly to preconfigured sources.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.