Dear All,
I am setting a test policy that required FSSO AD authentication.
I have done the following successfully
1) LDAP Server created successfully and test was success 2) Single Sign-On Created sucessfully with status connected. 3) FSSO using DC-Agent is installed successfully in my DC
verified from CLI
[FORTIGATE] # diag deb auth fsso server-status [FORTIGATE] # Server Name Connection Status Version ----------- ----------------- ------- FORTINET_AGENT1 connected FSSO 5.0.0241
but when i do the following :
[FORTIGATE] # diag deb auth fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----
it seems to me that the FSSO agent is not working successfully
i verified the data of the logon users in FSSO Agent i can retrieve a list of AD users that is logon in my environment.
i double checked all the steps and configuration. everything is as per specified in official guide.
what went wrong here ?
any pointer ?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Dear Ludwig, please consider this case solved (at leased for me). as i have finally discovered the root cause of the problem. it is the directory access mode. the default setting is "basic" which is in [domain]\[username] format however my firewall 5.2.4 firmware the directory access mode is the advance mode by default which is in this format CN=Users,DC=[DOMAIN_NAME] format. after changing the method to advance, the logons are all displayed successfully in my firewall
hi summercoke,
i use a fortigate 100D active-passiv cluster (Firmware v5.2.5,build701) where i enabled the SSO Authentication via Eventlogging polling (i fallowed this video: http://video.fortinet.com/video/88/setup-fortinet-single-sign-on-fsso-in-polling-mode-fortios-v5-0) and now i have excact the same problem.
at first everything was working fine but then i changed the SSO Agent IP Adress to the DNS-Name of the DC (at the firewall configuration) and so the problem (that no new user information comes to the firewall) occurs.
at the DC the Collector Agent has all logon/logoff events in his logfile.
I did the same diagnose (http://docs.fortinet.com/uploaded/files/1044/fortigate-troubleshooting-40-mr3.pdf) :
ip17-17-FortiGate-100D # diagnose debug authd fsso server-status Server Name Connection Status Version ----------- ----------------- ------- vm322 connected FSSO 5.0.0242
ip17-17-FortiGate-100D # diagnose debug authd fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----
(not sure if this command is appropriate in this case) ip17-17-FortiGate-100D # diag debug fsso-polling detail fsso daemon is not running
at the DC i found this error in C:\Program Files (x86)\Fortinet\FSAE\CollectorAgent.log: "01/14/2016 16:04:13 [ 5372] error prase file header:C:\Program Files (x86)\Fortinet\FSAE\TSAgentSyncID.dat"
i didn't found a solution for the problem. did you? anyone? :)
Greetings from Austria
Ludwig
from my research and reading thus far .... all advise is against the use of polling method and use FSSO Agent and DC agent installed in every single DC.
i already done that still same problem persists. no reading in user manual or guide have extensive info in troubleshooting using CLI ...
i guessed it is something go to do with NTLM authentication perhaps ... but even I set it in policy that required user identity the problem still persists.
the web pages just stuck, nothing is capture in traffic log, not even blocked message.
Dear Ludwig, please consider this case solved (at leased for me). as i have finally discovered the root cause of the problem. it is the directory access mode. the default setting is "basic" which is in [domain]\[username] format however my firewall 5.2.4 firmware the directory access mode is the advance mode by default which is in this format CN=Users,DC=[DOMAIN_NAME] format. after changing the method to advance, the logons are all displayed successfully in my firewall
Dear summercoke,
i had the same problem. afer changingthe directory access mode vom basic to advanced i see the usernames on the firewall again :)
thank you for the resolution!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.