- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- traffic log cannot display user id in FSSO
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
traffic log cannot display user id in FSSO
Dear All,
I am setting a test policy that required FSSO AD authentication.
I have done the following successfully
1) LDAP Server created successfully and test was success 2) Single Sign-On Created sucessfully with status connected. 3) FSSO using DC-Agent is installed successfully in my DC
verified from CLI
[FORTIGATE] # diag deb auth fsso server-status [FORTIGATE] # Server Name Connection Status Version ----------- ----------------- ------- FORTINET_AGENT1 connected FSSO 5.0.0241
but when i do the following :
[FORTIGATE] # diag deb auth fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----
it seems to me that the FSSO agent is not working successfully
i verified the data of the logon users in FSSO Agent i can retrieve a list of AD users that is logon in my environment.
i double checked all the steps and configuration. everything is as per specified in official guide.
what went wrong here ?
any pointer ?
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Ludwig, please consider this case solved (at leased for me). as i have finally discovered the root cause of the problem. it is the directory access mode. the default setting is "basic" which is in [domain]\[username] format however my firewall 5.2.4 firmware the directory access mode is the advance mode by default which is in this format CN=Users,DC=[DOMAIN_NAME] format. after changing the method to advance, the logons are all displayed successfully in my firewall
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi summercoke,
i use a fortigate 100D active-passiv cluster (Firmware v5.2.5,build701) where i enabled the SSO Authentication via Eventlogging polling (i fallowed this video: http://video.fortinet.com/video/88/setup-fortinet-single-sign-on-fsso-in-polling-mode-fortios-v5-0) and now i have excact the same problem.
at first everything was working fine but then i changed the SSO Agent IP Adress to the DNS-Name of the DC (at the firewall configuration) and so the problem (that no new user information comes to the firewall) occurs.
at the DC the Collector Agent has all logon/logoff events in his logfile.
I did the same diagnose (http://docs.fortinet.com/uploaded/files/1044/fortigate-troubleshooting-40-mr3.pdf) :
ip17-17-FortiGate-100D # diagnose debug authd fsso server-status Server Name Connection Status Version ----------- ----------------- ------- vm322 connected FSSO 5.0.0242
ip17-17-FortiGate-100D # diagnose debug authd fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----
(not sure if this command is appropriate in this case) ip17-17-FortiGate-100D # diag debug fsso-polling detail fsso daemon is not running
at the DC i found this error in C:\Program Files (x86)\Fortinet\FSAE\CollectorAgent.log: "01/14/2016 16:04:13 [ 5372] error prase file header:C:\Program Files (x86)\Fortinet\FSAE\TSAgentSyncID.dat"
i didn't found a solution for the problem. did you? anyone? :)
Greetings from Austria
Ludwig
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
from my research and reading thus far .... all advise is against the use of polling method and use FSSO Agent and DC agent installed in every single DC.
i already done that still same problem persists. no reading in user manual or guide have extensive info in troubleshooting using CLI ...
i guessed it is something go to do with NTLM authentication perhaps ... but even I set it in policy that required user identity the problem still persists.
the web pages just stuck, nothing is capture in traffic log, not even blocked message.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Ludwig, please consider this case solved (at leased for me). as i have finally discovered the root cause of the problem. it is the directory access mode. the default setting is "basic" which is in [domain]\[username] format however my firewall 5.2.4 firmware the directory access mode is the advance mode by default which is in this format CN=Users,DC=[DOMAIN_NAME] format. after changing the method to advance, the logons are all displayed successfully in my firewall
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear summercoke,
i had the same problem. afer changingthe directory access mode vom basic to advanced i see the usernames on the firewall again :)
thank you for the resolution!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- How do I avoid using default... 40 Views
- SSH to Vdom Link IP Address 133 Views
- Unable to route public IP into... 46 Views
- which ISDB to use for Office... 73 Views
- Group multiple IPsec tunnels as a... 125 Views
Labels
-
FortiGate
7,123 -
FortiClient
1,405 -
5.2
801 -
5.4
639 -
FortiManager
616 -
FortiAnalyzer
453 -
6.0
416 -
FortiAP
373 -
FortiSwitch
369 -
5.6
362 -
FortiClient EMS
290 -
FortiMail
280 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
126 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
101 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
72 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
38 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
Routing
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
NAT
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
OSPF
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Web rating
4 -
FortiDeceptor
3 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1059 | |
| 882 | |
| 523 | |
| 441 | |
| 147 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.