Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
summercoke
New Contributor II

traffic log cannot display user id in FSSO

Dear All,

I am setting a test policy that required FSSO AD authentication.

I have done the following successfully

1) LDAP Server created successfully and test was success 2) Single Sign-On Created sucessfully with status connected. 3) FSSO using DC-Agent is installed successfully in my DC

verified from CLI

[FORTIGATE] # diag deb auth fsso server-status [FORTIGATE] # Server Name Connection Status Version ----------- ----------------- ------- FORTINET_AGENT1 connected FSSO 5.0.0241

but when i do the following :

[FORTIGATE] # diag deb auth fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----

it seems to me that the FSSO agent is not working successfully

i verified the data of the logon users in FSSO Agent i can retrieve a list of AD users that is logon in my environment.

i double checked all the steps and configuration. everything is as per specified in official guide.

what went wrong here ?

any pointer ?

1 Solution
summercoke
New Contributor II

Dear Ludwig,  please consider this case solved (at leased for me).  as i have finally discovered the root cause of the problem.  it is the directory access mode.  the default setting is "basic" which is in [domain]\[username] format however my firewall 5.2.4 firmware the directory access mode is the advance mode by default which is in this format CN=Users,DC=[DOMAIN_NAME] format.  after changing the method to advance, the logons are all displayed successfully in my firewall

View solution in original post

4 REPLIES 4
it9
New Contributor

hi summercoke, 

 

i use a fortigate 100D active-passiv cluster (Firmware v5.2.5,build701) where i enabled the SSO Authentication via Eventlogging polling (i fallowed this video: http://video.fortinet.com/video/88/setup-fortinet-single-sign-on-fsso-in-polling-mode-fortios-v5-0) and now i have excact the same problem.

 

at first everything was working fine but then i changed the SSO Agent IP Adress to the DNS-Name of the DC (at the firewall configuration) and so the problem (that no new user information comes to the firewall) occurs. 

at the DC the Collector Agent has all logon/logoff events in his logfile. 

 

I did the same diagnose (http://docs.fortinet.com/uploaded/files/1044/fortigate-troubleshooting-40-mr3.pdf) :

 

ip17-17-FortiGate-100D # diagnose debug authd fsso server-status Server Name Connection Status Version ----------- ----------------- ------- vm322 connected FSSO 5.0.0242

 

ip17-17-FortiGate-100D # diagnose debug authd fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----

 

 

(not sure if this command is appropriate in this case) ip17-17-FortiGate-100D # diag debug fsso-polling detail fsso daemon is not running

 

 

at the DC i found this error in C:\Program Files (x86)\Fortinet\FSAE\CollectorAgent.log: "01/14/2016 16:04:13 [ 5372] error prase file header:C:\Program Files (x86)\Fortinet\FSAE\TSAgentSyncID.dat"

 

i didn't found a solution for the problem. did you? anyone? :)

 

Greetings from Austria

Ludwig

summercoke
New Contributor II

from my research and reading thus far .... all advise is against the use of polling method and use FSSO Agent and DC agent installed in every single DC. 

 

i already done that still same problem persists. no reading in user manual or guide have extensive info in troubleshooting using CLI ... 

 

i guessed it is something go to do with NTLM authentication perhaps ... but even I set it in policy that required user identity the problem still persists. 

 

the web pages just stuck, nothing is capture in traffic log, not even blocked message. 

summercoke
New Contributor II

Dear Ludwig,  please consider this case solved (at leased for me).  as i have finally discovered the root cause of the problem.  it is the directory access mode.  the default setting is "basic" which is in [domain]\[username] format however my firewall 5.2.4 firmware the directory access mode is the advance mode by default which is in this format CN=Users,DC=[DOMAIN_NAME] format.  after changing the method to advance, the logons are all displayed successfully in my firewall

it9
New Contributor

Dear summercoke, 

 

i had the same problem. afer changingthe directory access mode vom basic to advanced i see the usernames on the firewall again :)

 

thank you for the resolution!

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors