SFW
New Contributor

user authentication in agentless

Hi Friends,

I need some help and I hope you all will assist me.

I have a problem with a FortiGate firewall. I’m using FSSO (Fortinet Single Sign-On) in agentless mode to communicate with the Active Directory (AD) server for user authentication.

The AD server is located at the data center (DC), and the users are located at branch offices.

Note:

  • LDAP connection status is up

  • IPsec tunnel is up

  • SD-WAN is also properly established

But the problem is:
Users are not being authenticated properly. Sometimes they get authenticated, but within seconds or minutes, they become unauthenticated again.

I have already checked the AD connection from the branch firewall, and communication is working (SYN-ACK is happening), but still, there’s a problem with authentication.

To resolve this temporarily, I have to restart the user’s system repeatedly.
Due to company policies, I cannot use agent-based authentication.

Please help me with a solution.

[Attached screenshot: Screenshot 2025-08-13 153048.png]

AEK
SuperUser

Hi SFW

Not to share bad news, but I had no good experience with agentless FSSO. I don't know if it worked well for someone, but for me it is almost useless.

The good news is that there is a method called "Collector Agent Mode" that works very well without the need to install anything on the DC.

It just requires configuring a service account with some privileges:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-a-Fortinet-Single-Sign-On-Agen...

AEK
SFW
New Contributor

Dear Fortinet team,
Can you please suggest a solution to the above issue?
Looking forward to your response.

Thanks

Debbie_FTNT

Dear SFW,

As AEK already mentioned above, the agentless setup with FortiGate polling can be finicky and is rather limited in functionality, so it may never work the way you are looking to set it up.

I'm uncertain why users would be removed after a moment; based on the timestamp, it seems to be 60 seconds. Are users always removed after 60 seconds? If yes, it may be some kind of timeout on FortiGate. Did you have a look at a configuration backup of your FortiGate to see if any specific timeouts are defined?

Aside from that, you mentioned that "Due to company policies, I cannot use agent-based authentication."

-> does this mean you cannot install agents on domain controllers, or agents in general?

-> because if the issue is with installation on domain controllers, as AEK already mentioned, that is in fact not necessary; you can install a Collector Agent on ANY domain-joined host, though it will need permissions similar to FortiGate's to access the event logs on domain controllers and read the logon events.

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
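Debbie's suggestion to look through a configuration backup for timeouts can be automated. The script below is an added example, not code from the thread or from Fortinet: it parses the nested `config`/`edit`/`set`/`next`/`end` structure of a FortiOS-style backup and lists every timer-like setting. The block names `user setting` and `user fsso-polling`, the keys `auth-timeout` (assumed to be in minutes) and `polling-frequency`, and the sample backup text are this example's own assumptions, not values taken from the post.

```python
import re

# Constructed sample of a FortiOS-style configuration backup excerpt (not
# from the thread). Block names, keys and values are this example's
# assumptions about FortiOS syntax.
SAMPLE_BACKUP = """\
config user setting
    set auth-timeout 1
    set auth-timeout-type idle-timeout
end
config user fsso-polling
    edit 1
        set server "10.0.0.5"
        set polling-frequency 10
    next
end
"""

def parse_fortios_blocks(text):
    """Map each 'config'/'edit' scope path to its 'set' key/value pairs.

    Scopes open with config/edit and close with next/end; values are
    returned as raw strings with surrounding quotes removed."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append("edit " + line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set ") and stack:
            parts = line.split(None, 2)
            key = parts[1]
            value = parts[2].strip('"') if len(parts) > 2 else ""
            blocks.setdefault("/".join(stack), {})[key] = value
    return blocks

def find_timer_settings(blocks):
    """List every (scope, key, value) whose key looks like a timer."""
    pattern = re.compile(r"timeout|polling|interval", re.IGNORECASE)
    return [(scope, k, v) for scope, kv in blocks.items()
            for k, v in kv.items() if pattern.search(k)]

def short_auth_timeouts(blocks, max_minutes=5):
    """Flag auth-timeout values (assumed minutes) at or below max_minutes;
    a value of 1 would match the roughly 60-second removal in the thread."""
    return [(scope, int(kv["auth-timeout"])) for scope, kv in blocks.items()
            if kv.get("auth-timeout", "").isdigit()
            and int(kv["auth-timeout"]) <= max_minutes]

if __name__ == "__main__":
    cfg = parse_fortios_blocks(SAMPLE_BACKUP)
    for finding in find_timer_settings(cfg):
        print("timer setting:", finding)
    print("short auth-timeouts:", short_auth_timeouts(cfg))
```

Feed it the text of a real backup in place of the constructed sample to see which scopes carry timer settings worth comparing against the observed 60-second removal.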