Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mahindraholidays
New Contributor

user kickout for customer diag

Hi,

 

In recent days, we have been facing an authentication issue for some of our users. We use NTLM and FSSO-based authentication on our network. Whenever a user connects to the network, the computer hostname shows instead of their username on the Firewall User Monitor. When I checked the logs, I found the following error: "user kickout for customer diag". The error is attached for your reference. Please help us resolve the issue.

Best Regards,

MHRIL

 

[attachment: Authentication Error.PNG]

 

 

Anthony_E
Community Manager

Hello MHRIL,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,

 

Could you please have a look at this KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-cases-for-diagnose-traffictest-command...

 

Tell us if it is helpful. If not, we will continue to look for an answer.

 

Regards,

Anthony-Fortinet Community Team.
Mahindraholidays

Hi Anthony,

 

Thanks for the Support but this KB is not helping us.

 

Regards,

MHRIL

pminarik
Staff

Can you please check what's the source of the session with the hostname? Check the "method" column in Firewall User Monitor dashboard/widget.

It should not be FSSO, but it's still a possibility (in which case some reconfiguration of the collector would be desirable to avoid computer-account-based sessions).

It's most likely NTLM, in which case I have a couple of follow-up questions:

1, How are you doing NTLM? Through FSSO Collector, or directly from the FortiGate?
If directly via FortiGate, you should have something configured in "config user domain-controller". Please check and confirm.

 

2, If doing it from the FortiGate, please also review the LDAP configuration:
config user ldap
    edit <relevant LDAP object name>
        show
end

=> What are account-key-filter and account-key-processing set to? (if these properties show at all with "show")

[ corrections always welcome ]
Mahindraholidays

Hi pminarik,

 

Thanks for the Support. I have checked everything as per your suggestion and attached some snaps for your reference.

 

1, How are you doing NTLM? Through FSSO Collector, or directly from the FortiGate?

Through FSSO Collector.


2, If doing it from the FortiGate, please also review the LDAP configuration:

We have two setups (DC and DR). The issue has occurred on the DC firewall; I verified the LDAP config against the DR firewall config, and the LDAP config looks fine.

 

[attachment: Firewall User Monitor.png]

The first three usernames are taken as the hostname (computer name) instead of the user ID.

The fourth one is working fine; there it is taken as a user ID.

 

Regards,

MHRIL

pminarik

I have to admit that I do not recall if the Collector auto-filters NTLM requests for computer accounts. However, FortiGate does (or at least used to) consider positive NTLM responses from the Collector with no groups as a failure and ignores them. Can you check if the computer sessions have any group membership attached to them?


This needs to be done with the FSSO-specific CLI command (the attached screenshot will not tell you):

diag debug authd fsso list
Find the relevant client IP, confirm that it still points to a computer account, and check if it has any group membership shown.

 

[ corrections always welcome ]
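The check pminarik describes (find the client IP in the FSSO table, confirm whether it points at a computer account, and see whether any groups are attached) is easy to do by eye for one host but tedious for a whole site. The script below is an added example, not code from this thread or from Fortinet: it parses a saved copy of the `diagnose debug authd fsso list` output and flags logons bound to a computer account (sAMAccountName ending in `$`) or carrying no group membership. The line layout in `LOGON_RE`, the `+` separator between group DNs, and the sample block itself are assumptions constructed for the example; adjust the regex if your FortiOS release prints the fields differently.

```python
"""Triage helper for saved `diagnose debug authd fsso list` output (added example).

Flags FSSO logons that point at a computer account, or that carry no group
membership, which is the condition discussed in the thread above. The field
layout in LOGON_RE and the sample output are approximations constructed for
this example, not captured from any real FortiGate.
"""
import re
from dataclasses import dataclass


@dataclass
class FssoLogon:
    ip: str
    user: str
    groups: list
    workstation: str
    member_of: str

    @property
    def is_computer_account(self) -> bool:
        # AD computer accounts are named after the host with a trailing '$'.
        return self.user.endswith("$")


@dataclass
class Finding:
    ip: str
    user: str
    reason: str


# Assumed layout of one logon line (see module docstring).
LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)"
    r"\s+Workstation:\s*(?P<ws>\S*)(?:\s+MemberOf:\s*(?P<memberof>.*))?\s*$"
)

# Constructed sample output; hostnames, users and DNs are made up.
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 10.10.1.21  User: WS-FIN-017$  Groups:  Workstation: WS-FIN-017 MemberOf:
IP: 10.10.1.22  User: WS-FIN-018$  Groups: CN=DOMAIN COMPUTERS,CN=USERS,DC=CORP,DC=EXAMPLE  Workstation: WS-FIN-018 MemberOf:
IP: 10.10.1.30  User: jdoe  Groups: CN=FINANCE,OU=GROUPS,DC=CORP,DC=EXAMPLE+CN=VPN-USERS,OU=GROUPS,DC=CORP,DC=EXAMPLE  Workstation: WS-FIN-030 MemberOf: FINANCE
IP: 10.10.1.31  User: svc-backup  Groups:  Workstation: SRV-BK-01 MemberOf:
Total number of logons listed: 4, filtered: 0
----end of FSSO logons----
"""


def parse_fsso_list(text: str) -> list:
    """Return one FssoLogon per 'IP:' line; banner and totals lines are skipped."""
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue  # banner, totals line, or a layout we do not understand
        # Assumption: multiple group DNs are joined with '+' in this output.
        groups = [g.strip() for g in m.group("groups").split("+") if g.strip()]
        logons.append(FssoLogon(
            ip=m.group("ip"),
            user=m.group("user"),
            groups=groups,
            workstation=m.group("ws"),
            member_of=(m.group("memberof") or "").strip(),
        ))
    return logons


def find_suspect_logons(logons) -> list:
    """Flag logons that will show a hostname instead of a user, or be ignored."""
    findings = []
    for logon in logons:
        if logon.is_computer_account:
            findings.append(Finding(logon.ip, logon.user,
                "logon bound to a computer account; the collector should filter these"))
        elif not logon.groups:
            findings.append(Finding(logon.ip, logon.user,
                "logon has no group membership; FortiGate may discard it"))
    return findings


def triage(text: str) -> list:
    """Parse raw command output and return the suspect logons."""
    return find_suspect_logons(parse_fsso_list(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_FSSO_LIST):
        print(f"{f.ip:<15} {f.user:<14} {f.reason}")
```

Paste the real command output into a file and feed it to `triage()`; an IP that appears with a `$`-suffixed user is the case the poster is seeing (hostname instead of username), while a user entry with an empty `Groups:` field is the case pminarik says FortiGate treats as a failed lookup.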
Mahindraholidays

Hi pminarik,

 

Again thanks for your support. I have executed the given command and I got the below output

[attachment: DIAG.PNG]

I have checked that the user has a valid group. Whenever the issue occurs for a user, I manually deauthenticate that user from the Firewall User Monitor, after which the user is mapped to his group.

[attachment: Firewall User Monitor.png]

Regards,

MHRIL.

pminarik

Maybe I am misremembering and the "user" doesn't actually show in the FSSO table (it's been a while). In any case, I think you'd do best by continuing this in a TAC case. wad debugs and collector's debug logs will have to be reviewed to confirm what's happening. The behaviour might also need to be tested in a different version to check if it has changed.

[ corrections always welcome ]
Mahindraholidays

Hi pminarik,

 

Thanks for the Support. Will check with the TAC team and update the status.

 

Best Regards,

MHRIL.
