In recent days, we have been facing an authentication issue for some of the users. We are using NTLM and FSSO-based authentication on our network. Whenever a user is connected to the network, the computer hostname is shown instead of their username in the Firewall User Monitor. When I checked the logs, I found the following error (user kickout for customer diag). Attached is the error for your reference. Please help us to resolve the issue.
Can you please check what's the source of the session with the hostname? Check the "method" column in Firewall User Monitor dashboard/widget.
It should not be FSSO, but it's still a possibility. (in which case some reconfiguration of the collector would be desired to avoid computer-account-based sessions)
It's most likely NTLM, in which case I have a couple follow-up questions:
1. How are you doing NTLM? Through the FSSO Collector, or directly from the FortiGate? If directly via FortiGate, you should have something configured in "config user domain-controller". Please check and confirm.
2. If doing it from the FortiGate, please also review the LDAP configuration:
    config user ldap
    edit <relevant LDAP object name>
    show
=> What are account-key-filter and account-key-processing set to? (if these properties show at all with "show")
I have to admit that I do not recall if the Collector auto-filters NTLM requests for computer accounts. However, FortiGate does (or at least used to) consider positive NTLM responses from the Collector with no groups as a failure and ignores them. Can you check if the computer sessions have any group membership attached to them?
This needs to be done with the FSSO-specific CLI command (the attached screenshot will not tell you):
    diag debug authd fsso list
Find the relevant client IP, confirm that it still points to a computer account, and check if it has any group membership shown.
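As an added illustration (not part of the original thread, and not Fortinet code), here is a small Python script that does the two checks from the answer above over the output of `diag debug authd fsso list`: it finds the session for a given client IP, flags entries whose "User" is a computer account (AD computer account names end in `$`), and flags entries with an empty "Groups" field. The sample output embedded in it is constructed, and the exact field layout of the real command (IP / User / Groups / Workstation / MemberOf on one line per logon) is an assumption; adjust the regex if your firmware prints it differently.

```python
import re

# Constructed sample of `diag debug authd fsso list` output. The field names
# follow the real command as remembered; the values and exact spacing are
# invented for this example and are an assumption.
SAMPLE_FSSO_LIST = """----FSSO logons----
IP: 10.1.1.21  User: JDOE  Groups: CN=STAFF,OU=GROUPS,DC=CORP,DC=LOCAL  Workstation: WS-JDOE  MemberOf: STAFF
IP: 10.1.1.22  User: WS-ALICE$  Groups:   Workstation: WS-ALICE  MemberOf:
IP: 10.1.1.23  User: WS-BOB$  Groups: CN=DOMAIN COMPUTERS,CN=USERS,DC=CORP,DC=LOCAL  Workstation: WS-BOB  MemberOf: DOMAIN COMPUTERS
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
"""

# One logon entry per line. Groups is a DN (or several) and may be empty;
# the lazy .*? plus the following \s+Workstation: anchor keeps it from
# swallowing the rest of the line.
LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S*)\s+Groups:\s*(?P<groups>.*?)"
    r"\s+Workstation:\s*(?P<workstation>\S*)\s+MemberOf:\s*(?P<memberof>.*)$"
)


def parse_fsso_list(text):
    """Return a list of dicts, one per logon line; header/footer lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def find_session(text, ip):
    """Return the logon entry for a client IP, or None if the IP has no FSSO session."""
    for s in parse_fsso_list(text):
        if s["ip"] == ip:
            return s
    return None


def is_computer_account(user):
    """AD computer accounts (sAMAccountName) end in '$'; user accounts do not."""
    return user.endswith("$")


def find_suspect_sessions(text):
    """Flag sessions that are computer accounts or carry no group membership.

    Returns (ip, user, reason) tuples; a session can appear twice if both apply.
    """
    issues = []
    for s in parse_fsso_list(text):
        if is_computer_account(s["user"]):
            issues.append((s["ip"], s["user"], "computer account, not a user"))
        if not s["groups"].strip():
            issues.append((s["ip"], s["user"], "no group membership"))
    return issues


if __name__ == "__main__":
    for ip, user, reason in find_suspect_sessions(SAMPLE_FSSO_LIST):
        print(f"{ip:<12} {user:<12} {reason}")
```

Paste the real output of `diag debug authd fsso list` in place of the constructed sample (or read it from a file) and run the script; any line reported as "computer account" is the kind of entry the answer above suggests filtering at the Collector or via account-key-filter, and any "no group membership" line is one the FortiGate is expected to treat as a failed logon.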
Again, thanks for your support. I have executed the given command and got the output below.
I have checked that the user has a valid group. Whenever the issue occurs for a user, I manually deauthenticate that user from the Firewall User Monitor, after which the user is mapped with his group.
Maybe I am misremembering and the "user" doesn't actually show in the FSSO table (it's been a while). In any case, I think you'd do best by continuing this in a TAC case. wad debugs and collector's debug logs will have to be reviewed to confirm what's happening. The behaviour might also need to be tested in a different version to check if it has changed.