Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mahindraholidays
New Contributor

user kickout for customer diag

Hi,

 

In recent days, we are facing an authentication issue for some of the users. We are using NTLM and FSSO-based authentication on our network. Whenever a user is connected to a network computer hostname is showing instead of their username on the Firewall User Monitor. When I checked the logs, I found the following error (user kickout for customer diag). Attached is the error for your reference. So, Please help us to resolve the issue

 

FortiGate 


Best Regards,

MHRIL

 

Authentication Error.PNG

 

 

9 REPLIES 9
Anthony_E
Community Manager
Community Manager

Hello MHRIL,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello,

 

Could you please have a look at this KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-cases-for-diagnose-traffictest-command...

 

Tell us if it is helpful. If not, we will continue to look for an answer.

 

Regards,

Anthony-Fortinet Community Team.
Mahindraholidays

Hi Anthony,

 

Thanks for the Support but this KB is not helping us.

 

Regards,

MHRIL

pminarik
Staff
Staff

Can you please check what's the source of the session with the hostname? Check the "method" column in Firewall User Monitor dashboard/widget.

It should not be FSSO, but it's still a possibility. (in which case some reconfiguration of the collector would be desired to avoid computer-account-based sessions)

It's most likely NTLM, in which case I have a couple follow-up questions:

1, How are you doing NTLM? Through FSSO Collector, or directly from the FortiGate?
If directly via FortiGate, you should have something configured in "config user domain-controller". Please check and confirm.

 

2, If doing it from the FortiGate, please also review the LDAP configuration:
config user ldap

edit <relevant LDAP object name>
show

end

=> What are account-key-filter and account-key-processing set to? (if these properties show at all with "show")

[ corrections always welcome ]
Mahindraholidays

Hi pminarik,

 

Thanks for the Support. I have checked everything as per your suggestion and attached some snaps for your reference.

 

1, How are you doing NTLM? Through FSSO Collector, or directly from the FortiGate?

Through FSSO Collector.


2, If doing it from the FortiGate, please also review the LDAP configuration:

We have 2 Setups (DC and DR). Now the issue is occurred on DC Firewall and verified the LDAP config by using the DR Firewall Config and the LDAP config looks fine.

 

Firewall User Monitor.png

 

 

 

 

 

 

 

The 1st three usernames are taken as the hostname (Computer Name) instead of their User ID

The 4th one is working fine, there it is taking as a User ID.

 

Regards,

MHRIL

pminarik

I have to admit that I do not recall if the Collector auto-filters NTLM requests for computer accounts. However, FortiGate does (or at least used to) consider positive NTLM responses from the Collector with no groups as a failure and ignores them. Can you check if the computer-sessions have any group membership attached to them?


This needs to be done with the FSSO-specific CLI command (the attached screenshot will not tell you):

diag debug authd fsso list
Find the relevant client IP, confirm that it still points to a computer account, and check if it has any group membership shown.

 

[ corrections always welcome ]
Mahindraholidays

Hi pminarik,

 

Again thanks for your support. I have executed the given command and I got the below output

DIAG.PNG

 

 

 

 

I have checked that user has a valid group. Whenever the issue occurs for the users that time I manually deauthenticate that user from the Firewall User monitor after that the user is mapped with his group.

Firewall User Monitor.png

 

 

 

Regards,

MHRIL.

pminarik

Maybe I am misremembering and the "user" doesn't actually show in the FSSO table (it's been a while). In any case, I think you'd do best by continuing this in a TAC case. wad debugs and collector's debug logs will have to be reviewed to confirm what's happening. The behaviour might also need to be tested in a different version to check if it has changed.

[ corrections always welcome ]
Mahindraholidays

Hi pminarik,

 

Thanks for the Support. Will check with the TAC team and update the status.

 

Best Regards,

MHRIL.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors