Recommended steps: ------------------ A. Preparation A.1. What is used FSSO/FSAE version (Collector Agents, DCAgents) A.2. A copy of Collector's exported config, or use 'regedit' and export following registry key: 64bit-OS [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE] A.3. Export of auth registry from all DCs (if DCAgent mode is used) Auth: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] (should result in "auth0" = "dcagent") [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos] (should result in "auth0" = "dcagent") A.4. Network Topology information for polling modes (incl: numbers of DCs) A.5. FortiGate’s current config and debug.log files Debug.log is reachable in GUI : System > Config > Advanced > Download Debug Log in Cluster it's reachable for every cluster member under GUI: System > Config > HA > right side click the arrow-on-page icon "Download Debug Log". A.6. Switch the Collector agent’s logging level to the Debug level and switch the log size to 50MB, on all Collector agents. B. When the issue occurs, collect the following information: B.1. copy of log file from all Collector agents B.2. Workstation’s output under affected user account ipconfig /all echo %logonserver% echo %username% net use time /T date /T B.3. on FortiGate collect output of those commands (log console output to text file, SSH connection preferred over direct console for its speed): get system stat diag debug reset diag debug en diag debug authd fsso server-status diag debug auth fsso list diag fire auth list diag wad user list diag sys session filter clear diag sys session filter dst 206.190.36.45 diag sys session clear diag debug flow filter clear diag debug flow filter addr 206.190.36.45 diag debug flow show fun en diag debug flow show con en diag debug flow show ipr en diag debug flow trace start 50 diag debug enable # On the workstation open a browser and go to http://206.190.36.45 , wait for an issue reoccurence # mention more info about application/browser which was used to access the URL (at least name like FireFox/MSIE, if possible) # after issue present and flow stops, run bellow commands to terminate debug diag debug reset diag sys session filter clear diag debug flow filter clear B.4 take a screenshot or note what IP was printed in bold (active collector) in "FSSO Agent IP/Name" column on GUI / User & Device / Authentication / Single Sign-On