FortiGate
tana
Staff
Article Id 252126
Description

 

This article describes how FSSO agentless polling on the AD server fails due to the NT_STATUS_NETLOGON_NOT_STARTED error.

 

Scope

 

FortiGate FSSO agentless polling on the AD server.

 

Solution

 

When troubleshooting an FSSO agentless polling mode issue, the smbcd debug logs show the following connect error message:

 

smbcd: rpccli_eventlog_open:177 /code/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-177: connect err(NT_STATUS_NETLOGON_NOT_STARTED)

 

The problem can also be detected in a packet capture, in the AD server's response packet to the SMB polling request:

 

Frame 63: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits)
Ethernet II, Src: VMware_a6:xx:xx (00:50:56:xx:xx:xx), Dst: Fortinet_09:xx:xx
Internet Protocol Version 4, Src: 172.16.1.8, Dst: 172.16.1.1
Transmission Control Protocol, Src Port: 445, Dst Port: 3903, Seq: 706, Ack: 1033, Len: 77
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
ProtocolId: 0xfe534d42
Header Length: 64
Credit Charge: 1
NT Status: STATUS_NETLOGON_NOT_STARTED (0xc0000192)
Command: Session Setup (1)
Credits granted: 1
Flags: 0x00000011, Response, Priority
Chain Offset: 0x00000000
Message ID: 2
Process Id: 0x00000000
Tree Id: 0x00000000
Session Id: 0x00022448b8000019 Acct:Test Domain:SAMBA Host:FGT-FW
Signature: 00000000000000000000000000000000
[Response to: 62]
[Time from request: 0.001637000 seconds]
Session Setup Response (0x01)
[Preauth Hash: cfbb393f465298102d4290d789b3022757e482d4b62687d51f700427b362d9e9806f0170…]
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Session Flags: 0x0000
.... .... .... ...0 = Guest: False
.... .... .... ..0. = Null: False
.... .... .... .0.. = Encrypt: False
Blob Offset: 0x00000000
Blob Length: 0
Security Blob: <MISSING>: NO DATA

 

On the target Windows AD server, check that the NETLOGON service is enabled.

Without the Netlogon service enabled, the AD server cannot operate on the network, because it cannot log on to the network using the logon credentials.
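
The two symptoms above (the smbcd debug line and the SMB2 Session Setup response status) can be checked programmatically when triaging saved debug output or a capture. The Python below is an added example, not Fortinet code: the function names are hypothetical, and the sample payload is constructed from the frame 63 fields shown in the dissection above.

```python
import re
import struct

# SMB2 sync header: 64 bytes, little-endian, same field order as the dissection
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")
STATUS_NETLOGON_NOT_STARTED = 0xC0000192   # NT Status value from the capture
SMB2_SESSION_SETUP = 1                     # Command: Session Setup (1)
SMB2_FLAG_RESPONSE = 0x00000001
CONNECT_ERR = re.compile(r"smbcd: .*connect err\((NT_STATUS_\w+)\)")

def smbcd_connect_errors(debug_text):
    """Return the NT status name from every smbcd 'connect err(...)' line."""
    return CONNECT_ERR.findall(debug_text)

def parse_smb2_response(tcp_payload):
    """Decode the SMB2 header from a TCP payload that begins with the
    4-byte NetBIOS Session Service header. Returns None if it is not SMB2."""
    if len(tcp_payload) < 4 + SMB2_HEADER.size:
        return None
    fields = SMB2_HEADER.unpack_from(tcp_payload, 4)
    proto, hdr_len, _charge, status, command, _credits, flags = fields[:7]
    if proto != b"\xfeSMB" or hdr_len != 64:
        return None
    return {"status": status, "command": command,
            "is_response": bool(flags & SMB2_FLAG_RESPONSE),
            "message_id": fields[8], "session_id": fields[11]}

def netlogon_not_started(tcp_payload):
    """True for a Session Setup response with STATUS_NETLOGON_NOT_STARTED."""
    hdr = parse_smb2_response(tcp_payload)
    return bool(hdr and hdr["is_response"]
                and hdr["command"] == SMB2_SESSION_SETUP
                and hdr["status"] == STATUS_NETLOGON_NOT_STARTED)

# Constructed sample: the 77-byte TCP payload of frame 63, rebuilt from its fields
SAMPLE_PAYLOAD = (
    b"\x00" + (73).to_bytes(3, "big")                  # NetBIOS type + length
    + SMB2_HEADER.pack(b"\xfeSMB", 64, 1, 0xC0000192, 1, 1, 0x11, 0, 2,
                       0, 0, 0x00022448B8000019, bytes(16))
    + struct.pack("<HHHH", 9, 0, 0, 0) + b"\x00"       # Session Setup body
)
SAMPLE_LOG = ("smbcd: rpccli_eventlog_open:177 /code/FortiOS/fortinet/daemon/"
              "smbcd/smbcd_eventlog.c-177: connect err(NT_STATUS_NETLOGON_NOT_STARTED)")

if __name__ == "__main__":
    print(smbcd_connect_errors(SAMPLE_LOG), netlogon_not_started(SAMPLE_PAYLOAD))
```

A match from either function points at the Netlogon service on the AD server rather than at the FortiGate polling configuration.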
