Hi, We got some issues with fsso authentication. FSSO Architecture :DC Agents installed on each DC2 collector Agent installed on 2 others servers[/ul]Randomly, some users are not correctly authenticated or with a huge delay.In most case, impacted users doesn't appears on the active collector agent (show logon users) but only on the passive collector agent. And vice versa, but without causing issue, some users appears on the active collector agent but not on the passive collector agent. For impacted users, in the collectors log, i noticed that the logon user is correctly received on each collectors "[RECV_EVENT_FROM_DC] packet_len:43 dcagent_ip:DCAgentIP time:1706521871 data_len:30 data:COMPUTERNAME/DOMAIN/USERNAME ip:0.0.0.0 " But the [UPDATE_LOGON_LIST] is not always performed "[UPDATE_LOGON_LIST] action:add_new_entry workstation:COMPUTERNAME ip:X.X.X.X::: user:DOMAIN\USERNAME" Does that mean that the collector agent fails to resolve the computername in IP Address ? We working on this with our provider. We have already added donotresolve registry key on the DC. Looks better then but doesn't resolve all issues. Thank you for your help.
in DCAgent mode every DC which can be possibly elected by Workstation as logonserver have to have DCAgent installed on.
If there is more then one Collector Agent, then all DCAgents has to be set to report to all Collector Agents.
Collector Agents are independent instances, creatine their own idea about logged on users (that's why step 2 is important). And the do NOT share any info in between each other. Therefore it is not any sort of sync or cluster. And as so then there is truly not a single passive or active unit.
FortiGate connector can have more then one Collector set. And for resiliency it is good to have 2 Collector Agents (at least, but two is sufficient minimum). However those then form a circular list. When first becomes unreachable, then second is used, if the last from the list becomes unreachable then first is used again. FortiGate is connected to a single Collector Agent at a time. If previously unreachable becomes reachable again, then FortiGates will keep currently used one, and there is nothing like fall back to previously active unit as you might expect in cluster with high/low priority units. Because as said there is no such thing like cluster in between Collector Agents. They are independent.
DCAgent can do DNS resolution, and does so by default, but it might slow down processing if that DNS is slow to response.
Collector Agent can also make DNS resolutions. By default via DNS servers set in underlying OS, or via set alternative DNS servers in Advanced settings. So if your DC DNS settings point to 3rd party like 22.214.171.124 then you can use that Alt.DNS to point Collector to your Domain DNS servers.
Perfectly working DNS, swift to respond and with accurate DNS records for workstations, with all workstation IP addresses (if there is more than one NIC in workstations) is CRICIAL for perfectly working FSSO.
Make sure all DCAgents report to both/all Collector Agents and check DNS setup.
Switch Collector Agent's log to Debug level and some 50MB size to learn more about delays from log.
And if you get stuck then open technical ticket on Fortinet support site. As customer, or through the partner.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.