- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO keeps disconnected
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO keeps disconnected
Hi everybody I'm currently trying to set up single sign on, and things are more painful than I initially thought. I'm currently running 5.6.3 FortiOS version on Fortigate 201E appliance. My goal is to retrieve user logon from LDAP server so that I can use FSSO feature in my rulebase, allowing users to authenticate their windows session and then be authorized through the firewall according to the policy base.
For this I want to use the polling method, avoiding to install additionnal software on the customer AD server. So first, I have configured my LDAP server "User and Device -> LDAP Server -> create new" which is OK ("Test Connectivity" button says "Successful")
Then I try to configure User and Device -> Single Sign On part, but here is where it fails. I put a name on my SSO configuration, then I reuse the same credentials than those used in LDAP server (I guess this is what needs to be done), and I enable polling I can see the users tree appearing, but when i go back on meny User and Device -> Single Sign On, i see a status "Disconnected" If I make a packet capture, I see the firewall establishing a tcp connection with LDAP server, which succeeds, but then the fortigate send a SMB negotiate protocol Request that is immediatly TCP reseted by the LDAP. My customer asked me which SMB version fortigate used but I didn't find this information. It is several days that I'm breaking my brain on this, so your help would be highly appreciated :) I'm sorry that I couldn't insert more pictures but it seems that only 1 attachment is authorized per post. Thanks per advance Benjamin
Labels:
- Labels:
-
5.6
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello dear all
It seems that we found out the solution.
We reproduced the configuration in our lab, and we disabled SMBv1 on the Active Directory server, and obtained the same symptoms.
So it appears that the Fortigate uses SMBv1 for Active Directory polling.
I didn't find the way to force v2 on the 201E, if anyone has this information...
Thanks per advance
Regards
Benjamin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Benjamin,
I've been under the impression that this is now fixed with 5.6.3 GA. I've troubleshooted with these commands:
diagnose debug application fssod -1
dia deb fsso-polling detail 1 dia deb fsso-polling client
diagnose debug authd fsso list
On my SMBv2 enabled (SMBv1 disabled) Windows AD Server it works fine now; status=connected. Also, if possible make a packet trace on the interface where the AD server is, I've spotted some authentications errors on my side..
Cheers,
B.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Boris
Thank you for your feedback.
What is version 5.6.3 GA ? I only know about 5.6.3.
Anyway we finally installed a collector agent and the topology works fine now, CA is much more flexible than simple polling.
Regards
Benjamin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bca wrote:What is version 5.6.3 GA ? I only know about 5.6.3.
Hey there Benjamin,
GA means "General Availability" in other words "5.6.3".
I've been playing a bit with FSSO and towards my readings CA based polling is more scalable indeed. Regards,
Boris
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
i still have this problem
any reason why this error occurred ?
any solution ??
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
why fortinet is too weak in solving problems ?
there is no usable document about this problem, i'm thinking why ?
really no one has such this problem !!??
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Gabana,
more complicated issues which require to share some sensitive information/debugs/config parts are unlikely to be solved on forums. Maybe it's the time to open a support ticket? I would definitely suggest to go this way.
Regards,
Fishbone)(
smithproxy hacker - www.smithproxy.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
i think the problem is now clear for me
fortigate uses SMBv1 to poll active directory logon events.
its now prohibited because of security issues.
so the unit keep disconnected.
can i force fortigate unit to use SMBv2 ??
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
I was having issues with FSSO disconnected after upgrading to FortiOS 5.6.2 and then 5.6.3.
While reviewing the CLI options I realized that *port is required but it wasn't set, so when I entered the command set port 8000 (the port number that you have configured in the collector agent), it connected immediately.
config user fsso
edit YOURFSSO
set port 8000
set server a.b.c.d
set password yourpassword
Hope this helps,
Arismonty
Dominican Republic
Related Posts
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.