Support Forum
Rig
New Contributor

SSO issues/problems

Hi all

I am new to Fortigate (this is also my 1st post to the forum) and attempted to set up FSSO. I followed the steps as described in this link (http://cookbook.fortinet.com/providing-single-sign-using-ldap-fsso-agent-advanced-mode-expert/), however after completing all the steps I can see the logins from my users in the FSSO agent installed on the DC, but I am seeing nothing on the Fortigate. There is no user entry under "User & Device > Monitor > Firewall", and from the CLI I get the below:

# diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----
Did I miss something or do something wrong? Any advice welcome.

1 Solution
xsilver_FTNT
Staff

As you set up a standalone Collector Agent on the DC (if you followed the cookbook recipe), you do not need the local FSSO poller on the FortiGate. Remove it from 'config user fsso-polling'.

Make sure that your FSSO 'config user adgrp' records are paired to the right Collector "TCMVPN-FSSO" and not to the local poller.


Then check the users in Collector / Show Logon Users and their group membership. It seems probable to me that they do not match the group filters set and are therefore not reported to the FortiGate. Check the Group Filters on the Collector and on the FortiGate. If you run in advanced mode then the filters should be in LDAP format like "CN=group,DC=example,DC=com". Also make sure that you have selected LDAP objects which are actually groups (they must have LDAP ObjectClass=group) and not users or anything else!

Tom xSilver, planet Earth, over and out!

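The checks in the accepted answer can be done on the DC that hosts the Collector Agent. The following is an added example, not code from xsilver's post or from Fortinet: it takes the filter strings configured on the Collector/FortiGate (the three sample values here are constructed, and the DNs are assumed), rejects any that are not LDAP DNs, confirms each remaining DN exists and has objectClass=group, and lists the user members so they can be compared with Collector -> Show Logon Users. It needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original thread). Run on the DC with the
# Collector Agent, as a user allowed to read AD. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Assumption: these are the group filter strings currently configured.
# Replace with the ones from Collector -> Set Group Filters / FortiGate.
$GroupFilters = @(
    'CN=VPN-Users,OU=Groups,DC=example,DC=com',   # correct: LDAP DN of a group
    'CN=jsmith,OU=Staff,DC=example,DC=com',       # wrong: a user object, not a group
    'EXAMPLE\VPN-Users'                           # wrong: Windows format, not an LDAP DN
)

foreach ($filter in $GroupFilters) {
    # Advanced mode needs the full LDAP DN (CN=...,[OU=...,]DC=...); anything else
    # (DOMAIN\group, a bare group name) will never match a logon.
    if ($filter -notmatch '^CN=.+,(OU=.+,)*DC=.+') {
        Write-Warning "$filter : not an LDAP DN; advanced mode needs e.g. CN=group,DC=example,DC=com"
        continue
    }

    # Get-ADObject -Identity accepts a DN and throws if nothing has that DN.
    try {
        $obj = Get-ADObject -Identity $filter -Properties objectClass
    } catch {
        Write-Warning "$filter : no object with this DN in AD (check spelling/OU path)"
        continue
    }

    # The Collector only matches logons against real groups.
    if ($obj.ObjectClass -ne 'group') {
        Write-Warning "$filter : objectClass is '$($obj.ObjectClass)', not 'group'; select a group object instead"
        continue
    }

    # Show who is actually in the group (nested membership included), to compare
    # with Collector -> Show Logon Users. A logged-on user who is not listed here
    # is not sent to the FortiGate for this filter.
    $members = Get-ADGroupMember -Identity $filter -Recursive | Where-Object objectClass -eq 'user'
    "{0} : OK (group, {1} user member(s))" -f $filter, @($members).Count
    $members | Select-Object -ExpandProperty SamAccountName | ForEach-Object { "    $_" }
}

# To obtain the exact DN string to paste into the filter for a group you
# only know by name (helper added here, not a Fortinet tool):
function Get-FssoFilterDn([string]$GroupName) {
    (Get-ADGroup -Identity $GroupName).DistinguishedName
}
# Get-FssoFilterDn 'VPN-Users'
```

Paste the DN printed by Get-FssoFilterDn into the Collector and FortiGate group filters exactly as shown, and then re-run "diagnose debug authd fsso list" on the FortiGate after a fresh user logon.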

Armando_Gomez_Barrio

Hello, did you manage to solve this problem?

I have the same problem with FSSO as you; I would appreciate any support.

Best Regards

Armando Gómez
imanet
New Contributor

Hi, if you want to configure FSSO in polling mode, first you just need an Active Directory user which is a member of the "Domain Users" and "Event Log Readers" groups.

Second, if you have a number of Active Directory servers, JUST select the one which has the global catalog role.

This method is very simple and connects immediately after you refresh the page.
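The two prerequisites imanet lists for polling mode (an account in Domain Users and Event Log Readers, and a DC that holds the global catalog role) can be verified from any domain-joined machine with RSAT. This is an added example, not from imanet's post or from Fortinet; the account name 'svc-fsso' is an assumption.

```powershell
# Added example (not from the original thread). Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Assumption: the account the FortiGate poller will authenticate with.
$PollingAccount = 'svc-fsso'
$RequiredGroups = @('Domain Users', 'Event Log Readers')

# 1. Group membership. Get-ADPrincipalGroupMembership includes the primary
#    group, so 'Domain Users' shows up here even though it is not in memberOf.
$memberOf = Get-ADPrincipalGroupMembership -Identity $PollingAccount |
    Select-Object -ExpandProperty Name

foreach ($g in $RequiredGroups) {
    if ($memberOf -contains $g) {
        "OK      : $PollingAccount is a member of '$g'"
    } else {
        "MISSING : $PollingAccount is not a member of '$g'"
        # Fix with:  Add-ADGroupMember -Identity $g -Members $PollingAccount
    }
}

# 2. Domain controllers that hold the global catalog role; point the FortiGate
#    poller at one of these rather than at an arbitrary DC.
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object Name, IPv4Address, Site, IsGlobalCatalog |
    Format-Table -AutoSize
```

If the second check returns nothing, the filter is correct but no DC in the current domain is a global catalog server, which is worth knowing before blaming the FortiGate configuration.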