Hot!Logon event RDP for FSSO

Author
anthony956
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/07 14:09:58
  • Status: offline
2015/07/28 02:22:10 (permalink) 5.2
0

Logon event RDP for FSSO

 
Hello,

We use FSSO to allow or not connection to Internet for users.
We have a problem when we use RDP (Windows remote desktop), they credentials using on the remote desktop are updated also on the computer who has lauch RDP.

We have reproduce this issue.
We are connected with ABC account on 10.1.1.1.
We launch a RDP session from 10.1.1.1 to 10.2.2.2 with account DEF.
After that, we can see on the fortigate the DEF account on 10.2.2.2 and on 10.1.1.1.
So from the computer 10.1.1.1 with ABC account, we have DEF rights !
So we need to De-authenticate DEF on Fortigate or restart a session to restore ABC rights on 10.1.1.1.

When we look logon log on FSSO collector, we can see that DEF connect in first on 10.1.1.1 and after 10.2.2.2.
So, why Windows RDP send a logon event whith DEF on 10.1.1.1 ?
Do you know this problem ? 
 
I've opened a ticket on fortinet support, but I think it's not a FSSO bug. This is why I allow myself to ask the question here.
 
Thank you so much in advance.
 
Best regards,
Anthony.
 
#1

6 Replies Related Threads

    xsilver
    Expert Member
    • Total Posts : 453
    • Scores: 103
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Location: EMEA
    • Status: offline
    Re: Logon event RDP for FSSO 2015/07/28 05:08:55 (permalink)
    0
    Hello,
     
    we saw and investigated that behavior with updated new RDP protocol as development case ID #165397 (not a bug) and problem is that when user authenticate via RDP the MS system creates logon event on DC which is indistinguishable from regular one and contains data as that DEF truly logged on 10.1.1.1.
    Therefore Collector and FSSO subsystem spot that logon and as it later it overwrite/update current FSSO records with new data for workstation 10.1.1.1.
     
    Possible solutions I see  (choose either one suitable for you):
    ---
    A: use native RDP vithout security negotiations (older version ).
    B: use FSSO WinSec Polling from collector instead of DCAgent mode.
    C: as issue is caused by contradictory info gathered through two MS sub-authentication layer channels, then make a fix in registry of DC servers and change this to eliminate channel with wrong data and keep just Kerberos channel opened:
     
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
    delete value Auth0 or change Auth0 value to anything other than dcagent.
    after that restart domain controller.
     
    Best regards, Tomas
    #2
    anthony956
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/07/07 14:09:58
    • Status: offline
    Re: Logon event RDP for FSSO 2015/08/05 00:15:42 (permalink)
    0
    Hello,
     
    Thank you for your reply.
     
    We have try to modify registr value on Domain Controller but we have the same problem...
    Why ? 
    Also, this value is not available on a standard Windows, only on Server...
    Fortinet ask to me to use a special account for RDP session and to put this account on ignore user list. 
    This is not really a good solution for customers...
     
    Best regards,
    Anthony.
     
    #3
    xsilver
    Expert Member
    • Total Posts : 453
    • Scores: 103
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Location: EMEA
    • Status: offline
    Re: Logon event RDP for FSSO 2015/08/10 08:20:36 (permalink)
    0
    Hello Anthony,
     
    registry key should work, as it was tested before.
    Surely it is just for server platforms as we are talking about registry records on DC not on workstations ! Maybe that's why it's not working as you expect.
    Special account distinguishable from regular account by logon name format for RDP is good workaround I think. New RDP does logon action, DC creates two contradicting logon events through Kerberos and MSV channel, and if FSSO monitor both it will get them and update FSSO records one-by-one so if MSV one (wrong data inside) is last one, then you will get workstation overwritten. Issue is created by inacurate logon event through MSV channel. So you have to either ignore channel (registry change), or ignore a user logon event based on user name used (ignore list record).
     
    regards, Tomas
    #4
    TG44
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/01/27 06:30:09
    • Status: offline
    Re: Logon event RDP for FSSO 2017/05/18 09:28:14 (permalink)
    0
    I am on the newest version of FSSO and the problem is still remains. 
     
    I have looked at the workarounds.
    A: We need this as we are running RD environment with SSO
    B: If your are meaning pulling info with the Fortigate then this environment is probably to big for that.
    C: Value Auth0 does not exist
     
    Any thoughts?
     
    #5
    wspsales
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/09/13 09:54:08
    • Status: offline
    Re: Logon event RDP for FSSO 2017/10/04 08:03:25 (permalink)
    0
    I'm also experiencing this issue.. 
     
    Fortinet replied my ticket:
    ---------------------
    When a user use RDP, a login is registered on the Domain Controller, an IP only can have one user, the IP will use the last login.
    With the previous rules, you can do next steps to avoid this override:
    - On the FSSO Collector Agent - > Show Monitored DCs - > Select DC to monitor - > Check "Disable RDP override"
    - Add accounts used for RDP in the FSSO Collector Agent - > Set Ignore User List - > Add Users - > Select - > Add
    * Adding accounts, FSSO Agent will ignore logins from added accounts so the current session will not overridden.
    ---------------------
     
    There's no such option as "Disable RDP override"..
    You guys found any solution?
    #6
    lastangel
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/08/21 02:40:55
    • Status: offline
    Re: Logon event RDP for FSSO 2019/02/14 09:44:43 (permalink)
    0
    HI
    i have some problem
    try edit regedit on Dc naturally and reboot, not work
    flag "Disable RDP override" and reboot, not work
     
    when connect to rdp server fortigate use new rdp user and ip of workstation
     
    it's no a way esclude all user account. i need to use it on other workstation.
     
    have solution???
     
    p.s. Disable RDP override flag stay on last agent version
    #7
    Jump to:
    © 2019 APG vNext Commercial Version 5.5