- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Logon event RDP for FSSO
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Logon event RDP for FSSO
Hello, We use FSSO to allow or not connection to Internet for users. We have a problem when we use RDP (Windows remote desktop), they credentials using on the remote desktop are updated also on the computer who has lauch RDP. We have reproduce this issue. We are connected with ABC account on 10.1.1.1. We launch a RDP session from 10.1.1.1 to 10.2.2.2 with account DEF. After that, we can see on the fortigate the DEF account on 10.2.2.2 and on 10.1.1.1. So from the computer 10.1.1.1 with ABC account, we have DEF rights ! So we need to De-authenticate DEF on Fortigate or restart a session to restore ABC rights on 10.1.1.1. When we look logon log on FSSO collector, we can see that DEF connect in first on 10.1.1.1 and after 10.2.2.2. So, why Windows RDP send a logon event whith DEF on 10.1.1.1 ? Do you know this problem ?
I've opened a ticket on fortinet support, but I think it's not a FSSO bug. This is why I allow myself to ask the question here.
Thank you so much in advance.
Best regards,
Anthony.
FCNSA-P
France
FCNSA-P France
Labels:
- Labels:
-
5.2
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
we saw and investigated that behavior with updated new RDP protocol as development case ID #165397 (not a bug) and problem is that when user authenticate via RDP the MS system creates logon event on DC which is indistinguishable from regular one and contains data as that DEF truly logged on 10.1.1.1.
Therefore Collector and FSSO subsystem spot that logon and as it later it overwrite/update current FSSO records with new data for workstation 10.1.1.1.
Possible solutions I see (choose either one suitable for you):
---
A: use native RDP vithout security negotiations (older version ).
B: use FSSO WinSec Polling from collector instead of DCAgent mode.
C: as issue is caused by contradictory info gathered through two MS sub-authentication layer channels, then make a fix in registry of DC servers and change this to eliminate channel with wrong data and keep just Kerberos channel opened:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] delete value Auth0 or change Auth0 value to anything other than dcagent. after that restart domain controller.
Best regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you for your reply.
We have try to modify registr value on Domain Controller but we have the same problem...
Why ?
Also, this value is not available on a standard Windows, only on Server...
Fortinet ask to me to use a special account for RDP session and to put this account on ignore user list.
This is not really a good solution for customers...
Best regards,
Anthony.
FCNSA-P
France
FCNSA-P France
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Anthony,
registry key should work, as it was tested before.
Surely it is just for server platforms as we are talking about registry records on DC not on workstations ! Maybe that's why it's not working as you expect.
Special account distinguishable from regular account by logon name format for RDP is good workaround I think. New RDP does logon action, DC creates two contradicting logon events through Kerberos and MSV channel, and if FSSO monitor both it will get them and update FSSO records one-by-one so if MSV one (wrong data inside) is last one, then you will get workstation overwritten. Issue is created by inacurate logon event through MSV channel. So you have to either ignore channel (registry change), or ignore a user logon event based on user name used (ignore list record).
regards, Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am on the newest version of FSSO and the problem is still remains.
I have looked at the workarounds.
A: We need this as we are running RD environment with SSO
B: If your are meaning pulling info with the Fortigate then this environment is probably to big for that.
C: Value Auth0 does not exist
Any thoughts?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm also experiencing this issue..
Fortinet replied my ticket:
---------------------
When a user use RDP, a login is registered on the Domain Controller, an IP only can have one user, the IP will use the last login.
With the previous rules, you can do next steps to avoid this override:
- On the FSSO Collector Agent - > Show Monitored DCs - > Select DC to monitor - > Check "Disable RDP override"
- Add accounts used for RDP in the FSSO Collector Agent - > Set Ignore User List - > Add Users - > Select - > Add
* Adding accounts, FSSO Agent will ignore logins from added accounts so the current session will not overridden.
---------------------
There's no such option as "Disable RDP override"..
You guys found any solution?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI
i have some problem
try edit regedit on Dc naturally and reboot, not work
flag "Disable RDP override" and reboot, not work
when connect to rdp server fortigate use new rdp user and ip of workstation
it's no a way esclude all user account. i need to use it on other workstation.
have solution???
p.s. Disable RDP override flag stay on last agent version
Related Posts
- Fortinet FSSO and Cisco ISE pxgrid 189 Views
- Fortinet Single Sign On (FSSO) for... 220 Views
- FSSO with two Domain Controllers not... 250 Views
- FSSO Logon Users How to clear... 529 Views
- FSSO agent 1827 Views
Labels
-
FortiGate
6,503 -
FortiClient
1,299 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.