Fortigate 5.2.7 FSSO polling mode authentication problem

Millibhu, 2016/04/26 21:29:59

Hi,
 
I want to implement Internet access authentication with FSSO polling mode. I have followed the cookbook
http://cookbook.fortinet.com/fsso-polling-mode/
 
But still no success. Even though my PC is joined to the domain, it still prompts for username/password.
 
Could anyone suggest what I can check as a next step?
 
Thank you
 
Mhee
#1

7 Replies

    Fishbone_FTNT, 2016/04/26 23:19:59
    Hi Mhee,
    for the sake of your own sanity, please don't use Fortigate's polling mode unless it's really necessary. There are numerous limitations compared to a standalone FSSO CA design. Just off the top of my head:
    - NTLM is not supported
    - only few events are monitored
    - workstation check is not implemented
    - has performance limitations
     
    There are many success stories with standalone FSSO CA, while so few with Fortigate FSSO polling, if you know what I mean. If I had to position Fortigate's polling mode for any use, I would mention extra-small designs and demonstration purposes.
     
    If you still need to troubleshoot FSSO polling mode (or you are just brave and adventurous), please make sure that security event auditing is enabled on all DC servers and that the configured LDAP server is really reachable.
     
    If still no success, you can also get an idea of what's wrong from your own troubleshooting, for example with the debug commands:
     
    # various debug outputs related to fssod daemon
    diagnose debug fsso-polling ?
     
    # enable continuous debug
    diagnose debug console timestamp enable
    diagnose debug application fssod -1
    diagnose debug enable
    # disable continuous debug
    diagnose debug reset
    diagnose debug disable
     
     
    Cheers,
     Fishbone )(
     
    #2
    Millibhu, 2016/05/02 00:18:52
    Hi Fishbone,
     
    Thank you for your information. I am implementing this in a test environment. This solution will be deployed for a small office, so I started with polling mode.
     
    I tried the debug with your commands; the output is below.
     
    -------------------------------------------------------------
    Fortigate-100D # diagnose debug fsso-polling detail
    AD Server Status:
    ID=1, name(x.x.x.x),ip=x.x.x.x,source(security),users(0)
    port=auto username=Admin
    read log offset=764539828, latest logon timestamp: Mon May  2 13:27:14 2016

    polling frequency: every 10 second(s) success(50432), fail(0)
    LDAP query: success(2), fail(0)
    LDAP max group query period(seconds): 1
    most recent connection status: connected

    Group Filter:
     
    The LDAP connection to the server seems to be normal. Could you please suggest the next step to analyze this?
     
    Thanks
    Millibhu
    #3
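The output above is the kind of thing Fishbone's debug commands produce, and reading it by eye for four or five DCs gets tedious. The script below is an added example, not code from the thread or from Fortinet: it parses the per-server block of `diagnose debug fsso-polling detail` (format inferred from the single sample posted above; the field layout of other firmware builds is an assumption) and flags the condition in the post, where polling and LDAP succeed and the status is connected but the server has yielded zero users, alongside the more ordinary failures. The second server in the constructed sample, its counters, the addresses and the thresholds are invented for illustration.

```python
"""Health check over `diagnose debug fsso-polling detail` output.

Added example (not from the thread or from Fortinet). Parses each polled
AD server's status block and returns finding codes so that several DCs
can be compared at a glance instead of reading raw counters.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the output posted above. The addresses,
# the second server and all of its counters are invented.
SAMPLE = """\
AD Server Status:
ID=1, name(192.0.2.10),ip=192.0.2.10,source(security),users(0)
port=auto username=Admin
read log offset=764539828, latest logon timestamp: Mon May  2 13:27:14 2016

polling frequency: every 10 second(s) success(50432), fail(0)
LDAP query: success(2), fail(0)
LDAP max group query period(seconds): 1
most recent connection status: connected

ID=2, name(192.0.2.11),ip=192.0.2.11,source(security),users(37)
port=auto username=Admin
read log offset=12345, latest logon timestamp: Mon May  2 09:00:00 2016

polling frequency: every 10 second(s) success(120), fail(45)
LDAP query: success(1), fail(3)
LDAP max group query period(seconds): 1
most recent connection status: disconnected

Group Filter:
"""
# Reference "now" for the constructed sample (a few minutes after its stamps).
SAMPLE_NOW = datetime(2016, 5, 2, 13, 30, 0)

SERVER_RE = re.compile(r"ID=(\d+),\s*name\(([^)]*)\),\s*ip=([^,]+),\s*source\((\w+)\),\s*users\((\d+)\)")
TS_RE = re.compile(r"latest logon timestamp:\s*(.+?)\s*$")
POLL_RE = re.compile(r"polling frequency: every (\d+) second\(s\)\s*success\((\d+)\),\s*fail\((\d+)\)")
LDAP_RE = re.compile(r"LDAP query:\s*success\((\d+)\),\s*fail\((\d+)\)")
STATUS_RE = re.compile(r"most recent connection status:\s*(\w+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"   # ctime-style stamp as printed in the sample


def parse_fsso_polling(text):
    """Return one dict per polled AD server found in the debug output."""
    servers, cur = [], None
    for line in text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            cur = {"id": int(m.group(1)), "name": m.group(2), "ip": m.group(3),
                   "source": m.group(4), "users": int(m.group(5)),
                   "latest_logon": None, "poll_ok": 0, "poll_fail": 0,
                   "ldap_ok": 0, "ldap_fail": 0, "status": "unknown"}
            servers.append(cur)
            continue
        if cur is None:
            continue                      # header lines before the first server
        if (m := TS_RE.search(line)):
            cur["latest_logon"] = datetime.strptime(m.group(1), TS_FMT)
        elif (m := POLL_RE.search(line)):
            cur["poll_ok"], cur["poll_fail"] = int(m.group(2)), int(m.group(3))
        elif (m := LDAP_RE.search(line)):
            cur["ldap_ok"], cur["ldap_fail"] = int(m.group(1)), int(m.group(2))
        elif (m := STATUS_RE.search(line)):
            cur["status"] = m.group(1)
    return servers


def findings(server, now, stale_after=timedelta(hours=1)):
    """Return (code, advice) pairs for one server; an empty list means healthy."""
    out = []
    if server["status"] != "connected":
        out.append(("DISCONNECTED", "not connected to this DC; check credentials and reachability"))
    polls = server["poll_ok"] + server["poll_fail"]
    if polls and server["poll_fail"] / polls > 0.05:      # 5% threshold is an assumption
        out.append(("POLL_FAILURES", f"{server['poll_fail']}/{polls} polls failed"))
    if server["ldap_fail"]:
        out.append(("LDAP_FAILURES", f"{server['ldap_fail']} LDAP group queries failed"))
    if server["latest_logon"] and now - server["latest_logon"] > stale_after:
        out.append(("STALE_LOG", "no logon event read recently; check logon auditing on the DC"))
    if server["users"] == 0 and server["poll_ok"] and server["status"] == "connected":
        out.append(("NO_USERS", "polling works but no user learned; verify the DC audit policy "
                                "and the FSSO group filter / user group mapping"))
    return out


def report(text, now):
    """Map server ip -> list of finding codes."""
    return {s["ip"]: [code for code, _ in findings(s, now)] for s in parse_fsso_polling(text)}


if __name__ == "__main__":
    for ip, codes in report(SAMPLE, SAMPLE_NOW).items():
        print(ip, codes or ["OK"])
```

Paste the real output into `SAMPLE` (or read it from a file) and pass the current time as `now`; a DC that reports `NO_USERS` while the others are healthy is the one to check first for the audit-policy point raised in the replies.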
    jmichael@corbincapital.com, 2017/02/27 11:37:13
    Make sure you have "Audit account logon events" turned on on your domain controllers.
     
    I've been told that this kind of polling is only good for fewer than 20 users and only one or two domain controllers. More than that and the system will miss events or struggle with performance.
     
    Hope this helps,
     
    J
     
    #4
    louis, 2017/02/27 23:30:10
    Hello,
     
    Which version of Windows domain controller are you using?
     
    Regards,
    Louis
    #5
    sgomes26, 2017/05/16 14:03:16
    Hello.
    I have this issue after installing antivirus on the DCs.
     
    #6
    dr.freeman, 2018/02/21 09:02:16
    Hi, can someone tell me what diagnose debug fsso-polling refresh-user actually does?

    Does it only display some status information and statistics about polls, or does it refresh user group information from any server that is connected to the firewall with some collector agent?
    #7
    fcb, 2018/11/18 18:35:35
    Does everyone still agree (here in late 2018 and on 6.0.2) that fsso-polling is not the way to go in a larger environment? I have about 750 users across four domain controllers. Everything seems to be working "fair", but it seems like it's not showing all of the users yet. I've only had it working for about 6 hours, and only around half of the users are showing in a "diag debug fsso-polling" query.
     
    If I go back to the collector agent, will the groups that I already have populated and pointing to the FSSO still work without modification? Lastly, how does the unit handle both FSSO with CA and FSSO with polling? Does it just use both? It seems like both would be hard to troubleshoot.
     
    Thanks!
     
    dt
     
     
    post edited by fcb - 2018/11/18 18:43:07
    #8