Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Millibhu
New Contributor

Fortigate 5.2.7 FSSO polling mode authentication problem

Hi,

 

I want to implement Internet Access Authentication with FSSO polling mode. I have followed the cookbook:

http://cookbook.fortinet.com/fsso-polling-mode/

But still no success. Even though my PC has joined the domain, it still prompts for username/password.

Could anyone suggest what I can check as the next step?

 

Thank you

 

Mhee

Fishbone_FTNT

Hi Mhee,

for the sake of your own sanity, please don't use Fortigate's polling mode unless it's really necessary. There are numerous limitations compared to a standalone FSSO CA design. Just off the top of my head:

- NTLM is not supported
- only a few events are monitored
- workstation check is not implemented
- has performance limitations

There are many success stories with standalone FSSO CA, while so few with Fortigate FSSO polling, if you know what I mean. If I had to position Fortigate's polling mode for any use, I would mention extra-small designs and demonstration purposes.

If you still need to troubleshoot FSSO polling mode (or you are just brave and adventurous), please be sure that you have security event auditing enabled on all DC servers, and that the configured LDAP server is really reachable.

If there is still no success, you can also get an idea of what's wrong from your own troubleshooting, for example with these debug commands:

# various debug outputs related to the fssod daemon
diagnose debug fsso-polling ?

# enable continuous debug
diagnose debug console timestamp enable
diagnose debug application fssod -1
diagnose debug enable

# disable continuous debug
diagnose debug reset
diagnose debug disable


Cheers,

 Fishbone )(

 

smithproxy hacker - www.smithproxy.org

Millibhu

Hi Fishbone,

 

Thank you for your information. I implemented this in a test environment. This solution will be deployed for a small-size office, so I started with polling mode.

I tried the debug with your command; the output is below.

-------------------------------------------------------------

Fortigate-100D # diagnose debug fsso-polling detail
AD Server Status:
ID=1, name(x.x.x.x),ip=x.x.x.x,source(security),users(0)
port=auto username=Admin
read log offset=764539828, latest logon timestamp: Mon May  2 13:27:14 2016
polling frequency: every 10 second(s) success(50432), fail(0)
LDAP query: success(2), fail(0)
LDAP max group query period(seconds): 1
most recent connection status: connected
Group Filter:

The LDAP connection to the server seems to be normal. Could you please suggest the next step to analyze this?

 

Thanks

Millibhu
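The status block above can be parsed and sanity-checked automatically, which is handy when you have several DCs to compare. This is an added Python example, not code from the thread or from Fortinet: the field layout follows the `diagnose debug fsso-polling detail` output quoted above, while the health thresholds and the wording of the findings are this example's own assumptions.

```python
import re
from datetime import datetime

FMT = "%a %b %d %H:%M:%S %Y"  # asctime layout the CLI uses for the logon timestamp

# Constructed sample: the output quoted in the thread, re-broken into lines (x.x.x.x is the poster's redaction)
SAMPLE = """\
AD Server Status:
ID=1, name(x.x.x.x),ip=x.x.x.x,source(security),users(0)
port=auto username=Admin
read log offset=764539828, latest logon timestamp: Mon May  2 13:27:14 2016
polling frequency: every 10 second(s) success(50432), fail(0)
LDAP query: success(2), fail(0)
LDAP max group query period(seconds): 1
most recent connection status: connected
Group Filter:
"""

def parse_status(text):
    """Pull the counters that matter out of one 'AD Server Status' block."""
    def pair(pattern):  # (success, fail) counters, or (None, None) if the line is absent
        m = re.search(pattern, text)
        return (int(m.group(1)), int(m.group(2))) if m else (None, None)
    users = re.search(r"users\((\d+)\)", text)
    stamp = re.search(r"latest logon timestamp:\s*(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})", text)
    poll_ok, poll_fail = pair(r"(?<!LDAP query: )success\((\d+)\), fail\((\d+)\)")
    ldap_ok, ldap_fail = pair(r"LDAP query: success\((\d+)\), fail\((\d+)\)")
    return {"users": int(users.group(1)) if users else None,
            "last_logon": datetime.strptime(stamp.group(1), FMT) if stamp else None,
            "connected": re.search(r"connection status:\s*connected\b", text) is not None,
            "poll_ok": poll_ok, "poll_fail": poll_fail,
            "ldap_ok": ldap_ok, "ldap_fail": ldap_fail}

def assess(s, now=None, stale_after=3600):
    """Turn parsed counters into findings; `now` is in the CLI's timestamp format (default: current time)."""
    now = datetime.strptime(now, FMT) if now else datetime.now()
    findings = []  # thresholds and wording below are this example's own assumptions
    if not s["connected"]:
        findings.append("DC not connected: check reachability, credentials and the LDAP server object")
    if s["poll_fail"]:
        findings.append(f"{s['poll_fail']} event-log polls failed: check the polling account can read the Security log")
    if s["ldap_fail"]:
        findings.append(f"{s['ldap_fail']} LDAP group queries failed: check the bind user and search base")
    if s["connected"] and s["poll_ok"] and s["users"] == 0:
        findings.append("polls succeed but no logon users learned: verify 'Audit account logon events' "
                        "is enabled on every DC and that this DC actually authenticates the test PC")
    if s["last_logon"] and (now - s["last_logon"]).total_seconds() > stale_after:
        findings.append(f"last logon event seen {now - s['last_logon']} ago: new logons are not being picked up")
    return findings
```

Run `assess(parse_status(SAMPLE))` against the block pasted above and the users(0)-with-successful-polls condition is flagged, which points back at DC audit policy rather than at the LDAP connection.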

jmichael
New Contributor

Make sure you have Audit account logon events enabled on your domain controllers.

 

I've been told that this kind of polling is only good for less than 20 users and only one or two domain controllers.  More than that and the system will miss events or struggle with performance.

 

Hope this helps,

 

J

 

louis
New Contributor

Hello,

 

Which version of Windows domain controller are you using?

 

Regards,

Louis

sgomes26
New Contributor

Hello.

I had this issue after installing antivirus on the DCs.

 

dr_freeman

Hi, can someone tell me what diagnose debug fsso-polling refresh-user actually does?

Does it only display some status information and statistics about polls, or does it refresh user group information from any server that is connected to the firewall with some collector agent?

fcb
Contributor

Does everyone still agree (here in late 2018 and on 6.0.2) that fsso-polling is not the way to go in a larger environment? I have about 750 users across four domain controllers. Everything seems to be working "fair" but seems like it's not showing all of the users yet. I've only had it working for about 6 hours and only around half of the users are showing in a "diag debug fsso-polling" query.

 

If I go back to the collector agent, will the groups that I already have populated and pointing to the FSSO still work w/o modification? Lastly, how does the unit handle both FSSO with CA and FSSO with polling? Does it just use both? Seems like both would be hard to troubleshoot.

 

Thanks!

 

dt
