Support Forum
Rig
New Contributor

SSO issues/problems

Hi all

I am new to FortiGate (this is also my 1st post to the forum) and attempted to set up FSSO. I followed the steps as described in this link (http://cookbook.fortinet.com/providing-single-sign-using-ldap-fsso-agent-advanced-mode-expert/); however, after completing all the steps I can see the logins from my users in the FSSO agent installed on the DC, but I am seeing nothing on FortiGate. There is no user entry under "User & Device > Monitor > Firewall", and from the CLI I get the below:

# diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----
Did I miss something or do something wrong? Any advice welcome.


Rig
New Contributor

Hi

Thanks for the advice. Running the commands I get the below output for the 1st set.

_event_read[TCMVPN-FSSO]: received heartbeat 100408
[authd_fsae_app.c:116]: num 1, idx 0, 127.0.0.1:8000
_event_error[Local FSSO Agent]: error occurred in read: Connection refused
disconnect_server_only[Local FSSO Agent]: disconnecting

I checked the DC ports (netstat -ant | more) and I can see it listening on ports 389, 3268 and 8000, but no 8002.

From the FSSO Agent on the DC I can see that the listening ports are configured as Fortigate - 8000  and DC agent - 8002. Windows Firewall is disabled completely with no 3rd party FW installed.

 

For the second set of commands I get the below output:

 

# diagnose debug authd fsso server-status
Server Name         Connection Status     Version
-----------         -----------------     -------
Local FSSO Agent    waiting for retry
TCMVPN-FSSO         connected             FSSO 5.0.0244

xsilver_FTNT
Staff
Staff

As you set up a standalone Collector Agent on the DC (if you followed the cookbook recipe), then you do not need the Local FSSO poller on FortiGate. Remove it from 'config user fsso-polling'.

Make sure that your fsso 'config user adgrp' records are paired to the right Collector "TCMVPN-FSSO" and not to the local poller.

Then check users in Collector / Show Logon Users and their group membership. It seems to me probable that they are not matching the group filters set and therefore they are not reported to FortiGate. Check Group Filters on the Collector and on FortiGate. If you run in advanced mode then filters should be in LDAP format like "CN=group,DC=example,DC=com". Also make sure that you have selected LDAP objects which are actually groups (they must have LDAP ObjectClass=group) and not users or anything else!

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

Rig

Hi xSilver - thank you for the Feedback. I removed the local FSSO Agent and also changed the collector to Advanced Mode on the DC.

Everything is working now as expected - policies work and the Users are populated correctly. Thanks :)

gsarica

Don't mean to hijack this thread, but xsilver can you explain something that you mentioned there? We're using our AD servers as SSO on our FortiGate, no local agent, polling only. And this does work great as it assigns a user to a device when they log on. 

 

I noticed that SSO only assigns users to devices when they log in if I choose security groups in the SSO config. I can't use 'users' or 'OU' even though they are available as selections. If I choose an OU, in the logs it shows users signing in and out, but users won't be assigned to a device. Is there a reason only security groups can be used? Thanks!

xsilver_FTNT

Hi gsarica,

The reason is simple: FSSO needs to know which AD groups a user belongs to, and this is gathered via LDAP by querying the MemberOf attribute compared to the Members LDAP attributes. So your Collector (in local polling, FortiGate acts as Collector) can gather this group membership info, alongside source IP, workstation name and user name, for FortiGate, which then maps the user to a Firewall (fsso type) user group based on AD group membership.

So if you query an OU or a CN (a user, not a group), then you do not have MemberOf and Members attributes, and therefore there is nothing to use for proper FSSO function.

If you really want to use OUs on behalf of group objects, then you would need the standalone Collector Agent version 5.x installed on the DC, as those do support OU polling.

The FortiGate local poller and collector are truly limited in their functionality to the bare minimum.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer
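To make the two points above concrete (advanced-mode group filters must be LDAP DNs of real group objects, and the user-to-group mapping comes from the memberOf/member relationship that OUs and user objects lack), here is an added Python model; it is not Fortinet code and not from any post in this thread. The directory snapshot, filter list and logon events are constructed, and the selection logic is a simplified stand-in for what the Collector does, not the Collector's own implementation.

```python
import re
from typing import Dict, List, Tuple

# Constructed directory snapshot (not a real domain): DN -> attributes.
DIRECTORY: Dict[str, dict] = {
    "CN=VPN Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=alice,OU=Staff,DC=example,DC=com"]},
    "OU=Staff,DC=example,DC=com": {"objectClass": ["top", "organizationalUnit"]},
    "CN=alice,OU=Staff,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"],
        "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"]},
    "CN=bob,OU=Staff,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"], "memberOf": []},
}
# Constructed filter list: one real group, an OU, a user object and a bare name.
FILTERS = [
    "CN=VPN Users,OU=Groups,DC=example,DC=com",
    "OU=Staff,DC=example,DC=com",
    "CN=alice,OU=Staff,DC=example,DC=com",
    "VPN Users",
]
# Constructed logon events as (user DN, source IP, workstation).
LOGONS = [
    ("CN=alice,OU=Staff,DC=example,DC=com", "10.0.0.5", "PC1"),
    ("CN=bob,OU=Staff,DC=example,DC=com", "10.0.0.6", "PC2"),
]
# Advanced-mode group filters must be LDAP DNs such as CN=group,DC=example,DC=com.
DN_RE = re.compile(r"^(CN|OU)=[^,]+(,(CN|OU|DC)=[^,]+)+$", re.IGNORECASE)


def is_group(entry: dict) -> bool:
    return "group" in [c.lower() for c in entry.get("objectClass", [])]


def check_filters(filters: List[str], directory: Dict[str, dict]) -> List[str]:
    """One problem string per filter entry that can never match a logon."""
    problems = []
    for flt in filters:
        if not DN_RE.match(flt):
            problems.append(f"{flt}: not an LDAP DN")
        elif flt not in directory:
            problems.append(f"{flt}: no such object")
        elif not is_group(directory[flt]):
            problems.append(f"{flt}: object is not objectClass=group")
    return problems


def apply_filters(logons, filters, directory) -> Tuple[list, list]:
    """Split logons into reported and dropped. A logon is reported only when the
    user's memberOf names a filtered DN that really is a group; OU and user DNs
    never match because they carry no member/memberOf link to the user."""
    usable = {f for f in filters if f in directory and is_group(directory[f])}
    reported, dropped = [], []
    for user_dn, ip, host in logons:
        groups = [g for g in directory.get(user_dn, {}).get("memberOf", []) if g in usable]
        (reported if groups else dropped).append((user_dn, ip, host, groups))
    return reported, dropped
```

Running check_filters over FILTERS reports the OU, the user object and the bare name as unusable, and apply_filters reports alice (member of the filtered group) while dropping bob, which is the "logons listed: 0" picture when every filter is of the wrong kind.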

gsarica

I see, thank you. Totally makes sense.

CorneJvV

Hello All

 

I'm having some issues with FSSO. On the FortiGate the FSSO status is Online (green tick).

On the FSSO Agent, we can see over 1000 Authenticated users.

I am also able to telnet to the FSSO Server on port 8000.

 

I then deployed an LDAP FSSO as well, but I am still unable to see Authenticated Users.

Any additional troubleshooting commands will be greatly appreciated.

FGFW_300D_Master # exe telnet 192.168.0.141 8000
Trying 192.168.0.141...
Connected to 192.168.0.141.
(non-printable bytes) FSSO 5.0.0251 (non-printable bytes) FSAE_SERVER_10001
Connection closed by foreign host.

FGFW_300D_Master # exe telnet 192.168.0.142 8000
Trying 192.168.0.142...
Connected to 192.168.0.142.
(non-printable bytes) FSSO 5.0.0251 (non-printable bytes) FSAE_SERVER_10001
Connection closed by foreign host.

FGFW_300D_Master # diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----

FGFW_300D_Master # diag debug enable
FGFW_300D_Master # diagnose debug authd fsso server-status
Server Name                          Connection Status     Version
-----------                          -----------------     -------
2018-06-12 10:33:36 Client-FSSO      connected             FSSO 5.0.0251
2018-06-12 10:33:36 Client-LDAP      connected             FSSO 5.0.0251
diagnose debug dis

FGFW_300D_Master # diag debug enable
FGFW_300D_Master # diagnose debug application authd 8256
2018-06-12 10:34:01 _event_read[Client-FSSO]: received heartbeat 119915
2018-06-12 10:34:02 _event_read[Client-LDAP]: received heartbeat 119916
2018-06-12 10:34:11 _event_read[Client-FSSO]: received heartbeat 119916
2018-06-12 10:34:13 _event_read[Client-LDAP]: received heartbeat 119917
2018-06-12 10:34:21 _event_read[Client-FSSO]: received heartbeat 119917
2018-06-12 10:34:23 _event_read[Client-LDAP]: received heartbeat 119918
2018-06-12 10:34:32 _event_read[Client-FSSO]: received heartbeat 119918
2018-06-12 10:34:33 _event_read[Client-LDAP]: received heartbeat 119919
2018-06-12 10:34:42 _event_read[Client-FSSO]: received heartbeat 119919
2018-06-12 10:34:43 _event_read[Client-LDAP]: received heartbeat 119920
2018-06-12 10:34:52 _event_read[Client-FSSO]: received heartbeat 119920
2018-06-12 10:34:53 _event_read[Client-LDAP]: received heartbeat 119921
2018-06-12 10:35:02 _event_read[Client-FSSO]: received heartbeat 119921
2018-06-12 10:35:03 _event_read[Client-LDAP]: received heartbeat 119922
2018-06-12 10:35:12 _event_read[Client-FSSO]: received heartbeat 119922
2018-06-12 10:35:13 _event_read[Client-LDAP]: received heartbeat 119923

 

Regards

Corné

FCNSA FortiGate 60C, 110C, 200B, 310B FortiAnalyzer 100C FortiMail 100 FortiManager 100
kfr
New Contributor

FortiGate 600D v5.6.4 build1575 (GA); Windows Server 2008 R2; Windows 7 with FSSO Agent ver. 5.0.0267

 

Hello, I'm trying to configure FSSO using the FSSO Agent (Collector Agent) in Polling Mode (polling logon sessions from the DC) using WMI (the FSSO Agent is installed on a separate machine, not the DC). The agent is running under a domain user account with domain admin privileges, so this account also has privileges to access the Windows Security Event Logs.

 

On all devices in domain Audit logon events is enabled via GPO.

 

When the FSSO Agent uses the "Poll logon sessions using Windows NetAPI" option, everything works, but I have to change it to WMI because sometimes the FG has a mismatch of user to domain group, or the FG doesn't see some users.

 

As I read in the documentation, the preferred way to use Polling Mode is to check the Windows Security Event Logs using WMI.

 

All necessary ports for communication are not blocked by the firewall (139, 389, 445, 3268, 8000, 8002...).

 

Some debug logs…

 

diag debug auth fsso server-status

Server Name     Connection Status     Version               Address
-----------     -----------------     -------               -------
SRV07B          connected             FSSO 5.0.0267         172.16.44.172

diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----

 

diagnose debug application authd 8256

d_event_read[SRV07B-DMZ]: received heartbeat 102285
_event_read[SRV07B]: received heartbeat 102286
_event_read[SRV07B-DMZ]: received heartbeat 102290
_event_read[SRV07B]: received heartbeat 102291
_event_read[SRV07B]: received heartbeat 102296
_event_read[SRV07B-DMZ]: received heartbeat 102295
_event_read[SRV07B]: received heartbeat 102301
_event_read[SRV07B-DMZ]: received heartbeat 102300
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102305
_event_read[SRV07B]: received heartbeat 102306
_event_read[SRV07B]: received heartbeat 102311
_event_read[SRV07B-DMZ]: received heartbeat 102310
_event_read[SRV07B-DMZ]: received heartbeat 102315
_event_read[SRV07B]: received heartbeat 102316
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102320
_event_read[SRV07B]: received heartbeat 102321
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B]: received heartbeat 102326
_event_read[SRV07B-DMZ]: received heartbeat 102325
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102330
_event_read[SRV07B]: received heartbeat 102331
_event_read[SRV07B-DMZ]: received heartbeat 102335
_event_read[SRV07B]: received heartbeat 102336
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0

Collector Agent log (debug mode)
07/17/2018 10:23:55 [ 3832] [WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:55 [ 3832] [WMIPoller]Total 0 log event has processed
07/17/2018 10:23:55 [ 3832] [EPPoller]DoIpLsiMapCleanup(): before=0, after=0
07/17/2018 10:23:55 [ 3832] [EPPoller]Finish to poll Active Directory sessions
07/17/2018 10:23:55 [ 3832] [LSPoller]PackMsg(KEEPALIVE, srv06.kfr.local, 1531815835)
07/17/2018 10:23:55 [ 3832] Bytes received from DC agent(3327): 47 dcagent IP: 0c2810ac, MT=00010000
07/17/2018 10:23:55 [ 3832] dcagent packet: add to queue, called:3327, current:0
07/17/2018 10:23:55 [ 3832] [LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local): r=0
07/17/2018 10:23:55 [ 3264] process_dcagent_events called by worker:121
07/17/2018 10:23:55 [ 3264] dcagent packet: removed from queue, called:3327 remain:0
07/17/2018 10:23:55 [ 3264] get dcagent event from processing queue by worker:121
07/17/2018 10:23:55 [ 3264] [Comm]W=121, PDE:HDE(0000000014501800, 0x0C2810AC, 47)-->
07/17/2018 10:23:55 [ 3264] dcagent packet: processed:3327
07/17/2018 10:23:55 [ 3264] logon event(3327): len:47 dc_ip:172.16.40.12 time:1531815835 len:34 data:srv06.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:55 [ 3264] ignore keepalive packet
07/17/2018 10:23:55 [ 3264] [Comm]W=121, PDE:HDE(0000000014501800, 0x0C2810AC, 47): r=-1, e=87
07/17/2018 10:23:55 [ 3264] process_dcagent_events returned by worker:121, processed:1
07/17/2018 10:23:55 [ 1904] check the entry to see if the user's group info changed
07/17/2018 10:23:55 [ 1904] check the cache to send logon events
07/17/2018 10:23:56 [ 1904] check the cache to send logon events
07/17/2018 10:23:57 [ 1904] check the cache to send logon events
07/17/2018 10:23:57 [ 1356] [LSPoller]DoPolling(ip=0B2810AC, host=KFR/srv05.kfr.local)-->
07/17/2018 10:23:57 [ 1356] [CWMIEPPoller]Start to poll Active Directory sessions.
07/17/2018 10:23:57 [ 1308] [LSPoller]DoPolling(ip=282810AC, host=KFR/SRV30.kfr.local)-->
07/17/2018 10:23:57 [ 1308] [CWMIEPPoller]Start to poll Active Directory sessions.
07/17/2018 10:23:57 [ 1356] [WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:57 [ 1356] [WMIPoller]Total 0 log event has processed
07/17/2018 10:23:57 [ 1356] [EPPoller]Finish to poll Active Directory sessions
07/17/2018 10:23:57 [ 1356] [LSPoller]PackMsg(KEEPALIVE, srv05.kfr.local, 1531815837)
07/17/2018 10:23:57 [ 1356] Bytes received from DC agent(3328): 47 dcagent IP: 0b2810ac, MT=00010000
07/17/2018 10:23:57 [ 1356] dcagent packet: add to queue, called:3328, current:0
07/17/2018 10:23:57 [ 1356] [LSPoller]DoPolling(ip=0B2810AC, host=KFR/srv05.kfr.local): r=0
07/17/2018 10:23:57 [ 1308] [WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:57 [ 1308] [WMIPoller]Total 0 log event has processed
07/17/2018 10:23:57 [ 1308] [EPPoller]Finish to poll Active Directory sessions
07/17/2018 10:23:57 [ 1308] [LSPoller]PackMsg(KEEPALIVE, SRV30.kfr.local, 1531815837)
07/17/2018 10:23:57 [ 1308] Bytes received from DC agent(3329): 47 dcagent IP: 282810ac, MT=00010000
07/17/2018 10:23:57 [ 1308] dcagent packet: add to queue, called:3329, current:1
07/17/2018 10:23:57 [ 1308] [LSPoller]DoPolling(ip=282810AC, host=KFR/SRV30.kfr.local): r=0
07/17/2018 10:23:57 [ 2600] process_dcagent_events called by worker:2
07/17/2018 10:23:57 [ 2600] dcagent packet: removed from queue, called:3328 remain:1
07/17/2018 10:23:57 [ 2600] get dcagent event from processing queue by worker:2
07/17/2018 10:23:57 [ 2600] [Comm]W=002, PDE:HDE(0000000014501800, 0x0B2810AC, 47)-->
07/17/2018 10:23:57 [ 2600] dcagent packet: processed:3328
07/17/2018 10:23:57 [ 1288] process_dcagent_events called by worker:0
07/17/2018 10:23:57 [ 1288] dcagent packet: removed from queue, called:3329 remain:0
07/17/2018 10:23:57 [ 1288] get dcagent event from processing queue by worker:0
07/17/2018 10:23:57 [ 1288] [Comm]W=000, PDE:HDE(0000000014501E00, 0x282810AC, 47)-->
07/17/2018 10:23:57 [ 1288] dcagent packet: processed:3329
07/17/2018 10:23:57 [ 2600] logon event(3328): len:47 dc_ip:172.16.40.11 time:1531815837 len:34 data:srv05.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:57 [ 2600] ignore keepalive packet
07/17/2018 10:23:57 [ 2600] [Comm]W=002, PDE:HDE(0000000014501800, 0x0B2810AC, 47): r=-1, e=87
07/17/2018 10:23:57 [ 2600] process_dcagent_events returned by worker:2, processed:1
07/17/2018 10:23:57 [ 1288] logon event(3329): len:47 dc_ip:172.16.40.40 time:1531815837 len:34 data:SRV30.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:57 [ 1288] ignore keepalive packet
07/17/2018 10:23:57 [ 1288] [Comm]W=000, PDE:HDE(0000000014501E00, 0x282810AC, 47): r=-1, e=87
07/17/2018 10:23:57 [ 1288] process_dcagent_events returned by worker:0, processed:1
07/17/2018 10:23:58 [ 3832] [LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local)-->
07/17/2018 10:23:58 [ 3832] [CWMIEPPoller]Start to poll Active Directory sessions.
07/17/2018 10:23:58 [ 3832] [WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:58 [ 3832] [WMIPoller]Total 0 log event has processed
07/17/2018 10:23:58 [ 3832] [EPPoller]Finish to poll Active Directory sessions
07/17/2018 10:23:58 [ 3832] [LSPoller]PackMsg(KEEPALIVE, srv06.kfr.local, 1531815838)
07/17/2018 10:23:58 [ 3832] Bytes received from DC agent(3330): 47 dcagent IP: 0c2810ac, MT=00010000
07/17/2018 10:23:58 [ 3832] dcagent packet: add to queue, called:3330, current:0
07/17/2018 10:23:58 [ 3832] [LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local): r=0
07/17/2018 10:23:58 [ 5108] process_dcagent_events called by worker:14
07/17/2018 10:23:58 [ 5108] dcagent packet: removed from queue, called:3330 remain:0
07/17/2018 10:23:58 [ 5108] get dcagent event from processing queue by worker:14
07/17/2018 10:23:58 [ 5108] [Comm]W=014, PDE:HDE(0000000014501E00, 0x0C2810AC, 47)-->
07/17/2018 10:23:58 [ 5108] dcagent packet: processed:3330
07/17/2018 10:23:58 [ 5108] logon event(3330): len:47 dc_ip:172.16.40.12 time:1531815838 len:34 data:srv06.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:58 [ 5108] ignore keepalive packet
07/17/2018 10:23:58 [ 5108] [Comm]W=014, PDE:HDE(0000000014501E00, 0x0C2810AC, 47): r=-1, e=87
07/17/2018 10:23:58 [ 5108] process_dcagent_events returned by worker:14, processed:1
07/17/2018 10:23:58 [ 1904] check the cache to send logon events

Any ideas?

xsilver_FTNT

Hi,

 

From the collector debug log there seem to be no events polled.

Instead of NetAPI I'd try WinSec polling, this time without WMI.

So the Collector will use a standard SMB RPC call to read the Security event log.

I'd also make sure that the Collector process runs under a Domain Admins member account to have enough privileges to read the WinSec log and do the necessary steps. This is the default recommended account type.

If WinSec works, then the issue is with WMI, so check for any changes to the default WMI access settings.

Some details can be found in KB.Fortinet.com http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36039

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer
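An added triage script for a Collector Agent debug log of the shape posted above; it is not Fortinet's tooling and not from any post in this thread. It tallies WMI poll cycles and processed security-log events per DC, decodes the little-endian hex DC address the agent prints, and lists DCs that are polled but only ever return KEEPALIVE packets, which is the "no events polled" condition diagnosed here. The line format is inferred from the posted log, and the sample lines are constructed after it, with SRV30 given two events (not in the original) for contrast.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample modelled on the Collector Agent lines posted above; SRV30 is
# given two processed events here (not in the original log) to show the contrast.
SAMPLE = """\
07/17/2018 10:23:57 [ 1356] [LSPoller]DoPolling(ip=0B2810AC, host=KFR/srv05.kfr.local)-->
07/17/2018 10:23:57 [ 1356] [CWMIEPPoller]Start to poll Active Directory sessions.
07/17/2018 10:23:57 [ 1308] [LSPoller]DoPolling(ip=282810AC, host=KFR/SRV30.kfr.local)-->
07/17/2018 10:23:57 [ 1356] [WMIPoller]Total 0 log event has processed
07/17/2018 10:23:57 [ 1308] [WMIPoller]Total 2 log event has processed
07/17/2018 10:23:57 [ 2600] logon event(3328): len:47 dc_ip:172.16.40.11 time:1531815837 len:34 data:srv05.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:58 [ 3832] [LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local)-->
07/17/2018 10:23:58 [ 3832] [WMIPoller]Total 0 log event has processed
07/17/2018 10:23:58 [ 5108] logon event(3330): len:47 dc_ip:172.16.40.12 time:1531815838 len:34 data:srv06.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
"""

LINE = re.compile(r"^\S+ \S+ \[\s*(\d+)\] (.*)$")          # date time [tid] message
POLL_START = re.compile(r"\[LSPoller\]DoPolling\(ip=([0-9A-Fa-f]{8}), host=([^)]+)\)-->")
WMI_TOTAL = re.compile(r"\[WMIPoller\]Total (\d+) log event has processed")
KEEPALIVE = re.compile(r"data:([^/]+)/KEEPALIVE/")


def hex_ip_to_dotted(hex_ip: str) -> str:
    """The collector prints DC addresses as little-endian hex: 0C2810AC is 172.16.40.12."""
    octets = [int(hex_ip[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets))


def triage(log: str) -> Dict[str, dict]:
    """Per DC host: poll cycles, security-log events processed, keepalives, address."""
    stats = defaultdict(lambda: {"polls": 0, "events": 0, "keepalives": 0, "ip": None})
    polling = {}  # worker thread id -> host it is currently polling (lines share the id)
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        tid, msg = m.groups()
        if p := POLL_START.search(msg):
            hex_ip, host = p.groups()
            host = host.split("/", 1)[-1]          # strip the KFR/ domain prefix
            polling[tid] = host
            stats[host]["polls"] += 1
            stats[host]["ip"] = hex_ip_to_dotted(hex_ip)
        elif (w := WMI_TOTAL.search(msg)) and tid in polling:
            stats[polling[tid]]["events"] += int(w.group(1))
        elif k := KEEPALIVE.search(msg):
            stats[k.group(1)]["keepalives"] += 1
    return dict(stats)


def silent_hosts(stats: Dict[str, dict]) -> List[str]:
    """DCs that were polled but never yielded a logon event: the symptom in this thread."""
    return sorted(h for h, s in stats.items() if s["polls"] and s["events"] == 0)
```

On the sample, silent_hosts flags srv05 and srv06 (polled, zero events, keepalives only) and leaves SRV30 out, and the decoded addresses match the dc_ip values the agent prints on the keepalive lines.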
