SSO issues/problems

Author: Rig (New Member)
2016/09/08 05:33:35 (permalink)

SSO issues/problems

Hi all
I am new to FortiGate (this is also my first post to the forum) and attempted to set up FSSO.
I followed the steps as described in this link (http://cookbook.fortinet.com/providing-single-sign-using-ldap-fsso-agent-advanced-mode-expert/), however after completing all the steps I can see the logins from my users in the FSSO agent installed on the DC, but I am seeing nothing on the FortiGate.

There is no user entry under "User & Device > Monitor > Firewall" - and from CLI I get the below:
# diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----

Did I miss something or do something wrong? Any advice welcome.
#1
zhunissov4 (Gold Member)
Re: SSO issues/problems 2016/09/09 00:33:26 (permalink) (marked Helpful by dsosa 2016/11/01 08:10:42)
Hello and welcome! 
 
Can you also share with us the output of the following commands:
1) diag debug enable
   diagnose debug application authd 8256
 
if "server auth failed" - check the pre-shared password
if "disconnecting, connection refused" - check TCP ports 389, 3268, 8002 with diag sniffer packet
if "No route to host" - ping from the FG to the DC
if "DNS cannot resolve workstation name" - DNS resolution errors
 
2) diag debug enable
   diagnose debug authd fsso server-status
 
BR, A
#2
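As an added illustration of the triage table in the reply above (this is example code, not from the thread or from Fortinet), here is a small Python script that reads lines of `diagnose debug application authd 8256` output, counts heartbeats per server and maps the error strings the reply lists to the check it suggests. The sample lines are constructed in the style of the authd output quoted in this thread; `ERROR_CHECKS`, `parse_line`, `triage` and `report` are names chosen for the example.

```python
import re
from collections import defaultdict

# Error text (matched case-insensitively) -> check suggested in the reply above.
# This mapping table is part of the example, not a Fortinet artefact.
ERROR_CHECKS = [
    ("server auth failed", "check the pre-shared password on FortiGate and Collector"),
    ("connection refused", "check TCP ports 389/3268/8002 with 'diag sniffer packet'"),
    ("no route to host", "ping the DC from the FortiGate"),
    ("dns cannot resolve workstation name", "fix DNS resolution for workstation names"),
]

# Matches "<func>[<server>]: <message>", with or without a leading
# "YYYY-MM-DD HH:MM:SS " stamp (newer firmware prefixes one when debug timestamps are on).
LINE_RE = re.compile(r"^(?:\S+ \S+ )?(?P<func>\w+)\[(?P<server>[^\]]+)\]: (?P<msg>.*)$")

# Constructed sample in the style of the authd debug output quoted in this thread.
SAMPLE = [
    "_event_read[TCMVPN-FSSO]: received heartbeat 100408",
    "[authd_fsae_app.c:116]: num 1, idx 0, 127.0.0.1:8000",
    "_event_error[Local FSSO Agent]: error occurred in read: Connection refused",
    "disconnect_server_only[Local FSSO Agent]: disconnecting",
    "2018-06-12 10:34:01 _event_read[Client-FSSO]: received heartbeat 119915",
]


def parse_line(line):
    """Return (server, function, message), or None for lines without a [server] tag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("server"), m.group("func"), m.group("msg")


def triage(lines):
    """Summarise authd debug output per server.

    Returns {server: {"heartbeats": int, "errors": [msg, ...], "checks": [advice, ...]}}.
    A server that only shows heartbeats is connected; one with _event_error lines
    gets the matching check(s) from ERROR_CHECKS.
    """
    state = defaultdict(lambda: {"heartbeats": 0, "errors": [], "checks": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        server, func, msg = parsed
        entry = state[server]
        if "received heartbeat" in msg:
            entry["heartbeats"] += 1
            continue
        if func == "_event_error":
            entry["errors"].append(msg)
            for needle, advice in ERROR_CHECKS:
                if needle in msg.lower() and advice not in entry["checks"]:
                    entry["checks"].append(advice)
    return dict(state)


def report(lines):
    """One human-readable line per server, sorted by server name."""
    out = []
    for server, s in sorted(triage(lines).items()):
        action = "; ".join(s["checks"]) or "no action"
        out.append(f"{server}: heartbeats={s['heartbeats']} errors={len(s['errors'])} -> {action}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Paste the real debug output into `SAMPLE` (or read it from a file) and the report shows at a glance which configured server is alive and which one is failing, and why; in the sample, the "Local FSSO Agent" entry is the one that points at the connection-refused check.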
Rig (New Member)
Re: SSO issues/problems 2016/09/09 00:57:16 (permalink)
Hi
Thanks for the advice. Running the commands I get the below output for the first set.


_event_read[TCMVPN-FSSO]: received heartbeat 100408
[authd_fsae_app.c:116]: num 1, idx 0, 127.0.0.1:8000
_event_error[Local FSSO Agent]: error occurred in read: Connection refused
disconnect_server_only[Local FSSO Agent]: disconnecting

I checked the DC ports (netstat -ant | more) and I can see it listening on ports 389, 3268 and 8000, but not on 8002.
From the FSSO Agent on the DC I can see that the listening ports are configured as FortiGate - 8000 and DC agent - 8002. Windows Firewall is disabled completely, with no 3rd-party FW installed.
 
For the second set of commands I get the below output:
 
# diagnose debug authd fsso server-status
Server Name        Connection Status    Version
-----------        -----------------    -------
Local FSSO Agent   waiting for retry
TCMVPN-FSSO        connected            FSSO 5.0.0244

#3
xsilver_FTNT (Expert Member)
Re: SSO issues/problems 2016/09/14 02:46:37 (permalink) (Best Answer, marked by Rig 2016/09/20 04:19:58)
As you set up a standalone Collector Agent on the DC (if you followed the cookbook recipe), then you do not need the Local FSSO poller on the FortiGate .. remove it from 'config user fsso-polling'.
Make sure that your fsso 'config user adgrp' records are paired to the right Collector "TCMVPN-FSSO" and not to the local poller.
 
Then check the users in Collector / Show Logon Users and their group membership. It seems to me probable that they are not matching the group filters set and therefore they are not reported to the FortiGate. Check the Group Filters on the Collector and on the FortiGate. If you run in advanced mode then the filters should be in LDAP format like "CN=group,DC=example,DC=com". Also make sure that you have selected LDAP objects which are actually groups (they must have LDAP ObjectClass=group) and not users or anything else!

Kind Regards,
Tomas
#4
Rig (New Member)
Re: SSO issues/problems 2016/09/20 04:19:51 (permalink)
Hi xSilver - thank you for the Feedback. I removed the local FSSO Agent and also changed the collector to Advanced Mode on the DC.
Everything is working now as expected - policies work and the Users are populated correctly.
Thanks :)
#5
gsarica (Bronze Member)
Re: SSO issues/problems 2016/09/20 06:39:41 (permalink)
Don't mean to hijack this thread, but xsilver can you explain something that you mentioned there? We're using our AD servers as SSO on our FortiGate, no local agent, polling only. And this does work great as it assigns a user to a device when they log on. 
 
I noticed that SSO only assigns users to devices when they log in if I choose security groups in the SSO config. I can't use 'users' or 'OU' even though they are available as selections. If I choose an OU, in the logs it shows users signing in and out, but users won't be assigned to a device. Is there a reason only security groups can be used? Thanks!
#6
xsilver_FTNT (Expert Member)
Re: SSO issues/problems 2016/09/20 07:11:52 (permalink)
Hi gsarica,
The reason is simple: FSSO needs to know which AD groups a user belongs to, and this is gathered via LDAP by querying the MemberOf attribute compared to the Members LDAP attributes. So your Collector (in local polling the FortiGate acts as the Collector) can gather this group membership info, alongside the source IP, workstation name and user name, for the FortiGate, which then maps the user to a Firewall (fsso type) user group based on AD group membership.
So if you pick an OU or a CN (which is a user and not a group), then you do not have the MemberOf and Members attributes, and therefore there is nothing to use for proper FSSO function.
If you really want to use an OU in place of group objects, then you would need the standalone Collector Agent version 5.x installed on the DC, as those do support OU polling.
The FortiGate local poller and collector are truly limited in their functionality to the bare minimum.

Kind Regards,
Tomas
#7
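To make the two points above concrete (the best answer: group filters must name objects with ObjectClass=group; this reply: membership is resolved through the MemberOf/Members attributes, so an OU or a user DN gives the Collector nothing to match), here is an added Python model. It is not Fortinet's code and it simplifies what the Collector does: resolve a user's groups from MemberOf, confirm the group lists the user as a member, and report only the groups that appear in the filter. `DIRECTORY` is a constructed directory, and `is_group`, `validate_filter`, `groups_of` and `fsso_groups_for` are names chosen for this example.

```python
# Constructed directory: DN -> attributes. Only the group entry carries
# objectClass=group and a 'member' list; the OU and the users carry neither.
DIRECTORY = {
    "CN=alice,OU=Staff,DC=example,DC=com": {
        "objectClass": ["user"],
        "memberOf": ["CN=vpn-users,OU=Groups,DC=example,DC=com"],
    },
    "CN=bob,OU=Staff,DC=example,DC=com": {
        "objectClass": ["user"],
        "memberOf": [],
    },
    "CN=vpn-users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=Staff,DC=example,DC=com"],
    },
    "OU=Staff,DC=example,DC=com": {
        "objectClass": ["organizationalUnit"],
    },
}


def normalise_dn(dn):
    """Case- and whitespace-insensitive comparison key for a DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_group(dn, directory=DIRECTORY):
    """True only for entries whose objectClass contains 'group'."""
    entry = directory.get(dn)
    if not entry:
        return False
    return "group" in [c.lower() for c in entry.get("objectClass", [])]


def validate_filter(filter_dns, directory=DIRECTORY):
    """Return filter entries that are not groups: the misconfiguration the best answer warns about."""
    return [dn for dn in filter_dns if not is_group(dn, directory)]


def groups_of(user_dn, directory=DIRECTORY):
    """Resolve a user's groups from memberOf, cross-checked against each group's member list.

    Returns normalised DNs. An OU or user DN listed in memberOf would be dropped here
    because it has no member attribute and is not objectClass=group.
    """
    user = directory.get(user_dn, {})
    resolved = set()
    for group_dn in user.get("memberOf", []):
        group = directory.get(group_dn, {})
        if is_group(group_dn, directory) and user_dn in group.get("member", []):
            resolved.add(normalise_dn(group_dn))
    return resolved


def fsso_groups_for(user_dn, filter_dns, directory=DIRECTORY):
    """Groups the Collector would report for this user: resolved groups that match the filter."""
    wanted = {normalise_dn(f) for f in filter_dns}
    return sorted(g for g in groups_of(user_dn, directory) if g in wanted)


if __name__ == "__main__":
    group_filter = ["CN=vpn-users,OU=Groups,DC=example,DC=com"]
    ou_filter = ["OU=Staff,DC=example,DC=com"]
    for user in ("CN=alice,OU=Staff,DC=example,DC=com", "CN=bob,OU=Staff,DC=example,DC=com"):
        print(user, "-> group filter:", fsso_groups_for(user, group_filter))
        print(user, "-> OU filter:   ", fsso_groups_for(user, ou_filter))
    print("non-group entries in OU filter:", validate_filter(ou_filter))
```

With the group filter, alice is reported with her group and bob (no membership) with none; with the OU filter nobody is reported, even though both users sit under that OU, which is the behaviour gsarica observed. `validate_filter` is the check to run before committing a filter: anything it returns is not a group and will never match.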
gsarica (Bronze Member)
Re: SSO issues/problems 2016/09/20 07:28:11 (permalink)
I see, thank you. Totally makes sense.
#8
CorneJvV (Silver Member)
Re: SSO issues/problems 2018/06/12 01:50:49 (permalink)
Hello All
 
I'm having some issues with FSSO. On the FortiGate the FSSO status is Online (green tick).
On the FSSO Agent, we can see over 1000 Authenticated users.
I am also able to telnet to the FSSO Server on port 8000.
 
I then deployed an LDAP FSSO as well, but I am still unable to see Authenticated Users.
Any additional troubleshooting commands will be greatly appreciated.
 
 
FGFW_300D_Master # exe telnet 192.168.0.141 8000
Trying 192.168.0.141...
Connected to 192.168.0.141.
Z▒
Ժ
FSSO 5.0.0251i c▒8▒▒o74
                       CU~FSAE_SERVER_10001Connection closed by foreign host.

FGFW_300D_Master # exe telnet 192.168.0.142 8000
Trying 192.168.0.142...
Connected to 192.168.0.142.
Z▒
Ի
FSSO 5.0.0251#i5▒▒rC9▒)EFSAE_SERVER_10001Connection closed by foreign host.
FGFW_300D_Master #
FGFW_300D_Master #
FGFW_300D_Master # diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----
FGFW_300D_Master #
FGFW_300D_Master #
FGFW_300D_Master # diag debug enable
FGFW_300D_Master # diagnose debug authd fsso server-status

Server Name                          Connection Status     Version
-----------                          -----------------     -------
2018-06-12 10:33:36 Client-FSSO                             connected             FSSO 5.0.0251
2018-06-12 10:33:36 Client-LDAP                             connected             FSSO 5.0.0251
diagnose debug dis
FGFW_300D_Master #
FGFW_300D_Master #
FGFW_300D_Master # diag debug enable
FGFW_300D_Master # diagnose  debug application  authd 8256
2018-06-12 10:34:01 _event_read[Client-FSSO]: received heartbeat 119915
2018-06-12 10:34:02 _event_read[Client-LDAP]: received heartbeat 119916
2018-06-12 10:34:11 _event_read[Client-FSSO]: received heartbeat 119916
2018-06-12 10:34:13 _event_read[Client-LDAP]: received heartbeat 119917
2018-06-12 10:34:21 _event_read[Client-FSSO]: received heartbeat 119917
2018-06-12 10:34:23 _event_read[Client-LDAP]: received heartbeat 119918
2018-06-12 10:34:32 _event_read[Client-FSSO]: received heartbeat 119918
2018-06-12 10:34:33 _event_read[Client-LDAP]: received heartbeat 119919
2018-06-12 10:34:42 _event_read[Client-FSSO]: received heartbeat 119919
2018-06-12 10:34:43 _event_read[Client-LDAP]: received heartbeat 119920
2018-06-12 10:34:52 _event_read[Client-FSSO]: received heartbeat 119920
2018-06-12 10:34:53 _event_read[Client-LDAP]: received heartbeat 119921
2018-06-12 10:35:02 _event_read[Client-FSSO]: received heartbeat 119921
2018-06-12 10:35:03 _event_read[Client-LDAP]: received heartbeat 119922
2018-06-12 10:35:12 _event_read[Client-FSSO]: received heartbeat 119922
2018-06-12 10:35:13 _event_read[Client-LDAP]: received heartbeat 119923
 
Regards
Corné
#9
kfr (New Member)
Re: SSO issues/problems 2018/07/17 01:59:42 (permalink)
Fortigate 600D v5.6.4 build1575 (GA)
Windows Server 2008 R2
Windows 7 with FSSO Agent ver. 5.0.0267
 
Hello,
I'm trying to configure FSSO using the FSSO Agent (Collector Agent) in Polling Mode (polling logon sessions from the DC) using WMI (the FSSO Agent is installed on a separate machine - not the DC); the agent is running under a domain user account with domain admin privileges, so this account also has privileges to access the Windows Security Event Logs.
 
On all devices in the domain, Audit logon events is enabled via GPO.
 
When the FSSO Agent uses the "Poll logon sessions using Windows NetAPI" option, everything works.. but I have to change it to WMI because sometimes the FG has some user/user-to-domain-group mismatch or the FG doesn't see some users.
 
As I read in the documentation, the preferred way to use Polling Mode is to check the Windows Security Event Logs using WMI.
 
All necessary ports for communication are not blocked by the firewall (139, 389, 445, 3268, 8000, 8002..)
 
Some debug logs…
 

diag debug auth fsso server-status
Server Name     Connection Status     Version           Address
-----------     -----------------     -------           -------
SRV07B          connected             FSSO 5.0.0267     172.16.44.172
 

 

diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----

 

diagnose debug application authd 8256
d_event_read[SRV07B-DMZ]: received heartbeat 102285
_event_read[SRV07B]: received heartbeat 102286
_event_read[SRV07B-DMZ]: received heartbeat 102290
_event_read[SRV07B]: received heartbeat 102291
_event_read[SRV07B]: received heartbeat 102296
_event_read[SRV07B-DMZ]: received heartbeat 102295
_event_read[SRV07B]: received heartbeat 102301
_event_read[SRV07B-DMZ]: received heartbeat 102300
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102305
_event_read[SRV07B]: received heartbeat 102306
_event_read[SRV07B]: received heartbeat 102311
_event_read[SRV07B-DMZ]: received heartbeat 102310
_event_read[SRV07B-DMZ]: received heartbeat 102315
_event_read[SRV07B]: received heartbeat 102316
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102320
_event_read[SRV07B]: received heartbeat 102321
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B]: received heartbeat 102326
_event_read[SRV07B-DMZ]: received heartbeat 102325
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102330
_event_read[SRV07B]: received heartbeat 102331
_event_read[SRV07B-DMZ]: received heartbeat 102335
_event_read[SRV07B]: received heartbeat 102336
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
 

 
 
Collector Agent log (debug mode)
07/17/2018 10:23:55 [ 3832] [D][WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:55 [ 3832] [D][WMIPoller]Total 0 log event has processed
07/17/2018 10:23:55 [ 3832] [I][EPPoller]DoIpLsiMapCleanup(): before=0, after=0
07/17/2018 10:23:55 [ 3832] [D][EPPoller]Finish to poll Active Directory sessions
07/17/2018 10:23:55 [ 3832] [I][LSPoller]PackMsg(KEEPALIVE, srv06.kfr.local, 1531815835)
07/17/2018 10:23:55 [ 3832] Bytes received from DC agent(3327): 47 dcagent IP: 0c2810ac, MT=00010000
07/17/2018 10:23:55 [ 3832] dcagent packet: add to queue, called:3327, current:0
07/17/2018 10:23:55 [ 3832] [I][LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local): r=0
07/17/2018 10:23:55 [ 3264] process_dcagent_events called by worker:121
07/17/2018 10:23:55 [ 3264] dcagent packet: removed from queue, called:3327 remain:0
07/17/2018 10:23:55 [ 3264] get dcagent event from processing queue by worker:121
07/17/2018 10:23:55 [ 3264] [D][Comm]W=121, PDE:HDE(0000000014501800, 0x0C2810AC, 47)-->
07/17/2018 10:23:55 [ 3264] dcagent packet: processed:3327
07/17/2018 10:23:55 [ 3264] logon event(3327): len:47 dc_ip:172.16.40.12 time:1531815835 len:34 data:srv06.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:55 [ 3264] ignore keepalive packet
07/17/2018 10:23:55 [ 3264] [D][Comm]W=121, PDE:HDE(0000000014501800, 0x0C2810AC, 47): r=-1, e=87
07/17/2018 10:23:55 [ 3264] process_dcagent_events returned by worker:121, processed:1
07/17/2018 10:23:55 [ 1904] check the entry to see if the user's group info changed
07/17/2018 10:23:55 [ 1904] check the cache to send logon events
07/17/2018 10:23:56 [ 1904] check the cache to send logon events
07/17/2018 10:23:57 [ 1904] check the cache to send logon events
07/17/2018 10:23:57 [ 1356] [I][LSPoller]DoPolling(ip=0B2810AC, host=KFR/srv05.kfr.local)-->
07/17/2018 10:23:57 [ 1356] [D][CWMIEPPoller]Start to poll Active Directory sessions.
07/17/2018 10:23:57 [ 1308] [I][LSPoller]DoPolling(ip=282810AC, host=KFR/SRV30.kfr.local)-->
07/17/2018 10:23:57 [ 1308] [D][CWMIEPPoller]Start to poll Active Directory sessions.
07/17/2018 10:23:57 [ 1356] [D][WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:57 [ 1356] [D][WMIPoller]Total 0 log event has processed
07/17/2018 10:23:57 [ 1356] [D][EPPoller]Finish to poll Active Directory sessions
07/17/2018 10:23:57 [ 1356] [I][LSPoller]PackMsg(KEEPALIVE, srv05.kfr.local, 1531815837)
07/17/2018 10:23:57 [ 1356] Bytes received from DC agent(3328): 47 dcagent IP: 0b2810ac, MT=00010000
07/17/2018 10:23:57 [ 1356] dcagent packet: add to queue, called:3328, current:0
07/17/2018 10:23:57 [ 1356] [I][LSPoller]DoPolling(ip=0B2810AC, host=KFR/srv05.kfr.local): r=0
07/17/2018 10:23:57 [ 1308] [D][WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:57 [ 1308] [D][WMIPoller]Total 0 log event has processed
07/17/2018 10:23:57 [ 1308] [D][EPPoller]Finish to poll Active Directory sessions
07/17/2018 10:23:57 [ 1308] [I][LSPoller]PackMsg(KEEPALIVE, SRV30.kfr.local, 1531815837)
07/17/2018 10:23:57 [ 1308] Bytes received from DC agent(3329): 47 dcagent IP: 282810ac, MT=00010000
07/17/2018 10:23:57 [ 1308] dcagent packet: add to queue, called:3329, current:1
07/17/2018 10:23:57 [ 1308] [I][LSPoller]DoPolling(ip=282810AC, host=KFR/SRV30.kfr.local): r=0
07/17/2018 10:23:57 [ 2600] process_dcagent_events called by worker:2
07/17/2018 10:23:57 [ 2600] dcagent packet: removed from queue, called:3328 remain:1
07/17/2018 10:23:57 [ 2600] get dcagent event from processing queue by worker:2
07/17/2018 10:23:57 [ 2600] [D][Comm]W=002, PDE:HDE(0000000014501800, 0x0B2810AC, 47)-->
07/17/2018 10:23:57 [ 2600] dcagent packet: processed:3328
07/17/2018 10:23:57 [ 1288] process_dcagent_events called by worker:0
07/17/2018 10:23:57 [ 1288] dcagent packet: removed from queue, called:3329 remain:0
07/17/2018 10:23:57 [ 1288] get dcagent event from processing queue by worker:0
07/17/2018 10:23:57 [ 1288] [D][Comm]W=000, PDE:HDE(0000000014501E00, 0x282810AC, 47)-->
07/17/2018 10:23:57 [ 1288] dcagent packet: processed:3329
07/17/2018 10:23:57 [ 2600] logon event(3328): len:47 dc_ip:172.16.40.11 time:1531815837 len:34 data:srv05.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:57 [ 2600] ignore keepalive packet
07/17/2018 10:23:57 [ 2600] [D][Comm]W=002, PDE:HDE(0000000014501800, 0x0B2810AC, 47): r=-1, e=87
07/17/2018 10:23:57 [ 2600] process_dcagent_events returned by worker:2, processed:1
07/17/2018 10:23:57 [ 1288] logon event(3329): len:47 dc_ip:172.16.40.40 time:1531815837 len:34 data:SRV30.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:57 [ 1288] ignore keepalive packet
07/17/2018 10:23:57 [ 1288] [D][Comm]W=000, PDE:HDE(0000000014501E00, 0x282810AC, 47): r=-1, e=87
07/17/2018 10:23:57 [ 1288] process_dcagent_events returned by worker:0, processed:1
07/17/2018 10:23:58 [ 3832] [I][LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local)-->
07/17/2018 10:23:58 [ 3832] [D][CWMIEPPoller]Start to poll Active Directory sessions.
07/17/2018 10:23:58 [ 3832] [D][WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:58 [ 3832] [D][WMIPoller]Total 0 log event has processed
07/17/2018 10:23:58 [ 3832] [D][EPPoller]Finish to poll Active Directory sessions
07/17/2018 10:23:58 [ 3832] [I][LSPoller]PackMsg(KEEPALIVE, srv06.kfr.local, 1531815838)
07/17/2018 10:23:58 [ 3832] Bytes received from DC agent(3330): 47 dcagent IP: 0c2810ac, MT=00010000
07/17/2018 10:23:58 [ 3832] dcagent packet: add to queue, called:3330, current:0
07/17/2018 10:23:58 [ 3832] [I][LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local): r=0
07/17/2018 10:23:58 [ 5108] process_dcagent_events called by worker:14
07/17/2018 10:23:58 [ 5108] dcagent packet: removed from queue, called:3330 remain:0
07/17/2018 10:23:58 [ 5108] get dcagent event from processing queue by worker:14
07/17/2018 10:23:58 [ 5108] [D][Comm]W=014, PDE:HDE(0000000014501E00, 0x0C2810AC, 47)-->
07/17/2018 10:23:58 [ 5108] dcagent packet: processed:3330
07/17/2018 10:23:58 [ 5108] logon event(3330): len:47 dc_ip:172.16.40.12 time:1531815838 len:34 data:srv06.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:58 [ 5108] ignore keepalive packet
07/17/2018 10:23:58 [ 5108] [D][Comm]W=014, PDE:HDE(0000000014501E00, 0x0C2810AC, 47): r=-1, e=87
07/17/2018 10:23:58 [ 5108] process_dcagent_events returned by worker:14, processed:1
07/17/2018 10:23:58 [ 1904] check the cache to send logon events
 

 
Any ideas ?
#10
xsilver_FTNT (Expert Member)
Re: SSO issues/problems 2018/07/31 07:09:38 (permalink)
Hi,
 
From the collector debug log there seem to be no events polled.
Instead of NetAPI I'd try WinSec polling, this time without WMI.
So the Collector will use a standard SMB RPC call to read the Security event log.
I'd also make sure that the Collector process runs under a Domain Admins member account to have enough privileges to read the WinSec log and do the necessary steps. This is the default recommended account type.
 
If WinSec works, then the issue is with WMI, so check for any changes to the default WMI access settings.
Some details can be found in KB.Fortinet.com http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36039
 

Kind Regards,
Tomas
#11
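The diagnosis above ("no events polled") can be confirmed mechanically rather than by eye. The following added Python script (example code, not Fortinet tooling) parses Collector Agent debug log lines in the format quoted in the previous post, correlates each `DoPolling` start with the poller's "Total N log event" line via the thread id in square brackets, decodes the little-endian hex DC address the Collector logs (`0C2810AC` is 172.16.40.12, as the same log's `dc_ip` field confirms), and lists DCs that were polled but yielded zero events. The sample lines are constructed from that post, with one non-zero count added for contrast; `analyse`, `zero_yield_hosts` and `hex_ip_to_dotted` are names chosen here.

```python
import re
from collections import defaultdict

# "MM/DD/YYYY HH:MM:SS [ <tid>] <rest>" as in the Collector debug log quoted above.
LINE = re.compile(r"^\S+ \S+ \[\s*(?P<tid>\d+)\] (?P<rest>.*)$")
# Start of a poll of one DC; the matching end line ends in ": r=0" and has no "-->".
POLL_START = re.compile(r"\[LSPoller\]DoPolling\(ip=(?P<ip>[0-9A-Fa-f]{8}), host=(?P<host>[^)]+)\)-->")
# Event count reported by the poller that ran on the same thread.
POLL_RESULT = re.compile(r"\[(?P<poller>\w*Poller)\]Total (?P<n>\d+) log event")
# DC agent packets; KEEPALIVE ones are ignored by the Collector, real logons would differ.
LOGON = re.compile(r"logon event\(\d+\): .* data:(?P<src>[^/\s]+)/(?P<kind>[A-Z_]+)/")

# Constructed sample based on the log in the previous post. The last line, with 3
# events for srv06, is invented so that the zero-yield check has a negative case.
SAMPLE = """\
07/17/2018 10:23:57 [ 1356] [I][LSPoller]DoPolling(ip=0B2810AC, host=KFR/srv05.kfr.local)-->
07/17/2018 10:23:57 [ 1356] [D][CWMIEPPoller]Start to poll Active Directory sessions.
07/17/2018 10:23:57 [ 1308] [I][LSPoller]DoPolling(ip=282810AC, host=KFR/SRV30.kfr.local)-->
07/17/2018 10:23:57 [ 1356] [D][WMIPoller]query takes 0 milliseconds
07/17/2018 10:23:57 [ 1356] [D][WMIPoller]Total 0 log event has processed
07/17/2018 10:23:57 [ 1308] [D][WMIPoller]Total 0 log event has processed
07/17/2018 10:23:57 [ 2600] logon event(3328): len:47 dc_ip:172.16.40.11 time:1531815837 len:34 data:srv05.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:57 [ 2600] ignore keepalive packet
07/17/2018 10:23:58 [ 3832] [I][LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local)-->
07/17/2018 10:23:58 [ 3832] [D][WMIPoller]Total 3 log event has processed
""".splitlines()


def hex_ip_to_dotted(hex_ip):
    """Collector logs DC addresses as little-endian hex: 0C2810AC -> 172.16.40.12."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(hex_ip)))


def analyse(lines):
    """Per-DC summary keyed by lower-case FQDN.

    {host: {"ip": str, "poller": str, "polls": int, "events": int, "keepalives": int}}
    """
    by_tid = {}  # thread id -> host that thread is currently polling
    stats = defaultdict(lambda: {"ip": None, "poller": None, "polls": 0, "events": 0, "keepalives": 0})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, rest = m.group("tid"), m.group("rest")
        start = POLL_START.search(rest)
        if start:
            host = start.group("host").split("/")[-1].lower()  # "KFR/srv05.kfr.local" -> "srv05.kfr.local"
            by_tid[tid] = host
            stats[host]["ip"] = hex_ip_to_dotted(start.group("ip"))
            stats[host]["polls"] += 1
            continue
        result = POLL_RESULT.search(rest)
        if result and tid in by_tid:
            host = by_tid[tid]
            stats[host]["poller"] = result.group("poller")
            stats[host]["events"] += int(result.group("n"))
            continue
        logon = LOGON.search(rest)
        if logon and logon.group("kind") == "KEEPALIVE":
            stats[logon.group("src").lower()]["keepalives"] += 1
    return dict(stats)


def zero_yield_hosts(stats):
    """DCs that were polled at least once but never produced a logon event."""
    return sorted(h for h, s in stats.items() if s["polls"] > 0 and s["events"] == 0)


if __name__ == "__main__":
    summary = analyse(SAMPLE)
    for host, s in sorted(summary.items()):
        print(f"{host} ({s['ip']}): poller={s['poller']} polls={s['polls']} events={s['events']} keepalives={s['keepalives']}")
    print("polled but zero events:", zero_yield_hosts(summary))
```

A DC that appears in `zero_yield_hosts` while users are logging on is the signature of a polling method that connects but cannot read the Security log, which is exactly when switching from WMI to WinSec polling (or reviewing the account's rights on the DC) is the next step.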
Armando Gomez Barrios (Bronze Member)
Re: SSO issues/problems 2018/11/07 15:48:31 (permalink)
Hello, did you manage to solve this problem?

I have a problem with FSSO, the same problem as yours; I would appreciate any support.

Best Regards

Armando Gómez
#12