Re: FSSO Multiple DC's HELP
Maybe you should first figure out where the issue is. Is the user seen on the Collector? On the FortiGate?
The chain is that DCAgents talk to the Collector Agent, which talks to the FortiGates.
So work this from the source: workstation to DC to Collector and finally to FortiGate.
That should give you an idea of where the issue appears. Skip unnecessary steps. So, for example, if you have the logon with the correct groups on the Collector and not on the FortiGate, skip all checks up to the Collector and focus on the Group Filter. If you see the logged-on user on the Collector and not on the FortiGate, the user did not match the filter and was not pushed to the FortiGate.
From the start:
- what is the "echo %logonserver%" result on the workstation? This is the server (DC) where %username% authenticated
- is the DCAgent on that DC?
- did the DCAgent see the logon and report it to the Collector?
- check the DCAgent config and see where it points to (Collector(s)); turn on logging if needed
(?) WHERE to check? In the registry. Which registry? Export the config from the Collector and have a look into the file, as the HKLM links to the respective registry records are exactly there.
- so maybe the DCAgent saw the logon and passed it to the Collector -> what is on the Collector?
- turn on the log at debug level, size 50MB, and check. Did the DCAgent report to the Collector?
- is the user seen on the Collector?
- did the Collector gather the IP from DNS or from the DCAgent?
- did the Collector gather the user's group membership from LDAP?
- does the group membership match any Group Filter for any FortiGate? (because if not, the user is useless to process, as none of the FortiGates will utilize such a record)
- finally, is the user on the FortiGate and does he match any fsso-type user group used in policies?
- helpful commands
diag debug reset
diag debug en
diag debug authd fsso server-status
diag debug auth fsso list
diag fire auth list
diag wad user list
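The Group Filter step above is where a logon that is visible on the Collector silently stops. This added example (not from the post or from Fortinet) works out which FortiGates would receive a user given the group DNs the Collector read from LDAP; the filters and groups are constructed sample data, and treating DN comparison as case-insensitive with spacing after commas ignored is an assumption, not documented Collector behaviour.

```python
"""Which FortiGates would an FSSO logon be pushed to, given the Group Filters?

Constructed example: filters, users and groups are made-up sample data.
The DN normalisation (case-insensitive, whitespace after commas ignored)
is an assumption about how the Collector compares DNs, not Fortinet's spec.
"""
from typing import Dict, List

# Constructed: one Group Filter per FortiGate, as configured on the Collector.
GROUP_FILTERS: Dict[str, List[str]] = {
    "FGT-HQ": ["CN=VPN Users,OU=Groups,DC=example,DC=local"],
    "FGT-BRANCH": ["cn=domain users,cn=users,dc=example,dc=local",
                   "CN=Branch Staff,OU=Groups,DC=example,DC=local"],
}


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def matching_fortigates(user_groups: List[str],
                        filters: Dict[str, List[str]] = GROUP_FILTERS) -> List[str]:
    """FortiGates whose filter contains at least one of the user's groups."""
    have = {normalize_dn(g) for g in user_groups}
    return [fgt for fgt, wanted in filters.items()
            if any(normalize_dn(w) in have for w in wanted)]


def explain(user: str, user_groups: List[str]) -> str:
    """One-line verdict matching the checklist: no filter hit, no push."""
    hits = matching_fortigates(user_groups)
    if not hits:
        return (f"{user}: on Collector but matches no Group Filter, "
                "so no FortiGate will receive this logon")
    return f"{user}: pushed to {', '.join(hits)}"


if __name__ == "__main__":
    # Constructed: group DNs as the Collector would read them from LDAP.
    print(explain("jdoe", ["CN=Domain Users,CN=Users,DC=example,DC=local",
                           "CN=Branch Staff, OU=Groups, DC=example, DC=local"]))
    print(explain("svc-backup",
                  ["CN=Backup Operators,CN=Builtin,DC=example,DC=local"]))
```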