cstan1989
New Contributor

FSSO couldn't capture AD logon users

Hi everyone,

I need urgent help regarding FSSO issues; below is some explanation:

Environment:

Domain controllers: 2 domain controller servers, both have the collector agent and DC agent installed, configured in DC mode. (During installation, the logon account had domain admin rights.) After installation completed, the FSSO account's admin rights were removed, but it was granted membership of the Event Log Readers group.

FortiGate

- Firmware: v5.4.6

- LDAP: both domain controller servers have been added and the account test result is successful.

- Single sign-on: both domain controller IP addresses and the pre-shared password have been added.

Issue:

- The FSSO service on the domain controller server is unable to start automatically after a server reboot.

- Manually starting the service: pass.

- When clicking on "show logon users", the screen freezes for a while and no users are displayed.

Diagnose:

Execute the commands below on the FortiGate:

diag debug enable
diagnose debug application authd 8256

Output:

Please refer to the attachment or picture below.

Note: if I assign admin rights to the FSSO account, FSSO works as normal. But this doesn't meet my requirement.

I would appreciate your opinion and help.

 

Thanks !!!

xsilver_FTNT
Staff

Hi,

So far it sounds like an access rights issue on the Collector Agents.

I would suggest, at least for a test, uninstalling the Collector from the DC.

Then log in to the DC as a user with Domain Admins membership and rights, and install the Collector again.

If you want to run the Collector under a specific account, which is reasonable, then make sure that account is a member of the Domain Admins group.

All your issues should be gone.

If you still need to strip down the access rights of the account running the Collector, then make sure this account has read & write (or Full) access to the Collector's resources, like its registry keys and its folder in Program Files.

Issues like the one you have described with access to the user list might be related to an inability to read and write the logon cache, which is stored as a file in the Collector's home folder. To see more, set the Log level to Debug, increase the log size to 20-50 MB, and restart the Collector. If there are issues accessing the Collector's files, they should be written to the log, like the one referenced in another forum post:

https://forum.fortinet.com/tm.aspx?m=144224&tree=true

Additionally, check the Fortinet KB; there was an article on stripping down access rights and what needs to be done for folders, registry keys, WMI config etc.

It's not as simple as choosing another user account, as the Collector processes system data and therefore needs a certain level of elevated access rights.

 

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

cstan1989

Hi Tomas,

 

With domain admin rights, all my issues are gone.

However, my customer doesn't want to grant admin rights to that account. After the admin rights were removed, FSSO is no longer able to capture AD users. I have turned debug mode on and am getting the results below:

 

01/09/2018 11:44:06 [11028] Fortinet Single Sign On Agent version 5.0.0264 starts ...
01/09/2018 11:44:06 [11028] error parsing file header:C:\Program Files (x86)\Fortinet\FSAE\TSAgentSyncID.dat
01/09/2018 11:44:12 [ 8952] FortiGate connection failed, wrong password.
01/09/2018 11:44:13 [ 8952] FortiGate:10.160.0.2 on socket (1548) disconnected
01/09/2018 11:44:22 [ 1500] FortiGate connection failed, wrong password.
01/09/2018 11:44:23 [ 1500] FortiGate:10.160.0.2 on socket (1552) disconnected
01/09/2018 11:44:31 [ 6472] FortiGate connection failed, wrong password.
01/09/2018 11:44:32 [ 6472] FortiGate:127.0.0.1 on socket (1556) disconnected
01/09/2018 11:44:32 [ 7812] FortiGate connection failed, wrong password.
01/09/2018 11:44:33 [ 7812] FortiGate:10.160.0.2 on socket (1548) disconnected
01/09/2018 11:44:42 [ 4684] FortiGate connection failed, wrong password.

 

Thanks.
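A small triage script for Collector debug logs of the kind posted above, added here as an example (it is not Fortinet's code nor the poster's). It picks out the two symptoms Tomas says to look for in the debug log: file access/parse errors on the Collector's own files, and "wrong password" failures, which it attributes to a FortiGate peer by correlating each failure with the disconnect logged by the same thread. The sample log is constructed from the lines quoted in this thread, and the "date time [thread] message" line layout is assumed from those lines.

```python
import re
from collections import Counter

# Constructed sample: the Collector debug log lines quoted in this thread, one per line.
SAMPLE_LOG = r"""01/09/2018 11:44:06 [11028] Fortinet Single Sign On Agent version 5.0.0264 starts ...
01/09/2018 11:44:06 [11028] error parsing file header:C:\Program Files (x86)\Fortinet\FSAE\TSAgentSyncID.dat
01/09/2018 11:44:12 [ 8952] FortiGate connection failed, wrong password.
01/09/2018 11:44:13 [ 8952] FortiGate:10.160.0.2 on socket (1548) disconnected
01/09/2018 11:44:22 [ 1500] FortiGate connection failed, wrong password.
01/09/2018 11:44:23 [ 1500] FortiGate:10.160.0.2 on socket (1552) disconnected
01/09/2018 11:44:31 [ 6472] FortiGate connection failed, wrong password.
01/09/2018 11:44:32 [ 6472] FortiGate:127.0.0.1 on socket (1556) disconnected
01/09/2018 11:44:32 [ 7812] FortiGate connection failed, wrong password.
01/09/2018 11:44:33 [ 7812] FortiGate:10.160.0.2 on socket (1548) disconnected
01/09/2018 11:44:42 [ 4684] FortiGate connection failed, wrong password."""

# Assumed line layout, taken from the sample: "MM/DD/YYYY HH:MM:SS [ thread] message"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[\s*(\d+)\] (.*)$")
FILE_ERR_RE = re.compile(r"^error parsing file header:(.+)$")
DISCONNECT_RE = re.compile(r"^FortiGate:([\d.]+) on socket \((\d+)\) disconnected$")


def parse_line(line):
    """Split one Collector log line into (timestamp, thread id, message); None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None


def triage(log_text):
    """Summarise a Collector debug log: file parse errors and FortiGate auth failures per peer."""
    file_errors = []
    auth_by_peer = Counter()
    pending = {}  # thread id -> True once that thread has logged "wrong password"
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, thread, msg = parsed
        if (m := FILE_ERR_RE.match(msg)):
            file_errors.append(m.group(1))  # a file the Collector could not read or parse
        elif msg.startswith("FortiGate connection failed, wrong password"):
            pending[thread] = True
        elif (m := DISCONNECT_RE.match(msg)):
            # The disconnect on the same thread names the peer whose pre-shared password did not match.
            if pending.pop(thread, False):
                auth_by_peer[m.group(1)] += 1
    # Failures whose thread never logged a disconnect (e.g. the log was cut off) stay unattributed.
    if pending:
        auth_by_peer["unattributed"] = len(pending)
    return {"file_errors": file_errors, "auth_failures_by_peer": dict(auth_by_peer)}
```

Running `triage(SAMPLE_LOG)` on the posted lines reports the unreadable TSAgentSyncID.dat file and three wrong-password failures from 10.160.0.2, one from 127.0.0.1 and one with no matching disconnect.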
