FortiGate SSO users using RODC

Author
robinct
New Member
  • Total Posts : 16
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/07/24 23:57:54
  • Status: offline
2019/08/27 02:28:14 (permalink)
0

FortiGate SSO users using RODC

I'm at the initial setup of FortiGate SSO. I'm currently using the option with an installed Collector Agent that is polling our DCs.

The problem comes when users log in to one of the RODCs, and the clients are getting the workstation IP of the RODC instead of their respective workstations.

Would installing DC agents solve this, or is there another way around this?
#1

3 Replies

    xsilver_FTNT
    Re: FortiGate SSO users using RODC 2019/08/28 00:51:15
    I would try to put the IP addresses of the RODC servers into the FSSO registry key "dc_agent_ignore_ip_list" of the Collector.
    It is supposed to be (on a 64-bit system) in [HKEY_LOCAL_MACHINE\software\WOW6432Node\fortinet\fsae\collectoragent]

    Kind Regards,
    Tomas
    #2
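The registry change from the reply above, as an added PowerShell example (not from the thread or from Fortinet). It merges the RODC addresses into the existing value instead of overwriting it, so any DCs already listed are kept. Assumptions: the key path is the 64-bit one named in the reply, the value is a string, and entries are separated by ';' (confirm the separator against the Fortinet KB before relying on it); the RODC addresses are constructed samples.

```powershell
# Added example, not Fortinet's code. Adds RODC addresses to the Collector Agent's
# dc_agent_ignore_ip_list value, keeping whatever entries are already present.
param(
    [string[]]$RodcAddresses = @('10.0.0.11', '10.0.0.12'),  # constructed sample RODC addresses
    [string]$Separator = ';',                                 # assumption: confirm against the Fortinet KB
    [string]$KeyPath = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent',  # 64-bit path from the reply
    [string]$ValueName = 'dc_agent_ignore_ip_list'
)

# Returns the existing list with the new addresses appended, without duplicates.
function Merge-IgnoreList {
    param([string]$Existing, [string[]]$Add, [string]$Sep)
    $current = @()
    if ($Existing) {
        $current = @($Existing -split [regex]::Escape($Sep) | Where-Object { $_ })
    }
    foreach ($ip in $Add) {
        # Refuse anything that is not a parseable IP address so a typo cannot silently
        # disable filtering for an entry.
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$null)) {
            throw "Not an IP address: $ip"
        }
        if ($current -notcontains $ip) { $current += $ip }
    }
    return ($current -join $Sep)
}

if (-not (Test-Path $KeyPath)) {
    throw "Collector Agent key not found at $KeyPath (32-bit install or different version?)"
}

# Read the current value; the property may not exist yet on a fresh install.
$existing = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$merged   = Merge-IgnoreList -Existing $existing -Add $RodcAddresses -Sep $Separator

if ($merged -ne $existing) {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $merged -Type String
    Write-Host "Updated $ValueName to: $merged"
} else {
    Write-Host "No change needed; $ValueName already contains all RODC addresses."
}

# Read back to confirm what the Collector Agent will see on its next start.
(Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
```

Run it in an elevated PowerShell on the Collector Agent host and restart the Collector Agent service afterwards so it re-reads the key. Keep a copy of the previous value (the script prints it only indirectly) so the change can be reverted if, as the next reply reports, users stop being registered at all.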
    robinct
    Re: FortiGate SSO users using RODC 2019/08/28 03:07:45
    xsilver:
    I would try to put the IP addresses of the RODC servers into the FSSO registry key "dc_agent_ignore_ip_list" of the Collector.
    It is supposed to be (on a 64-bit system) in [HKEY_LOCAL_MACHINE\software\WOW6432Node\fortinet\fsae\collectoragent]

    Thanks. Found the key. Tested briefly for a couple of hours, and the only difference seems to be that the users aren't being registered at all now. I will leave it running for a while longer.
    #3
    xsilver_FTNT
    Re: FortiGate SSO users using RODC 2019/08/28 07:35:32
    There is a KB article https://kb.fortinet.com/kb/documentLink.do?externalID=FD36364
    and an old MSFT blog post on how RODC works: https://blogs.technet.microsoft.com/askds/2008/01/18/understanding-read-only-domain-controller-authentication/
    It's a bit of an old post, but I guess there is not much new stuff since then.

    So, as an RODC is basically a cache for logons and read-only, if a user authenticates locally it might NOT generate any event, but if the user is not cached (pre-cached as described in the MSFT post) then the logon is proxied from the RODC to a writable DC. And as the originator is the RODC, I guess this is the reason why the writable DC has the RODC as the 'workstation' where the user logged in. Pre-cached passwords on the RODC via admin action and then kept by the password replication policy might help.


    I'm referring to part:
    "When a user authenticates to an RODC a check is performed to see if the password is cached. If the password is cached, the RODC will authenticate the user account locally. If the user’s password is not cached, then the RODC forwards the authentication request to a writable Windows Server 2008 Domain Controller which in turn authenticates the account and passes the authenticated request back to the RODC."

    Kind Regards,
    Tomas
    #4
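To check the explanation above against a real RODC, here is an added PowerShell example (not from the thread or from Microsoft) that reports, for a set of affected accounts, whether their password is currently cached on the RODC and whether they have authenticated through it. It uses the ActiveDirectory module (RSAT); the RODC name and the user names are constructed placeholders.

```powershell
# Added example. For each account, show whether the RODC holds its password (so logons
# are handled locally) or not (so logons are forwarded to a writable DC, which then
# records the RODC as the "workstation"). Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

$Rodc  = 'RODC01'            # placeholder: name of the RODC users are logging on to
$Users = @('alice', 'bob')   # constructed sample accounts seen with the RODC's IP in FSSO

# Accounts whose secrets are stored on this RODC right now.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object -ExpandProperty SamAccountName

# Accounts that have authenticated via this RODC, cached or forwarded.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object -ExpandProperty SamAccountName

# Principals (users or groups) the Password Replication Policy allows to be cached here.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object -ExpandProperty Name

function Get-RodcCacheStatus {
    param([string[]]$Accounts)
    foreach ($u in $Accounts) {
        [pscustomobject]@{
            User                 = $u
            CachedOnRodc         = ($revealed -contains $u)
            AuthenticatedViaRodc = ($authenticated -contains $u)
        }
    }
}

Get-RodcCacheStatus -Accounts $Users | Format-Table -AutoSize

# The PRP allow list is usually groups, so a user can be allowed without appearing by name;
# print it for a manual check of group membership.
"PRP allowed list on ${Rodc}:"
$allowed
```

An account that shows AuthenticatedViaRodc but not CachedOnRodc is exactly the case the reply describes: its logon was forwarded to a writable DC. If that account is covered by the PRP allow list, its password can be pre-populated on the RODC by an administrator (for example with Sync-ADObject -PasswordOnly), after which subsequent logons are handled on the RODC itself.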