Re: Active Directory Fabric Connector and logouts?
It depends on where your connector is connecting to.
Generally speaking, we have 3 ways to get FSSO from AD logons.
Those logons are pre-processed by something called the Collector Agent.
And there are:
1. One collector agent built right into FortiGate/FortiOS as a local poller. I would suggest using it as a light solution for a POC or very small deployments.
2. Standalone Collector Agent, which has to be installed on a DC or a domain member server-class computer. That's my preferred choice as it's a free of charge, scalable and very robust solution. Suitable even for big/enterprise-grade deployments.
3. Collector agent built into FortiAuthenticator: a great but paid solution for enterprise-grade deployments.
Those from 2 and 3 can use the Windows API called WMI to detect logouts, but generally MS kind of lacks logout events a bit. So solutions like the standalone Collector (2) use periodic workstation checks to test if the user's hive creds are still present on the workstation, and this way assume the user is still logged on. Once he logs out, the test detects that, and so the Collector will remove the FSSO user record and propagate that change to connected FortiGate units.
This possible delay between a logout and its detection is one of the technical limitations of MS events and IP-based FSSO auth.
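The "is the user's hive still present on the workstation?" check described in the reply above, as an added illustration that is not part of the original post and not Fortinet's Collector Agent code. It is a minimal PowerShell poller that opens each workstation's HKEY_USERS remotely, treats every loaded S-1-5-21-... profile hive as a logged-on user, and reports a LOGOFF when a hive seen in the previous poll is gone. The workstation names and the poll interval are constructed placeholders; it assumes it runs as a domain admin and that the Remote Registry service is reachable on the targets.

```powershell
# Added example, not Fortinet's Collector Agent code: a minimal workstation poller
# that mimics the "user hive still loaded?" check described in the post.
# Assumptions: run as a domain admin, Remote Registry service enabled on targets,
# and the workstation list below is a constructed placeholder.

$Workstations  = @('WS01.corp.example', 'WS02.corp.example')   # constructed list
$PollIntervalS = 60                                             # assumed interval

function Get-LoadedUserHives {
    param([Parameter(Mandatory)][string]$ComputerName)
    # A user's profile hive is mounted under HKEY_USERS\<SID> while the user is
    # logged on and (normally) unloaded at logoff; that is the check used here.
    $result = @()
    try {
        $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                   [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
        foreach ($name in $hku.GetSubKeyNames()) {
            # Keep only domain/local account SIDs; skip well-known service SIDs
            # and the *_Classes companion keys.
            if ($name -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($name)
                $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $user = $name }   # unresolvable SID: report the raw SID
            $result += [pscustomobject]@{ Computer = $ComputerName; Sid = $name; User = $user }
        }
        $hku.Close()
    } catch {
        Write-Warning "$ComputerName unreachable: $($_.Exception.Message)"
        return $null     # unreachable is not the same as logged off
    }
    return ,$result      # leading comma keeps an empty array from becoming $null
}

function Compare-LogonState {
    param([hashtable]$Previous, [hashtable]$Current)
    # Keys are "computer|sid"; a key present before and missing now is a logoff,
    # a key present now and missing before is a logon.
    $events = @()
    foreach ($k in $Previous.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $events += [pscustomobject]@{ Event = 'LOGOFF'; Computer = $Previous[$k].Computer; User = $Previous[$k].User }
        }
    }
    foreach ($k in $Current.Keys) {
        if (-not $Previous.ContainsKey($k)) {
            $events += [pscustomobject]@{ Event = 'LOGON'; Computer = $Current[$k].Computer; User = $Current[$k].User }
        }
    }
    return ,$events
}

$state = @{}
while ($true) {
    $now = @{}
    foreach ($ws in $Workstations) {
        $hives = Get-LoadedUserHives -ComputerName $ws
        if ($null -eq $hives) {
            # Carry the last known entries for an unreachable host forward so a
            # transient outage is not reported as a mass logoff.
            foreach ($k in $state.Keys) { if ($k -like "$ws|*") { $now[$k] = $state[$k] } }
            continue
        }
        foreach ($h in $hives) { $now["$($h.Computer)|$($h.Sid)"] = $h }
    }
    Compare-LogonState -Previous $state -Current $now |
        ForEach-Object { "{0:s} {1,-6} {2} on {3}" -f (Get-Date), $_.Event, $_.User, $_.Computer }
    $state = $now
    Start-Sleep -Seconds $PollIntervalS
}
```

Two practical caveats follow directly from the mechanism: the detection delay is bounded by the poll interval, which is exactly the lag the reply mentions, and a hive can stay loaded for a while after logoff if some process still holds a handle to it, so a poller of this kind can report a user as present slightly longer than they really are.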