Poll Active Directory issue after installing the Windows Server update KB5004948

Author: clicerioneto
2021/07/13 07:57:07

Hi,
 
After applying the Windows cumulative update KB5004948 in my environment, Poll Active Directory is showing the following error:

# diagnose debug fsso-polling detail 1
AD Server Status(err: server can not be accessible):
 
The Fortigate is running with FortiOS 6.2.9.
 
I have opened a ticket with Fortinet support, but I haven't yet received a reply about the solution to fix this issue.
 
Is anyone else seeing this same issue, or does anyone have a solution for it?
#1


    Donnei Tsai
    2021/07/18 23:06:14
    We also have the same issue, but it is still not resolved. Will call Fortinet Support to help check.
    #2
    bbilut
    2021/07/19 06:37:24
    Same issue here.
     
    When I look at my domain controller security logs it looks like the login ID is not being reported. It just says NULL SID where the user ID should be. Like I said, the problem started after applying the July patches to my DCs.
    #3
    eti_andrei
    2021/07/19 06:41:02
    This was fixed in the latest FortiAuthenticator release, so hopefully the same fix will be coming to FortiOS shortly.
    #4
    bbilut
    2021/07/19 06:48:54
    Seems like a Microsoft issue to me.
     
    When I look at the event logs on the domain controller, the 4624 events show "NULL SID" as the user now. So FSSO can't really get the info it needs. That's at least what I'm seeing.
    #5
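    The NULL SID symptom described in the two posts above can be confirmed from the DC's own security log before blaming the poller. The following Python script is an added example, not code from this thread or from Fortinet: it parses a few constructed 4624/4634 event XML records (the shape `wevtutil` or `Get-WinEvent` exports), classifies each logon by whether `TargetUserSid` is the NULL SID `S-1-0-0` or a machine account, and reports the share of 4624 events that carry no usable SID. The hostnames, SIDs and addresses in the sample are made up, and the `classify` rules (skipping `$`-suffixed machine accounts) are this example's own choice, not FSSO's documented behaviour.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace as emitted by wevtutil / Get-WinEvent's ToXml().
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NULL_SID = "S-1-0-0"  # Event Viewer renders this well-known SID as "NULL SID"


def _event(event_id, sid, user, domain, logon_type, ip, when):
    """Build a minimal 4624/4634-style event XML string (constructed sample data)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>
  <Computer>dc1.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserSid">{sid}</Data>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample log: one healthy user logon, one logon whose subject is only
# NULL SID (the symptom from the thread), one machine-account logon, and one
# logoff (4634) that a logon poller would ignore anyway.
SAMPLE_LOG = [
    _event(4624, "S-1-5-21-1111-2222-3333-1105", "alice", "EXAMPLE", 3, "10.0.0.15", "2021-07-19T10:00:01Z"),
    _event(4624, NULL_SID, "-", "-", 3, "10.0.0.16", "2021-07-19T10:00:02Z"),
    _event(4624, "S-1-5-21-1111-2222-3333-1201", "WS01$", "EXAMPLE", 3, "10.0.0.17", "2021-07-19T10:00:03Z"),
    _event(4634, "S-1-5-21-1111-2222-3333-1105", "alice", "EXAMPLE", 3, "-", "2021-07-19T10:05:00Z"),
]


def parse_logon_event(xml_text):
    """Extract the fields a logon poller cares about from one event's XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "sid": data.get("TargetUserSid", ""),
        "user": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
        "logon_type": data.get("LogonType", ""),
        "ip": data.get("IpAddress", ""),
    }


def classify(ev):
    """Label one parsed event; 'usable' means a user logon with a real SID."""
    if ev["event_id"] != 4624:
        return "not-a-logon"
    if ev["sid"] in ("", NULL_SID):
        return "null-sid"
    if ev["user"].endswith("$"):  # machine accounts are not user logons (example's own rule)
        return "machine-account"
    return "usable"


def summarize(xml_events):
    """Count events per label so the NULL SID share is visible at a glance."""
    counts = {"usable": 0, "null-sid": 0, "machine-account": 0, "not-a-logon": 0}
    for xml_text in xml_events:
        counts[classify(parse_logon_event(xml_text))] += 1
    return counts


def null_sid_share(counts):
    """Fraction of 4624 events that carry no usable SID (0.0 when there are none)."""
    logons = counts["usable"] + counts["null-sid"] + counts["machine-account"]
    return counts["null-sid"] / logons if logons else 0.0


if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    print(c)
    print(f"NULL SID share of 4624 events: {null_sid_share(c):.0%}")
```

    On a real DC, feed the script the output of an export such as `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml` split into individual `<Event>` elements; a high NULL SID share after a patch cycle is the signal to compare against the poller's own debug output rather than to keep tuning the poller.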
    bbilut
    2021/07/19 10:03:01
    After reading this article about the changes MS made in the June patch, I figured out my issue:
    https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5003637-update-may-block-remote-access-to-event-logs/
     
    I had to patch my FSSO server up to July patch level for it to be able to read remote event logs from my 3 domain controllers which were also at the July patch level.
    #6
    clicerioneto
    2021/07/19 10:24:11
    I have updated the Windows 2016 servers with the latest patch - 2021-07 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5004238), but the issue is not solved.
     
    I'm waiting for Fortinet support about the solution. 
    #7
    bbilut
    2021/07/19 11:51:02
    Your DCs and your FSSO server(s) are both patched to the July level?
    #8
    clicerioneto
    2021/07/19 13:25:18
    I don't use the FSSO agent. I only use the Poll Active Directory configuration (agentless). The communication is just between the DC and the FortiGate. My DCs have the latest patch.
    #9
    bbilut
    2021/07/19 14:06:41
    Since Microsoft hardened the process of how remote event logs are viewed and you're doing an agentless config, I think you only have two options. Set up the FSSO collector agent on a Windows Server with the June or higher patch, or wait for Fortinet to update FortiOS with a fix for Microsoft's changes. Who knows when that will be.
    #10
    Donnei Tsai
    2021/07/19 18:29:58
    Hi, can you share which Fortinet product has fixed this issue? Are there any documents? Thanks
    #11
    Donnei Tsai
    2021/07/20 23:39:08
    Fortinet support told us the issue is a known issue, and the bug ID for this is 725056.
    It is now under research and a fix is being developed. FYI
    #12
    xsilver_FTNT
    2021/08/12 23:34:35
    That's what I and others have found out so far...
    Those who opened a ticket with Fortinet TAC should know this already, so this is a bit of data for the others.
     
    In short, the Microsoft patches KB5003646 / KB5003638 / KB5003696, and later cumulative updates (including those temporary patches), broke FSSO polling from FortiGate and FortiAuthenticator, as they changed the way outer apps can access WinSec data through the MSFT API. A one-sided act.
    Affected are all patched versions of MSFT servers: 2019 - KB5003646 / 2016 - KB5003638 / 2012 - KB5003696 / KB5003638.
    https://support.microsoft.com/en-us/topic/june-8-2021-kb5003646-os-build-17763-1999-81e2ff5a-0769-4e56-8762-059dd6e0d6bb
     
    FortiAuthenticator was handled in bug report #0725129
    - fixed since 6.3.2 / 6.4.0
    - note that those new versions like 6.3.2 should work OK with patched DCs only. Not working with unpatched DCs!
    - because that MSFT patch is expected/claimed to stay permanently, so more and more DCs are expected to be patched
     
    FortiGate local poller was handled in bug report #0725056
    - fixed in 6.2.10 / 6.4.7 / 7.0.2
     
    The Win2016 cumulative update KB5004238 should now (since release date 2021-07-13) include KB5003638 (according to the MSFT Update Catalog change notes):
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB5003638
    "Removes support for the PerformTicketSignature setting and permanently enables Enforcement mode for CVE-2020-17049. For more information and steps to enable full protection on domain controller servers, see Managing deployment of Kerberos S4U changes for CVE-2020-17049."

    Tom xSilver, planet Earth, over and out!
    #13
    Tukan
    2021/08/19 15:26:51
    Hi All,
     
    I see we are not the only ones stuck with this issue. Since neither 6.2.10 nor 6.4.7 is yet released, would anybody on the forum here know the release date for 6.2.10 (for the 400E)? I need to know what to say to the customer. I don't want to go back to the FSSO agent :(
     
    Many Thanks,
     
    #14
    xsilver_FTNT
    2021/08/20 00:12:34
    Tukan wrote:
        I don't want to go back to the FSSO agent :(
     
    Why not?
    To be honest, for a small company with just a few users (<20) it might be OK to use direct polling from the FGT.
    But for anything bigger, serious, or with a higher logon rate I would definitely go for the standalone Collector Agent.
    Because it seems to me the better solution, as:
    - it has no issue, as it is part of a domain member machine
    - DNS and data about workstations are resolved locally on the machine (while you still have the option of alternative DNS servers)
    - it has its own resources and does not add extra load on FGT RAM/CPU, so the FW can do firewalling and not babysitting/gathering of the user data
    - scalable and resilient, while the only resiliency on the FGT is HA
    - various user data gathering methods and logging, not just hardcoded WinSec
    - various timers on how to handle logons, like dead entries etc., where the FGT has just the polling interval AFAIK
    - LDAP cache management
    - free of charge
     
    If I'd sort SSO solutions by preference:
    1. FAC (FortiAuthenticator) + FortiClient SSOMA (but FAC is a paid solution and you'd need a license for SSOMA; still, that's the best solution IMHO, where you can get the most accurate SSO data)
    2. FAC SSO .. no SSOMA agents on workstations, but still a VERY versatile collector inside FAC
    3. standalone Collector Agent .. and methods by preference: 1. WinSec+WMA 2. WinSec 3. DCAgents .. the rest, like NetAPI, is legacy.
    4. FGT .. and I would opt for RSSO if possible and use FSSO direct polling as a last resort.
     
    So in short, the standalone collector is a pretty good and stable solution (free of charge, no licenses, no extra HW/VM).
    The best solution for no extra money.
     

    Tom xSilver, planet Earth, over and out!
    #15
    Tukan
    2021/08/23 01:37:04
    Hi XSilver,
     
    The problem was that we wanted to reduce costs, which had been repeated (and not paid for by the client) after we had to upgrade each DC agent on multiple sites to match the firewall OS version. We have a habit of upgrading FortiOS when we can to the latest stable release for security reasons with pretty much all the clients, and worrying about DCAgent updates has led to the decision to go LDAP agentless. The idea was that only the FortiGate upgrade needs to happen, no more. That is why we decided to use LDAP. The site has more than 20 users, but we have had no issues with the accuracy of LDAP agentless until now. I do understand your points, but we will stick to agentless until we run into a requirement it cannot fulfill.
     
    To supplement your info this is what I got from TAC today. The info might be handy for some techs here:
     
    The releases are planned (!) for:
     
    6.4.7 beginning of September
     
    7.0.2 beginning of October
     
    6.2.10 for the beginning of November
     
    Please keep in mind that these are planned only; the releases could be delayed.
     
    Good luck,
     
     
    #16
    TecnetRuss
    2021/08/30 13:54:10
    FortiOS 6.4.7 has been released and includes the Polling fix:
    FortiOS Release Notes | FortiGate / FortiOS 6.4.7 | Fortinet Documentation Library
     
    725056
    FSSO local poller fails after recent Microsoft Windows update ( KB5003646, KB5003638, ...).
     
    Note however that there's another Polling issue still listed under Known issues:
     
    722234
    FSSO AD polling mode connector does not work with LDAPS.
     
    Russ
    NSE7
    #17
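    Both the fixed-version list in xsilver_FTNT's post above (#13) and the 6.4.7 release note quoted in #17 come down to a per-branch minimum version, which is easy to get wrong across a fleet (6.2.9 is newer than 6.4.7's fix date but still unfixed). The following Python helper is an added example, not code from this thread or from Fortinet: it encodes the fixed-in versions quoted in the thread (FortiOS 6.2.10 / 6.4.7 / 7.0.2 for bug 725056; FortiAuthenticator 6.3.2 / 6.4.0 for bug 725129), parses version strings such as `v6.2.9 build1234`, and audits a constructed inventory. Branches the thread does not mention (6.0, 7.2 and later) are reported as `unknown-branch` rather than guessed, and the inventory hostnames are invented. Per #13, a fixed FortiAuthenticator is expected to work only against patched DCs, and the LDAPS issue 722234 from #17 is a separate bug that this check does not cover.

```python
import re

# Fixed-in versions quoted in the thread, keyed by product and release branch
# (major, minor). Anything not listed here is unknown, not assumed fixed.
FIX_VERSIONS = {
    "FortiOS":            {(6, 2): (6, 2, 10), (6, 4): (6, 4, 7), (7, 0): (7, 0, 2)},  # bug 725056
    "FortiAuthenticator": {(6, 3): (6, 3, 2), (6, 4): (6, 4, 0)},                     # bug 725129
}

_VER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v6.2.9 build1234' or 'FortiOS 6.4.7'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def poller_fix_status(product, version_text):
    """Classify one device as 'fixed', 'needs-update' or 'unknown-branch'."""
    fixes = FIX_VERSIONS.get(product)
    if fixes is None:
        raise ValueError(f"no fix data for product {product!r}")
    ver = parse_version(version_text)
    fixed_in = fixes.get(ver[:2])
    if fixed_in is None:
        return "unknown-branch"          # thread gives no data for this branch
    return "fixed" if ver >= fixed_in else "needs-update"


def audit(inventory):
    """inventory: iterable of (hostname, product, version_text) -> list of (hostname, status)."""
    return [(host, poller_fix_status(product, ver)) for host, product, ver in inventory]


# Constructed inventory; hostnames and builds are invented for the example.
INVENTORY = [
    ("fgt-branch-01", "FortiOS", "v6.2.9 build1234"),   # the OP's version
    ("fgt-hq-01", "FortiOS", "v6.4.7 build1911"),
    ("fgt-lab-01", "FortiOS", "v7.0.1"),
    ("fgt-old-01", "FortiOS", "v6.0.12"),
    ("fac-01", "FortiAuthenticator", "6.3.1"),
    ("fac-02", "FortiAuthenticator", "6.4.0"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY):
        print(f"{host:15} {status}")
```

    The branch key is deliberately only (major, minor): a 6.2.x box must reach 6.2.10 even though 6.4.7 carries a smaller patch number, which is exactly the comparison a naive "newest version wins" check gets wrong.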
    xsilver_FTNT
    2021/09/13 04:28:08
    Thanks for the reminder about FOS 6.4.7.
    The list of fixed versions of FortiOS and FortiAuthenticator is in my post from 13th August.

    Tom xSilver, planet Earth, over and out!
    #18
    xsilver_FTNT
    2021/09/20 04:36:18
    Tukan wrote:
        Problem was that we wanted to reduce costs which have been repeated (and not paid for by client) after we had to upgrade each DC agent on multiple sites to match the Firewall OS version.

    I was reading some older posts and this quite common misunderstanding caught my attention.
     
    If there is a FortiGate (FGT for short) talking via the FSSO protocol to some Collector Agent (multiple FGTs and multiple Collectors are possible),
    then they are suggested to roughly match versions.
    Which means that if you had FGT version 5 or 6, you should have a Collector of version 5 at least.
    If you have nowadays FGT version 6 or the freshly released 7.x, then you should use a Collector of version 6.
     
    Think about it in terms of interoperability, as if the Collector were for example a RADIUS or LDAP server.
    Yes, the Collector does evolve over time, as the FSSO protocol also evolves.
    But FortiOS and Collector agents are independent entities!
     
    And so generally speaking ANY FortiOS 6.x can talk to ANY Collector running a 6.x version, and no problems are expected.
     
    Yes, the FortiOS Release Notes do contain an interoperability section, and the FSSO version is mentioned there.
    But that is the latest tested version (as FortiOS and FSSO are usually released together).
    It is also a fully supported version. However, it does not mean that older versions will not work.
     
    What is more important is to keep the Collector and agents on the same version!
    As those FSSO elements interact more often and carry more info between each other.
    Communication towards the FGT is more standardized and more or less the same for years.
    The only differences coming in are new features like FortiNAC or FortiEMS tags being delivered to the FGT over FSSO.
    But if you do not need those features or you run an older version of the Collector, it will simply not offer that single particular feature to the FGT.
    Anything else, and older, is supposed to work as before.

    Tom xSilver, planet Earth, over and out!
    #19