SUMMERCOKE77
asked on
Fortigate 5.2.4 FSSO Cannot Authenticate and User Name Not shown in Traffic Log
Dear All,
My environment
Fortigate 100D v5.2.4,build688 (GA)
Active-Passive HA Cluster
Windows 2012 R2 Standard AD Server
I am setting up a test policy that requires FSSO AD authentication.
I have done the following successfully:
1) User & Device->Authentication->LDAP Server created successfully and the test was successful
2) User & Device->Authentication->Single Sign-On created successfully with AD "Domain Users" user group specified, with status connected.
3) FSSO using DC-Agent is installed and working successfully on my DC; I can see in the service status that the firewall is connected.
4) In the FSSO agent on the DC I can see the group filter reflecting the single-sign-on filter specified in 2)
5) Agent AD access mode : standard
Verified from CLI
[FORTIGATE] # diag deb auth fsso server-status
[FORTIGATE] #
Server Name Connection Status Version
----------- ----------------- -------
FORTINET_AGENT1 connected FSSO 5.0.0241
But when I do the following:
[FORTIGATE] # diag deb auth fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----
It seems to me that the FSSO agent is not working successfully.
I verified the data of the logged-on users in the FSSO agent.
I can retrieve a list of AD users that are logged on in my environment.
I can see the firewall is connected in the agent installed on the DC ("Show Service Status"),
but when I click "Get NTLM statistic" all readings are 0 ... (see attached picture)
The following is the log I extracted from my DC with the agent installed:
==========================
01/15/2016 00:02:38 [ 1940] Fortinet Single Sign On Agent version 5.0.0241 starts ...
01/15/2016 00:02:39 [ 1940] error prase file header:C:\Program Files (x86)\Fortinet\FSAE\TSAgentSyncID.dat
01/15/2016 00:02:48 [ 5376] FortiGate:[FIREWALL_S/N] connected on socket (1496).
01/15/2016 00:02:48 [ 5376] group filter received from FortiGate: len:66
01/15/2016 00:02:48 [ 5376] CN=ITD,CN=Users,DC=[DOMAIN_NAME]
01/15/2016 08:27:14 [ 7636] dump NTLM statistics...
01/15/2016 08:27:14 [ 7636] NTLM message received:0
01/15/2016 08:27:14 [ 7636] NTLM message received(type1):0
01/15/2016 08:27:14 [ 7636] NTLM message received(type3):0
01/15/2016 08:27:14 [ 7636] NTLM message processed:0
01/15/2016 08:27:14 [ 7636] NTLM message processed(type1):0
01/15/2016 08:27:14 [ 7636] NTLM message processed(type3):0
01/15/2016 08:27:14 [ 7636] NTLM message in queue:0
01/15/2016 08:27:14 [ 7636] NTLM request auth OK:0
01/15/2016 08:27:14 [ 7636] NTLM request auth OK, no group:0
01/15/2016 08:27:14 [ 7636] NTLM request auth Failed:0
01/15/2016 08:27:14 [ 7636] NTLM request max process time:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 0 and 1 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 1 and 2 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 2 and 3 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 3 and 4 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 4 and 5 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 5 and 6 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 6 and 7 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 7 and 8 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 8 and 9 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM requests takes between 9 and 10 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM request takes >10 seconds to process:0
01/15/2016 08:27:14 [ 7636] NTLM request count:0
01/15/2016 08:27:17 [ 7636] dump NTLM statistics...
01/15/2016 08:27:17 [ 7636] NTLM message received:0
01/15/2016 08:27:17 [ 7636] NTLM message received(type1):0
01/15/2016 08:27:17 [ 7636] NTLM message received(type3):0
01/15/2016 08:27:17 [ 7636] NTLM message processed:0
01/15/2016 08:27:17 [ 7636] NTLM message processed(type1):0
01/15/2016 08:27:17 [ 7636] NTLM message processed(type3):0
01/15/2016 08:27:17 [ 7636] NTLM message in queue:0
01/15/2016 08:27:17 [ 7636] NTLM request auth OK:0
01/15/2016 08:27:17 [ 7636] NTLM request auth OK, no group:0
01/15/2016 08:27:17 [ 7636] NTLM request auth Failed:0
01/15/2016 08:27:17 [ 7636] NTLM request max process time:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 0 and 1 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 1 and 2 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 2 and 3 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 3 and 4 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 4 and 5 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 5 and 6 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 6 and 7 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 7 and 8 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 8 and 9 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM requests takes between 9 and 10 seconds to process:0
01/15/2016 08:27:17 [ 7636] NTLM request takes >10 seconds to process:0
What went wrong here?
Any pointers?
NTLM.png
ServiceStatus.png
GroupFilter.png
AD-Access-Mode.png
Thanks!