FortiGate
Jposada, Staff
Article Id 193075
Description
This article describes how Active Directory (AD) logon messages are overwritten by the FSSO Collector Agent (CA) when FortiGate authentication with LDAP and AD FSSO are both configured on the Windows AD server.

With FortiGate FSSO, if a user cannot be authenticated by a Windows Active Directory domain but can be authenticated by LDAP, a new logon event is sent to the FSSO Collector Agent (CA).

The CA User Monitor will then show:
- The authenticated LDAP user
- The same user as an FSSO user
- The IP address of the LDAP server (e.g. 10.5.0.12) instead of the user's workstation
Example:

CA Logon users list before the LDAP authentication event:
[Screenshot: jposada_fsso_ca_logon_user_before.jpg]

CA Logon users list after the LDAP authentication event:
[Screenshot: jposada_fsso_ca_logon_user_after.jpg]

FortiGate User Monitor list after the authentication:
[Screenshot: jposada_fsso_fgt_auth_users.jpg]

Solution
To prevent the original logon entry in the FSSO CA from being overridden, enable the "Disable RDP Override" option in the FSSO CA.

This stops the CA from capturing the logon event that Windows AD generates when the LDAP authentication takes place.

Note:
If no AD user entry exists in the FSSO CA, the AD user account is ignored by the CA and a new entry is shown: the LDAP user logged on at the AD DC server.


In the FSSO CA, go to Show Monitored DCs -> Select DC to Monitor and enable "Disable RDP Override".

[Screenshot: jposada_disable_rdp_override.jpg]
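The following is an added example (not Fortinet code) that models the behaviour described in this article: a collector keeps a user-to-IP table from DC logon events, a later event sourced from the LDAP server address overwrites the workstation entry, and a filter modelling "Disable RDP Override" keeps the existing entry while still adding a user who had no entry (as the Note states). The IP 10.5.0.12 comes from the article; the usernames, workstation address and the rule "ignore DC-sourced logons only for users already in the table" are assumptions of this model.

```python
# Simplified model of an FSSO-style logon table. NOT the Collector Agent's
# actual logic; it only reproduces the override behaviour the article describes.
from dataclasses import dataclass


@dataclass
class LogonEvent:
    user: str        # account name as reported by the DC
    source_ip: str   # address the DC reported for the logon
    note: str        # constructed description, readability only


def build_logon_table(events, monitored_dcs, disable_dc_override=False):
    """Replay DC logon events in order and return {user: ip} as a collector would list it.

    monitored_dcs: set of DC / LDAP server addresses (assumption: the
    "Disable RDP Override" effect is modelled as ignoring logon events whose
    source address is a monitored DC when the user already has an entry).
    """
    table = {}
    for ev in events:
        from_dc = ev.source_ip in monitored_dcs
        if disable_dc_override and from_dc and ev.user in table:
            # Keep the original workstation entry; drop the logon the DC
            # generates when FortiGate authenticates the same user over LDAP.
            continue
        # Without the option (or for a user with no entry) the latest event wins,
        # so the user appears logged on at the LDAP server's address.
        table[ev.user] = ev.source_ip
    return table


LDAP_SERVER = "10.5.0.12"  # LDAP server / DC address from the article's example

# Constructed sample events, in the order the collector would receive them
SAMPLE_EVENTS = [
    LogonEvent("jsmith", "10.5.1.50", "interactive logon at workstation"),
    LogonEvent("jsmith", LDAP_SERVER, "logon generated by FortiGate LDAP authentication"),
    LogonEvent("mlee", LDAP_SERVER, "LDAP-only user with no prior AD entry"),
]

if __name__ == "__main__":
    print("override allowed :", build_logon_table(SAMPLE_EVENTS, {LDAP_SERVER}))
    print("override disabled:", build_logon_table(SAMPLE_EVENTS, {LDAP_SERVER}, True))
```

With the option disabled, jsmith is shown at 10.5.0.12; with it enabled, jsmith keeps the workstation address while mlee, who had no entry, still appears at the DC address.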



