Somashekara_Hanumant
Article Id 197780
Purpose
This article describes the workstation hostname character limit while using FSSO authentication.

Scope
While using FSSO authentication, the FSSO collector agent resolves the workstation hostname to an IP address. During this process the workstation hostname should not exceed 15 characters; if it does, the DNS resolution will fail.

Expectations, Requirements
FSSO is configured on the FortiGate and on the FSSO collector agent, and is working fine.

A user on 10.40.9.42 will try to log in to the domain controller. The IP and hostname are as follows:

Windows IP Configuration:
   Host Name . . . . . . . . . . . . : boson-kvm42-12345
   Primary Dns Suffix  . . . . . . . : dubailab.lab
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : dubailab.lab

   IPv4 Address. . . . . . . . . . . : 10.40.9.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 10.40.4.123
   DHCPv6 IAID . . . . . . . . . . . : 50356847
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-AC-58-17-00-62-6F-73-2A-01
   DNS Servers . . . . . . . . . . . : 10.40.9.78
                                       8.8.8.8
When the user logs in from 10.40.9.42 to the domain controller 10.40.9.78, the DNS record is as follows:



From the FSSO collector agent logs:
resolve_ip_internal: workstation:BOSON-KVM42-123.dubailab.lab [10.40.9.42:0.0.0.0] time:0
04/24/2019 13:18:11 [ 5168] after DNS_checking:BOSON-KVM42-123.dubailab.lab
From the DC agent logs:
4/24/2019 13:14:05.776: processing Logon (level=1, logonid=0-0) DUBAILAB\BOSON-KVM42-123$ (BOSON-KVM42-123$) from BOSON-KVM42-123
machine account:BOSON-KVM42-123$ is ignored.
FSSO is not taking more than 15 characters.

There is a limitation in FSSO with a workstation name character limit of 15. If the name is longer than 15 characters, FSSO will remove the rest and perform an NSLOOKUP of the workstation name on the first 15 characters.
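
The check below is an added example, not Fortinet code: it applies the 15-character truncation described above to a host inventory, matches the collector agent log line by IP to confirm the cut, and also flags different hosts whose names collapse to the same 15 characters, which follows from the truncation but is not shown in the article. The two inventory entries other than boson-kvm42-12345 and all function names are constructed for illustration.

```python
import re

NAME_LIMIT = 15  # workstation name limit described in this article

# Constructed inventory of (hostname, IP). The first entry is the article's
# host; the other two are made up for illustration.
INVENTORY = [
    ("boson-kvm42-12345", "10.40.9.42"),
    ("boson-kvm42-12399", "10.40.9.43"),
    ("hr-laptop-07", "10.40.9.44"),
]
# Collector agent log line quoted in the article.
LOG_LINES = [
    "resolve_ip_internal: workstation:BOSON-KVM42-123.dubailab.lab "
    "[10.40.9.42:0.0.0.0] time:0",
]
# Captures the short workstation name and the first IP in the brackets.
LOG_RE = re.compile(r"workstation:([^.\s]+)\S*\s+\[(\d+\.\d+\.\d+\.\d+):")

def fsso_name(hostname):
    """First 15 characters of the short name, upper-cased for comparison."""
    return hostname.split(".")[0][:NAME_LIMIT].upper()

def audit(inventory):
    """Return (too_long, collisions) for a list of (hostname, ip) pairs."""
    too_long = [(h, fsso_name(h)) for h, _ in inventory
                if len(h.split(".")[0]) > NAME_LIMIT]
    seen = {}
    for h, _ in inventory:
        seen.setdefault(fsso_name(h), []).append(h)
    collisions = {k: v for k, v in seen.items() if len(v) > 1}
    return too_long, collisions

def truncated_in_logs(log_lines, inventory):
    """Match log entries to inventory by IP; report names that were cut."""
    by_ip = {ip: h for h, ip in inventory}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        real = by_ip.get(m.group(2)) if m else None
        # A hit: the logged name is the truncation, not the full hostname.
        if real and m.group(1).upper() == fsso_name(real) != real.upper():
            hits.append((m.group(2), real, m.group(1)))
    return hits

if __name__ == "__main__":
    print(audit(INVENTORY))
    print(truncated_in_logs(LOG_LINES, INVENTORY))
```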
