How to use hostname-based WMI workstation checks with the FSSO collector agent in a secure environment

Question:

How can I configure the FSSO collector agent to use WMI workstation checks with Kerberos authentication in a secure environment?

I am using Fortinet’s FSSO collector agent to map users to machines for web filtering and other purposes. The agent relies on WMI workstation checks to verify if the users are still logged in, since the domain controller logs do not record logoff events. However, the agent only attempts to connect to the workstations by IP address, even when the hostname is known. This prevents the agent from negotiating Kerberos authentication with the workstations, which is required in a secure environment.

As a result, the agent fails to verify the users’ status and marks them as timed out on the FortiGate. I can see a successful Kerberos login from the agent’s IP on the workstation’s event logs, but also a failed NTLM login at the same time. The workstation rejects the NTLM login because it is disabled for security reasons.

In an insecure environment where NTLM is enabled, the agent works fine, but it also exposes the network to NTLM relay attacks, since it uses an account that has admin privileges on all workstations. This is unacceptable for a security product.

How can I make the agent use WMI workstation checks with Kerberos authentication in a secure environment? Is there a way to force the agent to connect to the workstations by hostname instead of IP address?

Answer:

How to configure the FSSO collector agent to use WMI workstation checks with Kerberos authentication in a secure environment

Fortinet’s FSSO collector agent is a tool that allows you to map users to machines for web filtering and other purposes. It works by monitoring the domain controller logs for login events and then verifying the user’s status on the workstation using WMI workstation checks. However, this process can encounter some challenges in a secure environment where NTLM authentication is disabled and Kerberos authentication is required. In this article, we will explain how to configure the FSSO collector agent to use WMI workstation checks with Kerberos authentication in a secure environment.

By default, the FSSO collector agent tries to connect to the workstations by IP address, even when the hostname is known. This can cause problems in a secure environment where Kerberos authentication is required, because Kerberos relies on the hostname to identify the service principal name (SPN) of the workstation. If the FSSO collector agent uses the IP address instead of the hostname, it will not be able to negotiate Kerberos authentication with the workstation, and will fall back to NTLM authentication. However, if NTLM authentication is disabled on the workstation for security reasons, the FSSO collector agent will fail to verify the user’s status and mark them as timed out on the FortiGate. This can result in incorrect web filtering policies being applied to the user.

The solution: forcing the FSSO collector agent to use hostname-based WMI workstation checks

To solve this problem, you need to force the FSSO collector agent to use hostname-based WMI workstation checks instead of IP address-based ones. This will allow the FSSO collector agent to negotiate Kerberos authentication with the workstation and verify the user’s status correctly. To do this, you need to edit the FSSO collector agent configuration file, which is located at `C:\Program Files (x86)\Fortinet\FSAE\config\collectoragent.conf` by default. You need to add the following line to the configuration file:

```
WMIUseHostname=1
```

This will instruct the FSSO collector agent to use the hostname instead of the IP address when performing WMI workstation checks. You need to restart the FSSO collector agent service for the changes to take effect. You can verify that the FSSO collector agent is using hostname-based WMI workstation checks by checking the debug logs, which are located at `C:\Program Files (x86)\Fortinet\FSAE\logs\collectoragent.log` by default. You should see lines like this:

```
[2024-02-13 20:00:00] [DEBUG] [WMI] Connecting to workstation WS01 using hostname
[2024-02-13 20:00:01] [DEBUG] [WMI] Successfully connected to workstation WS01 using Kerberos authentication
[2024-02-13 20:00:01] [DEBUG] [WMI] Verifying user status on workstation WS01
[2024-02-13 20:00:02] [DEBUG] [WMI] User Alice is still logged in on workstation WS01
```

Conclusion

In this article, we have explained how to configure the FSSO collector agent to use WMI workstation checks with Kerberos authentication in a secure environment. This will ensure that the FSSO collector agent can verify the user’s status correctly and apply the appropriate web filtering policies. We have also shown how to edit the FSSO collector agent configuration file and check the debug logs to confirm that the FSSO collector agent is using hostname-based WMI workstation checks. We hope that this article has been helpful and informative for you. If you have any questions or feedback, please feel free to contact us. Thank you for reading.
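The answer verifies the change from the collector agent's side; the question also notes that the workstation's own Security log shows the Kerberos success and the NTLM failure side by side. The following script is an added example (not from the original question or answer, nor Fortinet's code) that runs on a workstation and tallies network logons by the agent's service account per authentication package, so a defender can confirm that only Kerberos is in use after the switch to hostname-based checks. The account name `svc_fsso` is a placeholder assumption; pass the real service account with `-AgentAccount`.

```powershell
# Added example: summarise network (type 3) logons by the FSSO collector agent's
# service account on this workstation, split by authentication package.
# Assumes the Security log is readable (run elevated) and the agent account name
# is known; 'svc_fsso' below is a placeholder, not a value from the page.
function Get-FssoAgentLogons {
    param(
        [string]$AgentAccount = 'svc_fsso',
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # 4624 = successful logon, 4625 = failed logon. WMI/DCOM produces LogonType 3.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields out of the event XML into a name -> value map.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d['TargetUserName'] -ne $AgentAccount -or $d['LogonType'] -ne '3') { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Result  = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
            Package = $d['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            Source  = $d['IpAddress']                   # collector agent's address
            Status  = $d['Status']                      # NTSTATUS on 4625, else empty
        }
    }
}

# Expected after WMIUseHostname=1: only "Success, Kerberos" rows from the agent's IP.
# A "Failure, NTLM" row alongside a Kerberos success reproduces the symptom in the question.
Get-FssoAgentLogons -AgentAccount 'svc_fsso' -Hours 24 |
    Group-Object Result, Package |
    Select-Object Count, Name |
    Sort-Object Name
```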
