Question:

I’m facing challenges in a secure environment where the FSSO agent attempts to connect via IP for WMI checks instead of hostname, preventing Kerberos authentication. Consequently, the FortiGate views active users as timed out. Despite observing successful Kerberos network logins from the FSSO agent’s IP on the workstation event logs, simultaneous NTLM attempts fail due to security policies against incoming NTLM traffic, leading to the workstation being marked as ‘not verified’ by the FSSO agent.

In environments where NTLM is permitted, the FSSO functions correctly but raises security concerns due to constant NTLM authentication requests, which could potentially expose admin-level access through NTLM relay attacks.

Given these circumstances, how can one securely implement the FSSO collector agent?”

Answer:

The Fortinet Single Sign-On (FSSO) collector agent is a critical component for identifying user activity and facilitating web filtering. However, deploying it securely can be challenging, especially when Kerberos authentication is required. This article explores the difficulties and offers solutions for securely implementing the FSSO collector agent.

Introduction:

In secure environments, the FSSO collector agent’s reliance on IP addresses for Windows Management Instrumentation (WMI) checks, rather than hostnames, can impede Kerberos authentication. This issue leads to FortiGate firewalls inaccurately timing out active users. Additionally, the agent’s fallback to NTLM authentication poses security risks, as it can be exploited through NTLM relay attacks.

The Core Issue:

The crux of the problem lies in the FSSO agent’s design, which does not account for environments where NTLM is restricted. When Kerberos authentication fails due to the agent’s IP-based WMI checks, the subsequent NTLM attempt is blocked by security policies, causing the agent to erroneously time out the workstation.

Potential Solutions:

To address these challenges, consider the following strategies:

1.

DNS Resolution Enhancement:

Implement DNS resolution improvements within the network to ensure that the FSSO agent can reliably resolve hostnames to IP addresses, facilitating Kerberos authentication.

2.

Agent Configuration Adjustments:

Modify the FSSO agent’s configuration to prioritize hostname-based WMI checks. This may require collaboration with Fortinet support to adjust the agent’s behavior.

3.

Network Policy Updates:

Review and update network policies to allow for exceptions where the FSSO agent’s NTLM traffic is permitted, but only from known, secure sources.

4.

Security Hardening:

Harden security by implementing additional layers of authentication and monitoring for NTLM traffic to detect and prevent relay attacks.

5.

Alternative Authentication Methods:

Explore alternative authentication methods that do not rely on NTLM, such as OAuth or SAML, which may be supported by Fortinet in certain configurations.

Conclusion:

Securing the FSSO collector agent in an environment that restricts NTLM requires a multifaceted approach. By enhancing DNS resolution, adjusting agent configurations, updating network policies, hardening security, and considering alternative authentication methods, organizations can overcome the challenges and deploy the FSSO collector agent securely.

Disclaimer:

This article provides general advice. Specific technical steps should be developed in collaboration with IT security professionals and in accordance with organizational policies and Fortinet’s guidelines.