The Fortinet Single Sign On Agent (FSSO Agent) lets your FortiGate map IP addresses to users, which is useful, and often required, for web filtering and other identity-based policies. The agent is installed somewhere (usually a domain controller), polls for logon events, and keeps a database of IP-to-user mappings up to date. This works fine, except that the agent wants to run under a domain admin account for everything. A service on a domain controller that runs as a domain admin is a large target, so if you are working in a hardened environment and want to restrict service account access there are a few hoops to jump through; here they are. This guide does not cover integrating the FSSO Agent with your FortiGate; it only covers getting the agent working with a hardened, non-admin account.
Pre-Setup
In my environment we have group policies that prevent domain admins from logging on to workstations. We also deny interactive logon to service accounts. Ideally we don't want the FSSO account to be a domain admin anyway, so it won't stay one. For the initial install, however, Domain Admins membership is needed. So to start I created a user called FSSO and added it to the following groups: Domain Users, Domain Admins, Service Accounts, and Event Log Readers. Note that Service Accounts is not a built-in group; it is one I created, and you can skip it if your environment doesn't require it. Event Log Readers is the membership that matters once Domain Admins is removed: it grants read access to the Security event log that polling mode depends on.
Installation
- Download the FSSO Agent from support.fortinet.com. This install was done with FSSO_Setup_5.0.0295_x64.exe.
- Install the FSSO Agent on a domain controller. When prompted to choose Simple or Advanced for your directory naming/structure, I use Advanced, but that is up to you and is out of scope for this post.
- Do not use the DC Agent. Choose Polling Mode with the sub-option Check Windows Security Event Logs, so that the collector learns logons by reading the Security log, which is exactly what the Event Log Readers membership allows a non-admin account to do.
Adjustments
- Remove the FSSO account from the Domain Admins group.
- Grant the FSSO account full control over the directory C:\Program Files (x86)\Fortinet\FSAE.
- Grant the FSSO account full control over the registry keys HKLM\SOFTWARE\WOW6432Node\Fortinet\FSAE and HKLM\SOFTWARE\Fortinet\FSAE.
Keep in mind that full control over the install directory lets the account replace the agent's own binaries, so treat its password like any other privileged credential even though it is no longer a domain admin.
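The Pre-Setup account creation and the post-install Adjustments above, scripted in PowerShell. This is an added example, not code from the original post or from Fortinet. It assumes you run it elevated on the domain controller where the agent was installed, that the RSAT ActiveDirectory module is available, that the custom Service Accounts group already exists, and that the installer is run by hand between the two functions. The function names Initialize-FssoAccount, Set-FssoPostInstallPermissions and Test-FssoPermissions are my own; the account name, directory and registry keys are the ones the post uses.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Assumes: elevated session on the DC
# running the agent, RSAT ActiveDirectory module present, and the custom
# "Service Accounts" group already created. Paths and names follow the post.

$FssoUser     = 'FSSO'
$InstallDir   = 'C:\Program Files (x86)\Fortinet\FSAE'
$RegistryKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE',
    'HKLM:\SOFTWARE\Fortinet\FSAE'
)

# Pre-Setup: create the account and its group memberships. Domain Admins is
# only needed for the installer and is removed again below. Domain Users is the
# default primary group, so it is not added explicitly.
function Initialize-FssoAccount {
    param(
        [string]$Name = $FssoUser,
        [string[]]$Groups = @('Domain Admins', 'Service Accounts', 'Event Log Readers')
    )
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Name'")) {
        $password = Read-Host -AsSecureString -Prompt "Password for $Name"
        New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $password `
            -Enabled $true -Description 'Fortinet FSSO collector agent service account'
    }
    foreach ($group in $Groups) {
        Add-ADGroupMember -Identity $group -Members $Name
    }
}

# Adjustments: run after the installer has finished.
function Set-FssoPostInstallPermissions {
    param([string]$Name = $FssoUser)
    $account = "$((Get-ADDomain).NetBIOSName)\$Name"

    # 1. The account was a domain admin for the install only.
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $Name -Confirm:$false

    # 2. Full control on the install directory, inherited by files and subfolders.
    $dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $InstallDir
    $acl.AddAccessRule($dirRule)
    Set-Acl -Path $InstallDir -AclObject $acl

    # 3. Full control on both FSAE keys (native 64-bit view and WOW6432Node view).
    foreach ($key in $RegistryKeys) {
        if (-not (Test-Path -Path $key)) { Write-Warning "Missing key: $key"; continue }
        $regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $account, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl = Get-Acl -Path $key
        $acl.AddAccessRule($regRule)
        Set-Acl -Path $key -AclObject $acl
    }
}

# Check: the account must be out of Domain Admins, still in Event Log Readers,
# and hold an Allow/FullControl ACE on the directory and both registry keys.
function Test-FssoPermissions {
    param([string]$Name = $FssoUser)
    $account = "$((Get-ADDomain).NetBIOSName)\$Name"
    $groups  = (Get-ADPrincipalGroupMembership -Identity $Name).Name
    [pscustomobject]@{ Check = 'Not in Domain Admins';  Ok = ('Domain Admins' -notin $groups) }
    [pscustomobject]@{ Check = 'In Event Log Readers';  Ok = ('Event Log Readers' -in $groups) }
    foreach ($path in (@($InstallDir) + $RegistryKeys)) {
        $ace = (Get-Acl -Path $path).Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -eq 'FullControl') -or ($_.RegistryRights -eq 'FullControl'))
        }
        [pscustomobject]@{ Check = "FullControl on $path"; Ok = [bool]$ace }
    }
}

# Usage:
#   Initialize-FssoAccount            # then run FSSO_Setup_5.0.0295_x64.exe
#   Set-FssoPostInstallPermissions    # after the installer completes
#   Test-FssoPermissions | Format-Table -AutoSize
```

Test-FssoPermissions reports one row per check so a false in the Ok column points at exactly which adjustment was missed. The ACEs are written as inherited full control because that is what the post calls for; the check only confirms an Allow/FullControl entry exists for the account and does not validate anything about the installer's own ACLs.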