
Restricting a Fortinet Single Sign On Age... - Fortinet Community

This document provides a technical tip on restricting a Fortinet Single Sign On Agent Service (FSSO) account to enhance security. It outlines best practices for permissions, installation requirements, and potential limitations when using restricted access. The article emphasizes the importance of proper configuration to ensure functionality while maintaining security standards.


Created on 01-16-2015 12:24 PM by bmeta (Staff); edited on 08-19-2024 07:54 AM by Stephen_G. Article Id: 198065

Technical Tip: Restricting a Fortinet Single Sign On Agent Service (FSSO) service account
Description

This article explains how to restrict the Fortinet Single Sign On Agent Service account as part of security hardening best practices.

Note:
The term FSAE used here stands for 'Fortinet Server Authentication Extension' and refers to the same component as the Collector Agent or FSSO.

Scope

FortiGate with the Fortinet Single Sign On Agent (also known as the 'Collector Agent').

Solution

The Collector Agent uses the privileges of its service account, the Fortinet Single Sign On Agent Service (FSSO Agent Service) account, for most of its tasks.

That is why it is important that this service runs with least privilege, yet with correctly configured permissions, and that the limitations it brings when it is not set properly are understood.

FSSO supports several features and modes so that it can fit a variety of Microsoft Active Directory (AD) implementations. Each of its operation modes (for example DCAgent mode, WinSec polling, or polling by the FortiGate integrated poller) and each of its features may require a different level of privileges.
To simplify configuration, Fortinet suggests running the Fortinet Single Sign On Agent Service with the privileges of a domain admin account. This ensures that whatever mode or feature is selected, the service has enough permissions to complete its task.

However, in some scenarios such access may not be allowed, or there may be security concerns about using such an account.

This article explains when and which permissions are needed, permission workarounds for some modes, and which features may need to be turned off where the access level is insufficient.
In the examples below, an account called 'fsso-svc' is used.

These tests are based on the default AD group privileges of Windows Server 2012; other environments may differ and require additional adjustments.

Permission required during installation/uninstall/upgrade:

The Collector Agent must be installed on a domain member host running a Windows OS; it does not need to be a Domain Controller (DC). For the supported Windows OS versions, refer to the release notes of each release. FSSO Agent notes are included in the FortiOS release notes section.

The Collector Agent installation needs to run with an account that is a member of the local administrators or domain administrators. These permissions are required for creating local registry keys, libraries, folders, logs, etc.

This is a temporary requirement, but it is needed for the installation to complete properly.

After the installation of the agent is completed, the service can be switched to an account with 'Domain Users' access level. However, the service account must have full access to the following registry keys and subkeys:

32bit machine:

[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent]

64bit machine:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent]

1. Full Control access level is also required for the local FSAE folder and subfolders:

C:\Program Files (x86)\Fortinet\FSAE
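The registry key and folder permissions described above can be applied and verified with the following script. This is an added example, not part of the Fortinet article; it assumes the service account is 'EXAMPLE\fsso-svc', that the agent is installed in the default path, and that it is run from an elevated PowerShell session on the Collector Agent host.

```powershell
# Added example, not from the Fortinet article: grant the FSSO service account
# Full Control on the Collector Agent registry key and on the FSAE folder,
# then list the resulting entries so the change can be checked.
# Assumptions: account 'EXAMPLE\fsso-svc', default install path, run elevated.
param(
    [string]$ServiceAccount = 'EXAMPLE\fsso-svc',
    [string]$FsaeFolder = 'C:\Program Files (x86)\Fortinet\FSAE'
)

# Choose the key that matches the OS architecture (both keys are listed above).
$regKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent'
} else {
    'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent'
}

$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$noProp = [System.Security.AccessControl.PropagationFlags]::None

# Registry: Full Control on the key, inherited by all subkeys.
$regAcl = Get-Acl -Path $regKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $ServiceAccount,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    $noProp, $allow)
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $regKey -AclObject $regAcl

# Folder: Full Control on the folder, inherited by subfolders and files.
$dirAcl = Get-Acl -Path $FsaeFolder
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    $noProp, $allow)
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $FsaeFolder -AclObject $dirAcl

# Verification: show only the ACEs that apply to the service account.
foreach ($path in $regKey, $FsaeFolder) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
        Select-Object @{n = 'Path'; e = { $path }},
                      IdentityReference,
                      AccessControlType,
                      @{n = 'Rights'; e = {
                          if ($_.RegistryRights) { $_.RegistryRights } else { $_.FileSystemRights } }}
}
```

The script only adds an Allow entry for the service account and leaves the existing ACL untouched, so the administrators who installed the agent keep their access. Remember that after a Collector Agent upgrade the folder permissions have to be reapplied, as the note below states.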

Note:
The error NT_STATUS_ACCESS_DENIED (0x80041003) may still appear in the event viewer after granting the FSSO service account full access to the registry keys mentioned above. This happens because the change only takes effect after a reboot of the Domain Controller.

Note:
After upgrading the Collector Agent, step 1 has to be reapplied. The following steps 2 and 3 are only valid for DCAgent mode; if event log polling is used instead, they may be skipped.

2. Install/uninstall/upgrade DCAgent module (optional):

DCAgent may be beneficial when the user count is high, for example several thousand users. Note that installing and upgrading a DCAgent requires a reboot of the DC, so it may be preferable to use the regular polling mode and not install the DCAgents.
The functionality is the same, but the DCAgents are more efficient at the 'cost' of maintenance. If a reboot of the DC is not possible, the DCAgent should not be considered.

If the DCAgent is required for the use case, it is necessary to install the DCAgent module on all DCs that
are in use or will be used for picking up user logons for use with FSSO.

DCAgent installation from or via the Collector Agent is an optional feature that requires the Collector Agent service to run with an account that has domain administrator permissions, because it needs to connect to remote DCs to add or modify registry entries and copy DLL file(s) to the Windows system directory.

This requirement can be avoided by manually installing the DCAgent application on each DC. See the next step.

Manual installation of the DCAgent is started by running the DCAgent_Setup package on the DC in question.

For example:
DCAgent_Setup_5.0.0314.exe // executable installation file for 32-bit architecture.
DCAgent_Setup_5.0.0314.msi // MSI package for 32-bit architecture.
DCAgent_Setup_5.0.0314_x64.exe // executable installation file for 64-bit architecture.
DCAgent_Setup_5.0.0314_x64.msi // MSI package for 64-bit architecture.
Note:
After the Collector Agent upgrade, the DCAgent has to be upgraded manually.
An upgrade of the DCAgent requires a reboot, as the DCAgent core component is a DLL ('dcagent.dll') hooked into the system from the system32 directory.

For more information about upgrade instructions, see:

Technical Tip: Upgrading FSSO Agents

Note:

The manual installation needs to run with the privileges of an account that is a member of Local Administrators or Domain Administrators.

3. Limitations when the Collector Agent runs with limited access permissions in DCAgent operation mode:

- The Collector Agent will not be able to check the DCAgent status, so a '?' is expected next to the DCAgent under 'DC Agent Status' -> 'Select DC to Monitor'.
- All DCAgent registry changes, such as the ignore list, have to be updated manually on each DC (for example: [HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent\ignore_list]).

This does not prevent the DCAgent from sending logon events to the Collector Agent.

4. A primary function, common to all operation modes, is access to AD to poll users' group membership. In these lab tests, the default 'Domain Users' group has such privileges.
5. Permission restriction in the Collector Agent with WinSec and WMI modes:

In these modes, the Collector Agent needs to log in to the DC and poll event logs. This requires the service account to be a member of 'Event Log Readers'.

6. 'Event Log Readers' is also required when a FortiGate is configured in polling mode. If the account is not a member of Event Log Readers, error messages such as the following may appear:

02/21/2024 12:48:48 [ 6576] [E][EPPoller]Could not open the event log on:DCserver.domain.local (e=1314)
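Steps 5 and 6 both come down to the same requirement: the service account must be able to open the Security log on the domain controllers. The following script, an added example that is not part of the Fortinet article, adds the account to 'Event Log Readers' and then reproduces the poller's read as that account, so the e=1314 condition above can be tested directly. It assumes the account 'fsso-svc', the ActiveDirectory PowerShell module, and a DC name constructed for the example.

```powershell
# Added example, not from the Fortinet article: put the Collector Agent service
# account into 'Event Log Readers' and confirm it can open a DC's Security log.
# Assumptions: account 'fsso-svc', ActiveDirectory module installed, DC name
# constructed for the example.
param(
    [string]$ServiceAccount   = 'fsso-svc',
    [string]$DomainController = 'DCserver.domain.local'
)
Import-Module ActiveDirectory

# On a domain controller, 'Event Log Readers' is a built-in domain local group.
$groups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
          Select-Object -ExpandProperty Name
if ($groups -notcontains 'Event Log Readers') {
    Add-ADGroupMember -Identity 'Event Log Readers' -Members $ServiceAccount
    "$ServiceAccount added to 'Event Log Readers'; restart the Collector Agent " +
    "service so its logon token carries the new group"
} else {
    "$ServiceAccount is already a member of 'Event Log Readers'"
}

# Reproduce what the poller does: open the DC's Security log as the service
# account. Win32 error 1314 ('A required privilege is not held by the client'),
# seen as e=1314 in the Collector Agent log, is what this call returns when the
# membership is missing.
$cred = Get-Credential -UserName "$env:USERDOMAIN\$ServiceAccount" `
                       -Message 'FSSO service account password'
try {
    $evt = Get-WinEvent -ComputerName $DomainController -LogName Security `
                        -MaxEvents 1 -Credential $cred -ErrorAction Stop
    "OK: read event id $($evt.Id) from the $DomainController Security log"
} catch {
    "FAILED to open the $DomainController Security log as ${ServiceAccount}: " +
    $_.Exception.Message
}
```

Running the read with the service account's own credentials, rather than with the administrator's session, is the point of the test: it shows whether the membership has actually reached the account's token, which is also why the Collector Agent service has to be restarted after the group change.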

7. Additional restriction in the Collector Agent configuration.

It is a best practice to add the Collector Agent service account to the 'Ignore User List'. It is a domain account, but users are not expected to log in with it.
It also does not require internet access, so its logon events can be ignored.


8. Additional AD restrictions for the Collector Agent service account.

The Collector Agent service account can be further restricted by adding it to 'Deny Logon Locally'.
It is a service account and is not expected to be used by users for login.

Additional information about this Microsoft option is available on MSDN:
Microsoft documentation: Log on as a service
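The two user rights that matter for step 8 are the one the service needs ('Log on as a service', SeServiceLogonRight) and the one that blocks interactive use ('Deny log on locally', SeDenyInteractiveLogonRight). The following script, an added example that is not part of the Fortinet article, sets both in the local security policy of the Collector Agent host with secedit and re-exports the policy to show the result. It assumes the account 'EXAMPLE\fsso-svc' and an elevated session; in a domain the same settings would normally be delivered by a GPO scoped to the Collector Agent host.

```powershell
# Added example, not from the Fortinet article: grant 'Log on as a service' and
# add 'Deny log on locally' for the FSSO service account in the local policy of
# the Collector Agent host. Assumptions: account 'EXAMPLE\fsso-svc', run elevated.
param([string]$ServiceAccount = 'EXAMPLE\fsso-svc')

# User rights in secedit templates are keyed by SID, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'fsso-rights.inf'
$db  = Join-Path $env:TEMP 'fsso-rights.sdb'

# Export only the [Privilege Rights] area of the current policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg

function Add-SidToRight {
    param([string[]]$Lines, [string]$Right, [string]$Sid)
    $found = $false
    $out = foreach ($line in $Lines) {
        if ($line -match "^$Right\s*=") {
            $found = $true
            if     ($line.Contains("*$Sid")) { $line }            # already listed
            elseif ($line -match '=\s*$')    { "$line*$Sid" }     # right present but empty
            else                             { "$line,*$Sid" }    # append to the list
        } else {
            $line
        }
    }
    if (-not $found) {
        # The right is absent from the export: add it under [Privilege Rights].
        $out = foreach ($line in $out) {
            $line
            if ($line -eq '[Privilege Rights]') { "$Right = *$Sid" }
        }
    }
    return $out
}

$lines = Add-SidToRight -Lines $lines -Right 'SeServiceLogonRight'         -Sid $sid
$lines = Add-SidToRight -Lines $lines -Right 'SeDenyInteractiveLogonRight' -Sid $sid

# secedit expects a UTF-16 template; apply it to the USER_RIGHTS area only.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# Verification: re-export and show the two rights.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Where-Object {
    $_ -match '^(SeServiceLogonRight|SeDenyInteractiveLogonRight)\s*='
}
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
```

Adding the deny right does not touch the service itself, which logs on through SeServiceLogonRight, but it does block anyone who obtains the account's password from using it at a console or RDP session. Scope it to the Collector Agent host (or, with a GPO, to that host only) and remember step 9: the WMI workstation check still needs administrator membership on the checked workstations, which is a separate setting.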

9. The WMI workstation test does not work without a domain admin account, or if the account is not an admin on all workstations. For workstation checking, the service account must be an admin on every workstation the Collector Agent checks. By default, this is the domain admin. If the domain admin account cannot be used, the account used must be a local admin on all workstations.

The account also needs to be a member of the following local groups on the remote machine:
- Performance Log Users: without this group, the Collector Agent cannot read the IP address of the machine.
- Remote Desktop Users: without this group, the user erroneously shows as no longer being logged on. This is also required for an RDP session.

See the following Microsoft article for more information about WMI on a remote computer:
Microsoft documentation: Connecting to WMI on a Remote Computer

That article makes clear what is necessary for remote access through WMI: an admin account is required. Due to User Account Control, the account on the remote system must be a domain account in the Administrators group. For more information, see User Account Control and WMI.
If WMI access is not set up properly, workstations will not be verified in the Collector Agent.
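The following script, an added example that is not part of the Fortinet article, prepares a set of workstations for the WMI workstation check described in step 9 (local Administrators, Performance Log Users and Remote Desktop Users membership) and then runs a remote WMI query as the service account itself to confirm the access works. It assumes the account 'EXAMPLE\fsso-svc', workstation names constructed for the example, PowerShell remoting enabled on the workstations, and that the script is run by an account that is already an administrator on them.

```powershell
# Added example, not from the Fortinet article: give the FSSO service account the
# local group memberships the WMI workstation check needs, then verify with a
# remote CIM/WMI query made as that account. Assumptions: account
# 'EXAMPLE\fsso-svc', constructed workstation names, PowerShell remoting enabled.
param(
    [string]$ServiceAccount = 'EXAMPLE\fsso-svc',
    [string[]]$Workstations = @('WS01.example.local', 'WS02.example.local')
)

# Groups the article lists as required on every workstation that is checked.
$requiredGroups = @('Administrators', 'Performance Log Users', 'Remote Desktop Users')

Invoke-Command -ComputerName $Workstations -ArgumentList $ServiceAccount, $requiredGroups -ScriptBlock {
    param($Account, $Groups)
    foreach ($g in $Groups) {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if ($members.Name -notcontains $Account) {
            Add-LocalGroupMember -Group $g -Member $Account
        }
    }
    "${env:COMPUTERNAME}: $Account is a member of $($Groups -join ', ')"
}

# Verify as the service account: the workstation check relies on remote WMI,
# and Win32_ComputerSystem.UserName is the interactively logged-on user, which
# is the kind of information the Collector Agent needs from the workstation.
$cred = Get-Credential -UserName $ServiceAccount -Message 'FSSO service account password'
foreach ($ws in $Workstations) {
    try {
        $session = New-CimSession -ComputerName $ws -Credential $cred -ErrorAction Stop
        $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
        # UserName is empty when nobody is logged on interactively.
        "${ws}: WMI access OK, logged-on user = '$($cs.UserName)'"
        Remove-CimSession -CimSession $session
    } catch {
        "${ws}: WMI query failed as ${ServiceAccount}: $($_.Exception.Message)"
    }
}
```

A failure in the second half with an access-denied message, while the first half succeeded, usually points at the User Account Control behaviour the Microsoft article describes: the account must be a domain account in the workstation's Administrators group, not merely a local user that was added to it.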

Note:
Some settings require a restart of the Collector Agent service (for example, editing the thread count under Collector Agent -> Advanced Settings; the Collector Agent auto-restarts the service after selecting OK). In such cases, an administrator account is required. It is advisable to edit settings with an administrator account first and restrict privileges afterwards.

Note:
During the troubleshooting of FSSO issues, a TAC support engineer may ask to try a domain admin/system account instead of the currently used limited access account.

This is an expected step to test whether the issue is related to the granted permission level.

Troubleshooting notes
If a service account is restricted too much, the following behaviors might be observed:
- The Collector Agent log (inside the installation directory of the Collector Agent) no longer updates or is not even created.
- Various registry error messages.
- Severe limitations on the Collector Agent side.
- Running the command diag debug app auth -1 may return messages such as the following:

Server challenge:
7b 6e 93 2d 40 37 90 24 0a 00 0e 67 92 2a 82 06
MD5 response:
1b d7 74 10 cd 29 c5 e6 53 2b 6d de a0 c5 d1 1f
_process_auth[FSSO_collector]: server authentication failed, aborting
disconnect_server_only[FSSO_collector]: disconnecting

- Connectivity on the FortiGate side is limited. A telnet to the Collector Agent on port 8000 may work (FSAE connected), yet the FortiGate fails to connect and displays the icon as red. This normally indicates a problem with the password, but it may also be resolved by changing the service account.

Related articles:
Technical Tip: Upgrading FSSO Agents
Technical Tip: Windows event IDs used by FSSO in WinSec polling mode
Technical Note: How to enable audit of logon events on Windows Server for FSSO

FortiGate FSSO FSSO Collector Agent Hardening Privileges


Contributors: bmeta, Andy_L, lmarinovic, Markus_M, Stephen_G, ssriswadpong, GiannisChari, Jean-Philippe_P, Anthony_E
