Administration Guide

SSO

FortiAuthenticator can monitor the units that make up FSSO. This is useful to ensure there is a connection to the different components when troubleshooting.

Domains

To monitor SSO domains, go to Monitor > SSO > Domains. Select Refresh to refresh the domain list. Select Expand All to expand all of the listed domains, or Collapse All to collapse the view.

All configured domain controllers appear in the domain list. Each domain controller is displayed in:

  • green if the last connection attempt was successful.
  • gray if no recent connection information is available.
  • red if the last connection attempt failed.

Hold the pointer over a domain controller to view the status of the last LDAP query, how long ago it was, and the LDAP query's response time in milliseconds (ms). This response time will show a warning icon if the highest recent response time is above 500 ms.

In addition, you can click the domain controller entry to view statistics for the 100 most recent LDAP queries. The listed response times are color-coded as follows: green for less than 500 ms, orange for between 500 and 1000 ms, and red for 1000 ms or more.
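The display rules above can be mirrored in an external health check fed by your own LDAP probe. This is an added example, not Fortinet code; the class and function names, the use of the 100-query window for the warning, and the sample values are assumptions.

```python
from collections import deque

WINDOW = 100        # the page's "100 most recent LDAP queries"
WARN_MS = 500       # warning icon when the highest recent time is above this
RED_MS = 1000       # red at or above this

def query_color(ms):
    """Color of one LDAP response time, using the page's bands."""
    if ms < WARN_MS:
        return "green"
    return "orange" if ms < RED_MS else "red"

class DomainControllerStatus:
    """Rolling view of one domain controller (hypothetical helper)."""

    def __init__(self, name):
        self.name = name
        self.last_ok = None                  # None = no recent connection info
        self.times = deque(maxlen=WINDOW)    # oldest sample drops out at 101

    def record(self, ok, ms=None):
        """Store one connection attempt; ms is given only for answered queries."""
        self.last_ok = ok
        if ok and ms is not None:
            self.times.append(ms)

    def color(self):
        if self.last_ok is None:
            return "gray"
        return "green" if self.last_ok else "red"

    def warning(self):
        # Strictly above 500 ms: a 500 ms query is orange but raises no warning.
        return bool(self.times) and max(self.times) > WARN_MS

    def summary(self):
        bands = {"green": 0, "orange": 0, "red": 0}
        for ms in self.times:
            bands[query_color(ms)] += 1
        return {"dc": self.name, "color": self.color(),
                "warning": self.warning(), "bands": bands}

# Constructed sample measurements (not taken from a real deployment).
dc1 = DomainControllerStatus("dc1.example.test")
for ms in (42, 500, 730, 1000):
    dc1.record(True, ms)
dc1.record(False)        # last attempt failed: entry turns red
print(dc1.summary())
```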

SSO sessions

To monitor SSO sessions, go to Monitor > SSO > SSO Sessions. Users can be manually logged off if required.

The following information is available:

  • Refresh: Refresh the SSO sessions list.
  • Logoff All: Log off all of the connected users.
  • Logoff Selected: Log off only the selected users.
  • Search: Enter a search term in the search field, then select Search to search the SSO sessions list.
  • Filter: Filter the SSO session list by the source of the connection and/or by Domain Group. To view SSO sessions not associated with any configured domain grouping, select Default.
  • Logon Time: When the session was started.
  • Update Time: When the session was last updated.
  • Workstation: The workstation that the user is using.
  • IP address: The IP address of the workstation.
  • Domain Grouping: The domain group to which the domain belongs.
  • Domain: The domain to which the user belongs.
  • Username: The username of the user.
  • Source: The source of the connection.
  • Group: The group to which the user belongs.

Windows event log sources

Windows event log sources can be viewed by going to Monitor > SSO > Windows Event Log Sources.

The sources list can be refreshed by selecting Refresh, and searched using the search field.

The list shows the total number of events, as well as the most recent event.

FortiGates

FortiGate units that are registered with FortiAuthenticator can be viewed at Monitor > SSO > FortiGates.

The list can be refreshed by selecting Refresh and searched using the search field. The list shows the connection time of each device, as well as its IP address and serial number.

User authentication events are logged in the FortiGate event log. See the FortiGate Handbook for more information.

DC/TS agents

Domain controller (DC) agents and terminal server (TS) agents that are registered with FortiAuthenticator can be viewed at Monitor > SSO > DC/TS Agents.

The list can be refreshed by selecting Refresh and searched using the search field.

The list shows the server name of each agent, as well as its IP address, its agent type, last connection time, connection status, and the number of logged-on users.

NTLM statistics

Dumped NTLM statistics can be viewed at Monitor > SSO > NTLM Statistics.

The statistics can be refreshed and cleared by selecting Refresh and Clear respectively.
