Agent-based FSSO for Windows AD (advanced mode)


In this recipe, you use agent-based Fortinet single sign-on (FSSO) to allow users to login to the network once with their Windows AD credentials and seamlessly access all appropriate network resources.

This example uses the FSSO agent in advanced mode. The main difference between advanced and standard mode is the naming convention used when referring to username information. Standard mode uses Windows convention: Domain\Username. Advanced mode uses LDAP convention: CN=User, OU=Name, DC=Domain.

Advanced mode is required for multi-domains environments.

1. Installing the FSSO agent on the Windows AD server

Connect to the Windows AD server and download the FSSO agent from Fortinet Support.

To install the agent, open the installer file and use the installation wizard.

Set a User Name and Password for the FSSO domain administrator.


For the Install Options, select Advanced to use advanced mode instead of standard.

After installing the FSSO agent, run Install DC Agent.

Set the Collector Agent IP address and the Collector Agent listening port.

Select the domain you wish to monitor.
Exclude any users that you don’t want to monitor, including the administrator.
Set Working Mode to DC Agent Mode

Restart your server to apply all changes.

2. Configuring the FSSO agent

To configure the settings for your network, open the FSSO agent. You can use the default for most settings.


Select Set Directory Access Information. Set AD access mode to Advanced.

3. Setting up your FortiGate for FSSO

Because you have installed FSSSO in advanced mode, you need to configure LDAP to use with FSSO.

To configure the LDAP service, go to User & Device > LDAP Servers and select Create New.

Enter all information about your LDAP server. Select Test Connectivity. If your information is correct, Connection status is Successful.

Create a Fabric Connector to the FSSO agent by going to Security Fabric > Fabric Connectors and select + Create New.

Under SSO/Identity, select Fortinet Single Sign-On Agent.

Set the Name and enter the IP address and password for the Primary FSSO Agent.

Set Collector Agent AD access mode to Advanced and set LDAP Server to the new LDAP service.

Your FortiGate displays information retrieved from the AD server. Select Groups, then right-click the FSSO group and select + Add Selected.

Select Selected. The FSSO group is shown.

To create a user group for FSSO users, go to User & Device > User Groups and select Create New.

Enter a group Name and set Type to Fortinet Single Sign-On (FSSO). Add the FSSO users to Members.

To create a policy for FSSO users, go to Policy & Objects > IPv4 Policy and select Create New.

For Source, set User to the FSSO user group.

4. Results

Log into a computer on the domain and access the Internet. The FortiGate uses FSSO for authentication and doesn’t require your credentials to be entered again.

On the FortiGate, go to Monitor > Firewall User Monitor and select Show all FSSO Logons.

For further reading, check out Agent-based FSSO in the FortiOS 6.0 Online Help.

Victoria Martin

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)