
Our problem: We are using FortiGate in our company with ~2200 clients. Most of them are using notebooks. Some people can't connect to the Internet when they come to the office after days of working in home office. Our FortiGate is configured to watch the logon events (EDIT: to be more specific, the attribute "lastlogon") of the user object on the domain controller (we have 5) and authenticate the user with the IP of the device. This fails sometimes. Our network guys are looking at this problem, but in the meantime I have to find solutions on the client side.

One workaround I found is to trigger a user logon event via PowerShell on the client:

New-PsSession -ComputerName $Env:ComputerName -ErrorAction ignore

But most of the time it creates the user logon event on one specific domain controller (mostly the default logon server), which may be the faulty one. It's the same when you lock your device and log back in.

Does somebody know another way to create a logon event via PowerShell or batch, where I can select the authenticating domain controller? Like iterating through all our domain controllers to create such an event from the client. Edit: Unfortunately, the command has to run with user permissions.

Edit: Maybe it helps if I tell you my overall goal:

  • Every client gets a scheduled task via GPO which runs in user context
  • It gets triggered by event 10000 from source Microsoft-Windows-NetworkProfile (network change)
  • A PowerShell script checks if the Internet connection is working
  • If not, the script would try to trigger a logon event on different domain controllers to be sure the FortiGate agent gets at least one of them.

Comments:

  • The FortiGate FW is likely looking for logon sessions _on the workstation_ rather than attempts to log on to the DC itself. `runas /user:domain\svc_account cmd.exe /c rem` might be enough. To ensure a specific DC is attempted first, use `nltest`: `nltest.exe /sc_reset:DomainName\TargetDC` <-- this should set `TargetDC` as the primary logon server on the local machine – Mathias R. Jessen Jan 26 '22 at 12:15
  • Every DC has software by FortiGate installed. A different server collects the logon events (I think from the Security log) from all DCs and uses this information. The command nltest.exe /sc_reset unfortunately needs admin rights. I have to create this logon event as the user, who does not have these rights. – OneBavarian Jan 26 '22 at 13:30
  • Give `[adsi]::new("LDAP://domainController.fqdn/", "svc_username", "p@ssW0rd")` a try – Mathias R. Jessen Jan 26 '22 at 13:33
  • Unfortunately not, this command doesn't create a login event – OneBavarian Jan 26 '22 at 13:40

1 Answer

Mathias has the right idea, but just creating a DirectoryEntry object (which is what [ADSI] is a type accelerator for) doesn't make a network request until you actually use it.

This will tell it to retrieve the name attribute of the root of the domain (any attribute would do - you just need it to get something):

[ADSI]::new("LDAP://domainController.fqdn", "svc_username", "p@ssW0rd").RefreshCache("name")
– Gabriel Luci
  • Sorry, this command doesn't work either. I tried different attributes, the ".Properties" method, etc. This doesn't trigger a logon event. – OneBavarian Jan 27 '22 at 07:28
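The loop sketched in the question's goal list, combined with the answer's RefreshCache bind, as an added example that is not code from the question, the answer, or Fortinet. It assumes the scheduled task runs in the user's own context, so the bind uses the user's existing Kerberos/NTLM credentials instead of a password stored in the script, and it uses ServerBind so each bind really goes to the named DC rather than to the locator's default logon server. Whether a bind of this kind is recorded as the logon the FortiGate collector watches is the open point of the thread (the asker reports it was not in their environment); the script only reports which DCs accepted the bind.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Test-InternetReachable {
    # Constructed check host; replace with whatever your environment treats as "Internet works".
    param([string]$TestHost = "www.msftconnecttest.com")
    return (Test-NetConnection -ComputerName $TestHost -Port 80 -InformationLevel Quiet `
                               -WarningAction SilentlyContinue)
}

function Invoke-LdapBindOnEachDc {
    # Enumerate the DCs of the current domain without needing the RSAT ActiveDirectory module.
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $results = @()
    foreach ($dc in $domain.DomainControllers) {
        $entry = $null
        try {
            # Secure = use the current user's Windows credentials (no password in the script).
            # ServerBind = talk to this DC only; do not let the DC locator redirect the bind.
            $entry = New-Object System.DirectoryServices.DirectoryEntry(
                "LDAP://$($dc.Name)/RootDSE", $null, $null,
                ([System.DirectoryServices.AuthenticationTypes]::Secure -bor
                 [System.DirectoryServices.AuthenticationTypes]::ServerBind))
            # Creating the object is lazy; RefreshCache actually sends the bind and the read.
            $entry.RefreshCache(@("defaultNamingContext"))
            $results += [pscustomobject]@{ DC = $dc.Name; Bound = $true;  Error = $null }
        } catch {
            $results += [pscustomobject]@{ DC = $dc.Name; Bound = $false; Error = $_.Exception.Message }
        } finally {
            if ($entry) { $entry.Dispose() }
        }
    }
    return $results
}

# Only touch the DCs when the connectivity check fails, as in the question's workflow.
if (-not (Test-InternetReachable)) {
    Invoke-LdapBindOnEachDc | Format-Table -AutoSize
}
```

Run it once by hand under the affected user and compare the Bound column with the DC's Security log to confirm whether the bind shows up at all before wiring it into the scheduled task.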