Active to passive auth - just a bit of difference. With active auth, you are authenticating against the DC every time access is required; with FSSO you have passive authentication. The DC validates the user and matches the group created on the firewall. Users no longer have to authenticate twice. Once they log on to the PC, the DC sends a query back to the FortiGate using ports 8000 and 8002 (can be changed) along with the DNS name of the user's machine, group info, etc. FSSO user sessions are active as long as the user is active on the PC; firewall auth sessions are limited and will expire, triggering re-auth.