Configure FortiDeceptor for admin access authentication from Active Directory
To configure FortiDeceptor to authenticate from the Active Directory (AD) server, prepare and import a signed server certificate into FortiAuthenticator. Next you will configure the LDAP service and add the local user to the LDAP directory tree in FortiAuthenticator. Then you will import the server certificate and configure the LDAP server in FortiDeceptor.
FortiDeceptor admin access authentication from FortiAuthenticator
To configure FortiDeceptor admin access authentication front FortiAuthenticator using LDAP:
- Prepare the certificate.
- Import the signed server certificate to FortiAuthenticator.
- Import the RootCA to FortiAuthenticator.
- Configure the FortiAuthenticator LDAP Service.
- Add the local user the LDAP Directory Tree.
- Import the RootCA into FortiDeceptor.
- Configure the LDAP server in FortiDeceptor.
1. Prepare the certificate
If you are not using LDAP, you can proceed directly to Step 5: Create LDAP Directory Tree.
To prepare the certificate:
- Create a Certificate Signing Request (CSR) and private key.
- Sign the CSR with either a public Certifcate Authority (CA) or your own RootCA. For the purpose of this example, we will be using a self-created RootCA.
2. Import the signed server certificate to FortiAuthenticator
- Log in to FortiAuthenticator.
- Go to Certificate Management > End Entities > Local Services and click Import.
- Select Choose File to locate the certificate file on your computer.
- Select OK to import the certificate.
For more information, see Certificate Management > End Entities in the FortiAuthenticator Administration Guide.
3. Import the RootCA to FortiAuthenticator
- Go to Certificate Management > Certificate Authorities > Local CAs.
- Click Create New and configure the certificate settings.
- Click OK to create the new certificate.
For more information, see Certificate Management > Certifcate Authorities > Local CAs in the FortiAuthenticator Administration Guide.
4. Configure the FortiAuthenticator LDAP Service
- In FortiAuthenticator, go to Authentication > LDAP Service > General.
- From the LDAP server certificate dropdown, select the server certificate you imported.
- From the CA certificate that issued the server certificate dropdown, select RootCA and click OK.
5. Add the local user the LDAP Directory Tree
- In FortiAuthenticator, from the LDAP directory tree, select the green plus (+) symbol next to the DN entry where you want to add the node. The Create New LDAP Entry window opens.
- In the Class field, select the identifier to use.
- Select the required value from the dropdown menu, or select Create New to create a new entry of the selected class.
- Click OK.
For more information, see Creating the directory tree in the in the FortiAuthenticator Administration Guide.
6. Import the RootCA into FortiDeceptor
If you are not using LDAP, proceed to Step 7. Configure the LDAP server in FortiDeceptor.
- In FortiDeceptor, go to System > Certificates and click Import.
- In the Certifcate field, click Browse and upload a copy of the RootCA certificate you imported to FortiAuthenticator in Step 3 Import the RootCA to FortiAuthenticator.
- Configure the rest of the certificate settings and click OK.
For more information, see Certificates.
7. Configure the LDAP server in FortiDeceptor
- In FortiDeceptor, go to System > LDAP servers and click Create New. The New LDAP Server page opens.
- Configure the LDAP settings keeping the following considerations in mind:
Common Name The Common Name must match the node you created in the LDAP tree. Enable Secure Connection When enabled, you must select the RootCA you imported from the CA Certificate dropdown. - Click OK.