Fortinet Document Library


New Features

6.2.0

NTLM Extensions

FortiOS 6.2 extends agentless Windows NT LAN Manager (NTLM) authentication to include support for the following items:

  • Multiple servers
  • Individual users

Previously, only one server and only group matching were supported.

You can now use multiple domain controller servers for agentless NTLM, which gives load balancing across the controllers and keeps authentication available if one of them is unreachable.

You can also use user-based matching in groups for Kerberos and agentless NTLM. For Kerberos and agentless NTLM, FortiOS matches the user's group information from an LDAP server.

To support multiple domain controllers for agentless NTLM:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password ENC PD0++FaJxGwPta/dE4GFboqOJpk4WNHk12JAMBQrn6s3hkMWlhN+Hg36ULQOMl9/OvbJ7lJFgPnpFv8Z4QnZeBtzIcqenr2jmcYPTsbegmSjEPyO6/vl4rX5ZRfF2l3adKcCf56575TkRpIdlYELBpc44eNfoxA2KWqmANKkzOnv2w12eDEXanXkHaDgs8WBBnvZnQ==
        next
    end

  2. Configure multiple Domain Controllers:

    config user domain-controller
        edit "dc1"
            set ip-address 172.18.62.177
            config extra-server
                edit 1
                    set ip-address 172.18.62.220
                next
            end
            set ldap-server "ldap-kerberos"
        next
    end

  3. Create an authentication scheme and rule:

    config authentication scheme
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next
    end

    config authentication rule
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next
    end

  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy
        edit 1
            set uuid 6cfe58e4-2ff1-51e9-6b4c-a7d4a8db0f30
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This configuration uses a round-robin method. When the first user logs in, FortiGate sends the authentication request to the first domain controller. When another user logs in later, FortiGate sends that authentication request to the next domain controller. After a user has successfully logged in, you can verify the behavior with the following CLI command:

    FGT_A (vdom1) # diagnose wad user list
    ID: 1825, IP: 10.1.100.71, VDOM: vdom1
      user name   : test1
      duration    : 497
      auth_type   : Session
      auth_method : NTLM
      pol_id      : 1
      g_id        : 5
      user_based  : 0
      expire      : 103
      LAN:
        bytes_in=2167 bytes_out=7657
      WAN:
        bytes_in=3718 bytes_out=270

To support individual users for agentless NTLM:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password ENC PD0++FaJxGwPta/dE4GFboqOJpk4WNHk12JAMBQrn6s3hkMWlhN+Hg36ULQOMl9/OvbJ7lJFgPnpFv8Z4QnZeBtzIcqenr2jmcYPTsbegmSjEPyO6/vl4rX5ZRfF2l3adKcCf56575TkRpIdlYELBpc44eNfoxA2KWqmANKkzOnv2w12eDEXanXkHaDgs8WBBnvZnQ==
        next
    end

  2. Configure a user group and allow user-based matching in the group:

    config user group
        edit "ldap-group"
            set member "ldap" "ldap-kerberos"
            config match
                edit 1
                    set server-name "ldap-kerberos"
                    set group-name "test1"
                next
            end
        next
    end

  3. Create an authentication scheme and rule:

    config authentication scheme
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next
    end

    config authentication rule
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next
    end

  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy
        edit 1
            set uuid 6cfe58e4-2ff1-51e9-6b4c-a7d4a8db0f30
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This configuration lets you match a single user instead of a whole group, so FortiGate allows only the user named test1 through the group. You can verify the configuration with the following CLI command:

    diagnose wad user list
    ID: 1827, IP: 10.1.15.25, VDOM: vdom1
      user name   : test1
      duration    : 161
      auth_type   : Session
      auth_method : NTLM
      pol_id      : 1
      g_id        : 5
      user_based  : 0
      expire      : 439
      LAN:
        bytes_in=1309 bytes_out=4410
      WAN:
        bytes_in=2145 bytes_out=544
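Both procedures above end with reading `diagnose wad user list` by eye. The following Python is an added example, not Fortinet code, that parses that output into one record per session and checks every session against the user, authentication method and policy ID you expect, which is the check an operator wants when confirming that only the intended user (here test1) is being authorized and that the NTLM scheme, not some fallback, is in use. The sample text is constructed from the two captures on this page; the `key : value` layout, including the possibility of two pairs on one line (`pol_id : 1 g_id : 5`), is an assumption about how the device prints the record, so the parser is deliberately tolerant of it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the page's two "diagnose wad user list" captures
# (the second record keeps pol_id and g_id on separate lines, the first puts them
# on one line, so both layouts are exercised).
SAMPLE_OUTPUT = """\
FGT_A (vdom1) # diagnose wad user list
ID: 1825, IP: 10.1.100.71, VDOM: vdom1
  user name   : test1
  duration    : 497
  auth_type   : Session
  auth_method : NTLM
  pol_id      : 1     g_id : 5
  user_based  : 0
  expire      : 103
  LAN:
    bytes_in=2167 bytes_out=7657
  WAN:
    bytes_in=3718 bytes_out=270
ID: 1827, IP: 10.1.15.25, VDOM: vdom1
  user name   : test1
  duration    : 161
  auth_type   : Session
  auth_method : NTLM
  pol_id      : 1
  g_id        : 5
  user_based  : 0
  expire      : 439
  LAN:
    bytes_in=1309 bytes_out=4410
  WAN:
    bytes_in=2145 bytes_out=544
"""

HEADER_RE = re.compile(r"^ID:\s*(\d+),\s*IP:\s*(\S+),\s*VDOM:\s*(\S+)")
# "pol_id : 1" style pairs; several pairs may share one line, keys may contain spaces.
KV_RE = re.compile(r"([a-z_ ]+?)\s*:\s*(\S+)")
BYTES_RE = re.compile(r"bytes_in=(\d+)\s+bytes_out=(\d+)")


@dataclass
class WadUserSession:
    id: int
    ip: str
    vdom: str
    fields: dict = field(default_factory=dict)     # user name, auth_method, pol_id, ...
    counters: dict = field(default_factory=dict)   # {"LAN": (bytes_in, bytes_out), "WAN": ...}


def parse_wad_user_list(text):
    """Split the command output into WadUserSession records, one per 'ID:' header."""
    sessions = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = WadUserSession(int(m.group(1)), m.group(2), m.group(3))
            sessions.append(current)
            section = None
            continue
        if current is None:
            continue  # prompt / command echo before the first record
        if line in ("LAN:", "WAN:"):
            section = line[:-1]
            continue
        b = BYTES_RE.search(line)
        if b and section:
            current.counters[section] = (int(b.group(1)), int(b.group(2)))
            section = None
            continue
        for key, value in KV_RE.findall(line):
            current.fields[key.strip()] = value
    return sessions


def audit_sessions(sessions, allowed_users, expected_method="NTLM", expected_pol_id=1):
    """Return (session id, reason) for every session that does not match expectations."""
    problems = []
    for s in sessions:
        user = s.fields.get("user name")
        if user not in allowed_users:
            problems.append((s.id, f"unexpected user {user!r}"))
        method = s.fields.get("auth_method")
        if method != expected_method:
            problems.append((s.id, f"auth_method {method!r}, expected {expected_method!r}"))
        if s.fields.get("pol_id") != str(expected_pol_id):
            problems.append((s.id, f"pol_id {s.fields.get('pol_id')!r}, expected {expected_pol_id}"))
    return problems


def traffic_by_user(sessions, side="WAN"):
    """Sum bytes_in + bytes_out on one side (LAN or WAN) per user across all sessions."""
    totals = {}
    for s in sessions:
        if side in s.counters:
            user = s.fields.get("user name", "?")
            totals[user] = totals.get(user, 0) + sum(s.counters[side])
    return totals


if __name__ == "__main__":
    sessions = parse_wad_user_list(SAMPLE_OUTPUT)
    for p in audit_sessions(sessions, allowed_users={"test1"}):
        print("PROBLEM:", p)
    print("WAN bytes per user:", traffic_by_user(sessions))
```

Feed it the captured output of the command rather than the constructed sample; an empty list from `audit_sessions` means every current session belongs to an allowed user, was authenticated with the NTLM scheme and hit the policy you configured, and any session that fails one of those checks is listed with its ID so it can be inspected on the device.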
