Fortinet black logo

New Features

Syntax update for Microsoft compatibility  6.2.1

Copy Link
Copy Doc ID 761d83e3-4a7b-11e9-94bf-00505692583a:326509
Download PDF

Syntax update for Microsoft compatibility 6.2.1

FortiGates deployed in an explicit proxy environment supports the syntax \domain\user to support Microsoft backward compatibility authentication. In this version, both the syntax user@domain and \domain\user are supported.

To configure LDAP user and groups:
show user ldap ldap-kerberos
config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password ENC
MTAwNFfjyN9z/vpN/OIOIx+nH3XWOCEu37dfjDACEUuX/iHiKWLtg48dv8zfY5irbcl6/2j9Ti5+zuDQYLc2f/BSUAfjALZqbL4Z/CwvSg+kgExmG7RUfFoIoL+Ir11TKue2IissXuQKzjTuB5Hu8CtM9wrmqJwsVsTrksT8yFZz71JV6/M3SbezFof2yNNy2nBxGw== next end
config user group
    edit "ldap-group"
        set member "ldap-kerberos"
    next
end
To configure authentication rule and scheme:
config authentication scheme
    edit "au-basic"
        set method basic
        set user-database "ldap-kerberos"
    next
end
config authentication rule
    edit "all"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "au-basic"
    next
To configure a group in web proxy policy:
config firewall proxy-policy
    edit 1
        set uuid 32a4ef88-7e7e-51e9-ccd3-9e979b2f25d1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "ldap-group"
        set utm-status enable
        set ssl-ssh-profile "deep-custom"
        set av-profile "av"
        set replacemsg-override-group "auth-proxy-policy-1558741043926"
        set comments "Clone of 1"
    next
end

When you send traffic, the browser prompts for authentication by username and domain.

To verify that the user is logged in:
diagnose wad user list
ID: 1, IP: 10.1.100.13, VDOM: vdom1
  user name   : test1
  duration    : 135
  auth_type   : Session
  auth_method : Basic
  pol_id      : 6
  g_id        : 5
  user_based  : 0
  expire      : 575
  LAN:
    bytes_in=2070 bytes_out=6496
  WAN:

Syntax update for Microsoft compatibility 6.2.1

FortiGates deployed in an explicit proxy environment supports the syntax \domain\user to support Microsoft backward compatibility authentication. In this version, both the syntax user@domain and \domain\user are supported.

To configure LDAP user and groups:
show user ldap ldap-kerberos
config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password ENC
MTAwNFfjyN9z/vpN/OIOIx+nH3XWOCEu37dfjDACEUuX/iHiKWLtg48dv8zfY5irbcl6/2j9Ti5+zuDQYLc2f/BSUAfjALZqbL4Z/CwvSg+kgExmG7RUfFoIoL+Ir11TKue2IissXuQKzjTuB5Hu8CtM9wrmqJwsVsTrksT8yFZz71JV6/M3SbezFof2yNNy2nBxGw== next end
config user group
    edit "ldap-group"
        set member "ldap-kerberos"
    next
end
To configure authentication rule and scheme:
config authentication scheme
    edit "au-basic"
        set method basic
        set user-database "ldap-kerberos"
    next
end
config authentication rule
    edit "all"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "au-basic"
    next
To configure a group in web proxy policy:
config firewall proxy-policy
    edit 1
        set uuid 32a4ef88-7e7e-51e9-ccd3-9e979b2f25d1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "ldap-group"
        set utm-status enable
        set ssl-ssh-profile "deep-custom"
        set av-profile "av"
        set replacemsg-override-group "auth-proxy-policy-1558741043926"
        set comments "Clone of 1"
    next
end

When you send traffic, the browser prompts for authentication by username and domain.

To verify that the user is logged in:
diagnose wad user list
ID: 1, IP: 10.1.100.13, VDOM: vdom1
  user name   : test1
  duration    : 135
  auth_type   : Session
  auth_method : Basic
  pol_id      : 6
  g_id        : 5
  user_based  : 0
  expire      : 575
  LAN:
    bytes_in=2070 bytes_out=6496
  WAN: