Obtain full user information through the MS Exchange connector
FortiGate can collect additional information about authenticated users from corporate MS Exchange servers. After a user logs in, the additional information can be viewed in various parts of the GUI.
The Exchange connector must be mapped to the LDAP server that is used for authentication.
The following attributes are retrieved:
- USER_INFO_FULL_NAME
- USER_INFO_COMPANY
- USER_INFO_CITY
- USER_INFO_FIRST_NAME
- USER_INFO_DEPARTMENT
- USER_INFO_STATE
- USER_INFO_LAST_NAME
- USER_INFO_GROUP
- USER_INFO_POSTAL_CODE
- USER_INFO_LOGON_NAME
- USER_INFO_TITLE
- USER_INFO_COUNTRY
- USER_INFO_TELEPHONE
- USER_INFO_MANAGER
- USER_INFO_ACCOUNT_EXPIRES
- USER_INFO_EMAIL
- USER_INFO_STREET
- USER_INFO_USER_PHOTO
- USER_INFO_POST_OFFICE_BOX
This example shows the configuration and verification in the CLI.
To configure and use an Exchange connector:
- Configure the Exchange user:
    config user exchange
        edit "exchange140"
            set server-name "W2K8-SERV1"
            set domain-name "FORTINET-FSSO.COM"
            set username "Administrator"
            set password **********
            set ip 10.1.100.140
            set kdc-ip "10.1.100.131"
        next
    end
Where:
- server-name: The hostname of the Exchange server.
- domain-name: The Active Directory domain name.
- username: The username that FortiGate uses to connect to the Exchange server.
- password: The password that FortiGate uses to connect to the Exchange server.
- ip: The IP address of the Exchange server.
- kdc-ip: The IP address of the Global Catalog server.
For details about other commands, see the FortiOS CLI Reference.
- Set the Exchange server in the LDAP user:
    config user ldap
        edit "AD-ldap"
            set server "10.1.100.131"
            set server-identity-check disable
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password **********
            set secure ldaps
            set port 636
            set password-renewal enable
            set user-info-exchange-server "exchange140"
        next
    end
To check the collected information after the user has been authenticated:
- In the GUI, go to Monitor > Firewall User Monitor and hover over the user name.
- In the CLI, run the following command:
    # diagnose wad user info 20 test1
    'username' = 'test1'
    'sourceip' = '10.1.100.185'
    'vdom' = 'root'
    'cn' = 'test1'
    'givenName' = 'test1'
    'sn' = 'test101'
    'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
    'telephoneNumber' = '604-123456'
    'mail' = 'test1@fortinet-fsso.com'
    'thumbnailPhoto' = '/tmp/wad/user_info/76665fff62ffffffffffffffffffff75ff68fffffffffa'
    'company' = 'Fortinet'
    'department' = 'Release QA'
    'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
    'streetAddress' = 'One Backend Street 1901'
    'l' = 'Burnaby'
    'st' = 'BC'
    'postalCode' = '4711'
    'co' = 'Canada'
    'accountExpires' = '9223372036854
If the results are not as expected, use the following commands to verify what information FortiGate can collect from the Exchange server:
    diagnose test application wad 2500
    diagnose test application wad 162
You can also enable debugging during user authentication:
    diagnose wad debug enable level verbose
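As an added example (not part of the FortiOS documentation or of FortiGate itself), the following Python parses the `'key' = 'value'` lines of the `diagnose wad user info` output shown above, collects the repeated memberOf entries into a list, and reports which expected attributes were not collected, which is a quick way to confirm the connector is returning the group and identity data your policies depend on. The sample output is constructed, and the USER_INFO_* to LDAP attribute mapping is an assumption (the page lists both names but does not map them).

```python
import re

# Constructed sample modelled on the 'diagnose wad user info' output above.
# Values are made up; 'title' is deliberately absent so a gap gets reported.
SAMPLE_OUTPUT = """\
'username' = 'test1'
'cn' = 'test1'
'givenName' = 'test1'
'sn' = 'test101'
'mail' = 'test1@fortinet-fsso.com'
'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'department' = 'Release QA'
'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
"""

# Assumed mapping from USER_INFO_* names to the LDAP attribute names seen in
# the diagnose output; adjust to match what your own FortiGate reports.
EXPECTED_ATTRS = {
    "USER_INFO_FULL_NAME": "cn",
    "USER_INFO_FIRST_NAME": "givenName",
    "USER_INFO_LAST_NAME": "sn",
    "USER_INFO_EMAIL": "mail",
    "USER_INFO_GROUP": "memberOf",
    "USER_INFO_DEPARTMENT": "department",
    "USER_INFO_MANAGER": "manager",
    "USER_INFO_TITLE": "title",
}

LINE_RE = re.compile(r"^'([^']+)'\s*=\s*'(.*)'$")

def parse_user_info(text):
    """Parse "'key' = 'value'" lines into a dict; repeated keys become lists."""
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips the echoed command and blank lines
        key, value = m.groups()
        info.setdefault(key, []).append(value)
    return info

def missing_attributes(info, expected=EXPECTED_ATTRS):
    """Return USER_INFO_* names whose LDAP attribute is absent from the output."""
    return sorted(name for name, attr in expected.items() if attr not in info)

def group_cns(info):
    """CN of each memberOf DN, e.g. 'CN=g1,OU=Testing,...' -> 'g1'."""
    return [dn.split(",", 1)[0][3:] for dn in info.get("memberOf", [])
            if dn.upper().startswith("CN=")]
```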