NTLM extensions

In FortiOS, agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:

  • Multiple servers
  • Individual users

You can configure multiple domain controllers for agentless NTLM. The FortiGate distributes authentication requests across them, which provides load balancing and keeps authentication available if one domain controller is unreachable.

You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS matches the user's group information from an LDAP server.

To support multiple domain controllers for agentless NTLM using the CLI:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password **********
        next
    end

  2. Configure multiple domain controllers:

    config user domain-controller
        edit "dc1"
            set ip-address 172.18.62.177
            config extra-server
                edit 1
                    set ip-address 172.18.62.220
                next
            end
            set ldap-server "ldap-kerberos"
        next
    end

  3. Create an authentication scheme and rule:

    config authentication scheme
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next
    end

    config authentication rule
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next
    end

  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy
        edit 1
            set uuid 6cfe58e4-2ff1-51e9-6b4c-a7d4a8db0f30
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This configuration distributes requests in a round-robin fashion. When the first user logs in, the FortiGate sends the authentication request to the first domain controller. When another user logs in later, the FortiGate sends that authentication request to the next domain controller.

  5. Verify the behavior after the user successfully logs in:

    # diagnose wad user list
    ID: 1825, IP: 10.1.100.71, VDOM: vdom1
    user name : test1
    duration : 497
    auth_type : Session
    auth_method : NTLM
    pol_id : 1
    g_id : 5
    user_based : 0
    expire : 103
    LAN:
    bytes_in=2167 bytes_out=7657
    WAN:
    bytes_in=3718 bytes_out=270

To support individual users for agentless NTLM using the CLI:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password **********
        next
    end

  2. Configure the user group and allow user-based matching:

    config user group
        edit "ldap-group"
            set member "ldap" "ldap-kerberos"
            config match
                edit 1
                    set server-name "ldap-kerberos"
                    set group-name "test1"
                next
            end
        next
    end

  3. Create an authentication scheme and rule:

    config authentication scheme
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next
    end

    config authentication rule
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next
    end

  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy
        edit 1
            set uuid 6cfe58e4-2ff1-51e9-6b4c-a7d4a8db0f30
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This implementation lets you match a single user instead of a whole LDAP group. The FortiGate now allows the user named test1 through the policy.

    To verify the configuration using the CLI:

    # diagnose wad user list
    ID: 1827, IP: 10.1.15.25, VDOM: vdom1
    user name : test1
    duration : 161
    auth_type : Session
    auth_method : NTLM
    pol_id : 1
    g_id : 5
    user_based : 0
    expire : 439
    LAN:
    bytes_in=1309 bytes_out=4410
    WAN:
    bytes_in=2145 bytes_out=544
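Both verification steps on this page read the `diagnose wad user list` output by eye. When many sessions are listed, it is easier to parse the output and check each session programmatically. The following Python script is an added example and is not Fortinet documentation or FortiOS code: it parses the text format shown above into one record per session (the sample output is constructed from the two records on this page) and flags sessions that did not authenticate with NTLM, that belong to a user outside an expected set, or that matched a proxy policy other than the one carrying the NTLM group. The function names, the record field names, and the `allowed_users` and `pol_id` parameters are the example's own choices.

```python
import re

# Constructed sample: the two session records shown on this page, in the
# text format that 'diagnose wad user list' prints (not captured from a device).
SAMPLE_OUTPUT = """\
ID: 1825, IP: 10.1.100.71, VDOM: vdom1
user name : test1
duration : 497
auth_type : Session
auth_method : NTLM
pol_id : 1 g_id : 5
user_based : 0
expire : 103
LAN:
bytes_in=2167 bytes_out=7657
WAN:
bytes_in=3718 bytes_out=270
ID: 1827, IP: 10.1.15.25, VDOM: vdom1
user name : test1
duration : 161
auth_type : Session
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : 439
LAN:
bytes_in=1309 bytes_out=4410
WAN:
bytes_in=2145 bytes_out=544
"""

# Each session starts with an "ID: ..., IP: ..., VDOM: ..." header line.
HEADER_RE = re.compile(r"^ID:\s*(\d+),\s*IP:\s*(\S+),\s*VDOM:\s*(\S+)$")
# 'key : value' fields and 'key=value' counters; several may share one line.
PAIR_RE = re.compile(r"([A-Za-z_ ]+?)\s*[:=]\s*(\S+)")


def parse_wad_user_list(text):
    """Turn the raw command output into a list of dicts, one per session."""
    sessions = []
    current = None
    section = None  # "lan" or "wan" while inside a byte-counter block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {"id": int(header.group(1)),
                       "ip": header.group(2),
                       "vdom": header.group(3)}
            sessions.append(current)
            section = None
            continue
        if current is None:
            continue  # text before the first record (prompt echo, banners)
        if line in ("LAN:", "WAN:"):
            section = line[:-1].lower()
            continue
        for key, value in PAIR_RE.findall(line):
            key = key.strip().replace(" ", "_")   # "user name" -> "user_name"
            if section and key.startswith("bytes_"):
                key = f"{section}_{key}"          # "lan_bytes_in", "wan_bytes_out"
            current[key] = int(value) if value.isdigit() else value
    return sessions


def audit_sessions(sessions, allowed_users, pol_id):
    """Return (session id, problem) pairs for sessions that did not
    authenticate with NTLM, belong to an unexpected user, or matched a
    different proxy policy than the one the NTLM group is attached to."""
    findings = []
    for s in sessions:
        if s.get("auth_method") != "NTLM":
            findings.append((s["id"], f"auth_method {s.get('auth_method')!r}, expected 'NTLM'"))
        if s.get("user_name") not in allowed_users:
            findings.append((s["id"], f"user {s.get('user_name')!r} is not an expected user"))
        if s.get("pol_id") != pol_id:
            findings.append((s["id"], f"matched policy {s.get('pol_id')}, expected {pol_id}"))
    return findings


if __name__ == "__main__":
    parsed = parse_wad_user_list(SAMPLE_OUTPUT)
    for s in parsed:
        print(s["id"], s["ip"], s["user_name"], s["auth_method"], "expires in", s["expire"])
    # With the page's configuration, the only expected user is test1 on proxy policy 1.
    print("findings:", audit_sessions(parsed, {"test1"}, pol_id=1))
```

The parser keeps the `pol_id` and `g_id` fields whether they appear on one line (as in the first output above) or on separate lines (as in the second), so it can be fed the output of either procedure unchanged. In practice, paste the device output in place of `SAMPLE_OUTPUT` and put the users you expect the match entry to admit in `allowed_users`; a non-empty findings list means a session reached the proxy policy in a way the configuration did not intend.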
