Agentless NTLM authentication for web proxy

Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:

  • Multiple servers
  • Individual users

You can configure multiple domain controllers for agentless NTLM. They provide load balancing and higher availability of the authentication service.

You can also use user-based group matching for Kerberos and agentless NTLM. In these scenarios, FortiOS looks up the user's group membership on an LDAP server.

To support multiple domain controllers for agentless NTLM using the CLI:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end
  2. Configure multiple domain controllers:

    config user domain-controller
        edit "dc1"
            set ip-address 172.18.62.177 
            config extra-server
                edit 1
                    set ip-address 172.18.62.220 
                next 
            end
            set ldap-server "ldap-kerberos" 
        next 
    end
  3. Create an authentication scheme and rule:

    config authentication scheme 
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next 
    end
    config authentication rule 
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next 
    end
  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy     
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all" 
            set dstaddr "all" 
            set service "web" 
            set action accept 
            set schedule "always" 
            set groups "ldap-group"
            set utm-status enable 
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication request to the first domain controll
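As an added example (not FortiOS code or Fortinet documentation), the following Python script parses the CLI text of steps 1 to 3 into nested dictionaries and checks that the references between the objects resolve: each NTLM authentication scheme must point at an existing domain controller, that controller must name an existing LDAP server for the group lookup, and it must carry at least one extra-server, otherwise the round-robin has nothing to distribute. The embedded sample is constructed from the steps above with the step 4 proxy policy omitted.

```python
import shlex
SAMPLE = """
config user ldap
    edit "ldap-kerberos"
    next
end
config user domain-controller
    edit "dc1"
        set ip-address 172.18.62.177
        config extra-server
            edit 1
                set ip-address 172.18.62.220
            next
        end
        set ldap-server "ldap-kerberos"
    next
end
config authentication scheme
    edit "au-ntlm"
        set method ntlm
        set domain-controller "dc1"
    next
end
"""

def parse(text):
    """Nest FortiOS 'config/edit/set/next/end' lines into dicts."""
    stack = [{}]                           # stack[-1] is the open table/entry
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):   # descend into a table or entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":              # attribute of the current entry
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):    # climb back out
            stack.pop()
    return stack[0]

def check(cfg):
    """Follow each NTLM scheme -> domain-controller -> ldap-server / extra-server."""
    out = []
    for name, scheme in cfg.get("authentication scheme", {}).items():
        if scheme.get("method") != "ntlm":
            continue
        dc = cfg.get("user domain-controller", {}).get(scheme.get("domain-controller"))
        if dc is None:
            out.append(f"{name}: domain-controller not found")
        elif dc.get("ldap-server") not in cfg.get("user ldap", {}):
            out.append(f"{name}: ldap-server on the domain controller not found")
        elif not dc.get("extra-server"):
            out.append(f"{name}: only one domain controller, nothing to round-robin")
    return out
```

Running `check(parse(SAMPLE))` on a configuration exported with `show` gives an empty list when the chain is intact and one message per broken scheme otherwise.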