Agentless NTLM authentication for web proxy
Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:
- Multiple servers
- Individual users
You can use multiple domain controller servers for the agentless NTLM. They can be used for load balancing and high service stability.
You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS matches the user's group information from an LDAP server.
To support multiple domain controllers for agentless NTLM using the CLI:
-
Configure an LDAP server:
config user ldap edit "ldap-kerberos" set server "172.18.62.177" set cnid "cn" set dn "dc=fortinetqa,dc=local" set type regular set username "CN=root,CN=Users,DC=fortinetqa,DC=local" set password ********* next end -
Configure multiple domain controllers:
config user domain-controller edit "dc1" set ip-address 172.18.62.177 config extra-server edit 1 set ip-address 172.18.62.220 next end set ldap-server "ldap-kerberos" next end -
Create an authentication scheme and rule:
config authentication scheme edit "au-ntlm" set method ntlm set domain-controller "dc1" next endconfig authentication rule edit "ru-ntlm" set srcaddr "all" set ip-based disable set active-auth-method "au-ntlm" next end -
In the proxy policy, append the user group for authorization:
config firewall proxy-policy edit 1 set proxy explicit-web set dstintf "port1" set srcaddr "all" set dstaddr "all" set service "web" set action accept set schedule "always" set groups "ldap-group" set utm-status enable set av-profile "av" set ssl-ssh-profile "deep-custom" next endThis configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication request to the first domain controller. Later when another user logs in, the FortiGate sends the authentication request to another domain controller.
-
Verify the behavior after the user successfully logs in:
# diagnose wad user list ID: 1825, IP: 10.1.100.71, VDOM: vdom1 user name : test1 duration : 497 auth_type : Session auth_method : NTLM pol_id : 1 g_id : 5 user_based : 0 e xpire : 103 LAN: bytes_in=2167 bytes_out=7657 WAN: bytes_in=3718 bytes_out=270
To support individual users for agentless NTLM using the CLI:
-
Configure an LDAP server:
config user ldap edit "ldap-kerberos" set server "172.18.62.177" set cnid "cn" set dn "dc=fortinetqa,dc=local" set type regular set username "CN=root,CN=Users,DC=fortinetqa,DC=local" set password ********* next end -
Configure the user group and allow user-based matching:
config user group edit "ldap-group" set member "ldap" "ldap-kerberos" config match edit 1 set server-name "ldap-kerberos" set group-name "test1" next end next end -
Create an authentication scheme and rule:
config authentication scheme edit "au-ntlm" set method ntlm set domain-controller "dc1" next endconfig authentication rule edit "ru-ntlm" set srcaddr "all" set ip-based disable set active-auth-method "au-ntlm" next end -
In the proxy policy, append the user group for authorization:
config firewall proxy-policy edit 1 set proxy explicit-web set dstintf "port1" set srcaddr "all" set dstaddr "all" set service "web" set action accept set schedule "always" set groups "ldap-group" set utm-status enable set av-profile "av" set ssl-ssh-profile "deep-custom" next endThis implementation lets you configure a single user instead of a whole group. The FortiGate will now allow the user named
test1.To verify the configuration using the CLI:
diagnose wad user list ID: 1827, IP: 10.1.15.25, VDOM: vdom1 user name : test1 duration : 161 auth_type : Session auth_method : NTLM pol_id : 1 g_id : 5 user_based : 0 expire : 439 LAN: bytes_in=1309 bytes_out=4410 WAN: bytes_in=2145 bytes_out=544