Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:
- Multiple servers
- Individual users
You can configure multiple domain controllers for agentless NTLM. The FortiGate spreads authentication requests across them for load balancing and for higher availability of the service.
You can also match users to groups for both Kerberos and agentless NTLM. In these scenarios, FortiOS looks up the user's group membership on an LDAP server and uses it for authorization in the proxy policy.
Configure an LDAP server. Note that this example uses a simple bind over plain LDAP, so the bind credentials cross the network in cleartext; in production, set secure ldaps (port 636) and a CA certificate on the LDAP server entry.
config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end
Configure multiple domain controllers (the first ip-address is the primary, and each extra-server entry adds another controller):
config user domain-controller
    edit "dc1"
        set ip-address 172.18.62.177
        config extra-server
            edit 1
                set ip-address 172.18.62.220
            next
        end
        set ldap-server "ldap-kerberos"
    next
end
Create an authentication scheme that uses NTLM against the domain controller entry, and an authentication rule that applies it:
config authentication scheme
    edit "au-ntlm"
        set method ntlm
        set domain-controller "dc1"
    next
end

config authentication rule
    edit "ru-ntlm"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "au-ntlm"
    next
end
In the proxy policy, add the LDAP user group so that authenticated users are authorized against their group membership:
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set groups "ldap-group"
        set utm-status enable
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
    next
end
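Before committing the configuration above, it is worth confirming that every domain controller in the round-robin set and the LDAP server actually answer on the ports the feature relies on; a controller that is listed but unreachable shows up as intermittent authentication failures for whichever users land on it. The following preflight check is an added example, not FortiOS or Fortinet code. It reuses the addresses from the configuration on this page; the port numbers (445 for the NTLM exchange with the domain controller, 389 for the LDAP group lookup) and the probe function are assumptions of this example.

```python
"""Preflight reachability check for the agentless NTLM setup on this page.

Example code, not FortiOS code. Addresses come from the configuration above;
the ports and the probe are assumptions of this example.
"""
import socket
from typing import Callable, Dict, List

# Addresses taken from the configuration on this page.
PRIMARY_DC = "172.18.62.177"      # config user domain-controller -> set ip-address
EXTRA_DCS = ["172.18.62.220"]     # config extra-server entries, in edit order
LDAP_SERVER = "172.18.62.177"     # config user ldap -> set server

# Assumption: the FortiGate talks SMB (445) to the DC for NTLM and LDAP (389)
# to the LDAP server for group lookup. Use 636 if `set secure ldaps` is set.
DC_PORTS = {"smb": 445}
LDAP_PORTS = {"ldap": 389}

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dc_round_robin_order(primary: str, extra: List[str]) -> List[str]:
    """Controllers in the order the page describes: primary first, then extras."""
    return [primary] + list(extra)


def preflight(dcs: List[str], ldap_server: str,
              probe: Probe = tcp_probe) -> Dict[str, Dict[str, bool]]:
    """Probe every DC on DC_PORTS and the LDAP server on LDAP_PORTS.

    Returns {"dc <ip>": {port_name: reachable}, ..., "ldap <ip>": {...}}.
    """
    report: Dict[str, Dict[str, bool]] = {}
    for ip in dcs:
        report[f"dc {ip}"] = {name: probe(ip, port) for name, port in DC_PORTS.items()}
    report[f"ldap {ldap_server}"] = {
        name: probe(ldap_server, port) for name, port in LDAP_PORTS.items()
    }
    return report


def unreachable(report: Dict[str, Dict[str, bool]]) -> List[str]:
    """Entries with at least one closed port; an empty list means all targets answered."""
    return [entry for entry, ports in report.items() if not all(ports.values())]


if __name__ == "__main__":
    order = dc_round_robin_order(PRIMARY_DC, EXTRA_DCS)
    rep = preflight(order, LDAP_SERVER)
    for entry, ports in rep.items():
        print(entry, ports)
    bad = unreachable(rep)
    print("all targets reachable" if not bad else f"unreachable: {bad}")
```

Run it from a host on the same network segment as the FortiGate's interface toward the domain controllers; a probe from an unrelated workstation only tells you the service is up, not that the FortiGate's own path to it is open.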
This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication request to the first domain controll