Agentless NTLM authentication for web proxy
Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:
- Multiple servers
- Individual users
You can use multiple domain controller servers for agentless NTLM. Multiple servers provide load balancing and higher service availability.
You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS matches the user's group information from an LDAP server.
To support multiple domain controllers for agentless NTLM using the CLI:
- Configure an LDAP server:
    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end
- Configure multiple domain controllers:
    config user domain-controller
        edit "dc1"
            set ip-address 172.18.62.177
            config extra-server
                edit 1
                    set ip-address 172.18.62.220
                next
            end
            set ldap-server "ldap-kerberos"
        next
    end
- Create an authentication scheme and rule:
    config authentication scheme
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next
    end
    config authentication rule
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next
    end
- In the proxy policy, append the user group for authorization:
    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end
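The four CLI blocks above form a chain of references (rule -> scheme -> domain-controller -> LDAP server), and a typo in any one name silently breaks agentless NTLM. The following Python script is an added example, not part of the FortiOS documentation or the product: it parses the FortiOS config/edit/set/next/end syntax, verifies that every object the NTLM rule depends on exists and that the domain controller has at least one extra-server, and models the round-robin distribution of logins across the configured controller addresses as described in the text. The sample configuration embedded in it is constructed from the snippets on this page; the function names, the error strings and the round-robin model are assumptions for illustration, not FortiOS internals.

```python
"""Added example: parse FortiOS CLI snippets and cross-check the agentless NTLM object chain.
Not from the FortiOS documentation; the round-robin model is an illustrative assumption.
"""
import shlex
from itertools import cycle

# Constructed sample: the LDAP, domain-controller, scheme and rule blocks from the page.
SAMPLE_CONFIG = """
config user ldap edit "ldap-kerberos" set server "172.18.62.177" set cnid "cn" set dn "dc=fortinetqa,dc=local" set type regular set username "CN=root,CN=Users,DC=fortinetqa,DC=local" set password ********* next end
config user domain-controller edit "dc1" set ip-address 172.18.62.177 config extra-server edit 1 set ip-address 172.18.62.220 next end set ldap-server "ldap-kerberos" next end
config authentication scheme edit "au-ntlm" set method ntlm set domain-controller "dc1" next end
config authentication rule edit "ru-ntlm" set srcaddr "all" set ip-based disable set active-auth-method "au-ntlm" next end
"""

KEYWORDS = {"config", "edit", "set", "next", "end"}


def _take_until_keyword(tokens, i):
    """Collect plain values (a config path or set arguments) up to the next keyword."""
    vals = []
    while i < len(tokens) and tokens[i] not in KEYWORDS:
        vals.append(tokens[i])
        i += 1
    return vals, i


def _parse_entry(tokens, i):
    """Parse the body of one 'edit' entry; returns (dict, index after 'next')."""
    entry = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "next":
            return entry, i + 1
        if tok == "set":
            key = tokens[i + 1]
            vals, i = _take_until_keyword(tokens, i + 2)
            entry[key] = vals[0] if len(vals) == 1 else vals
        elif tok == "config":  # nested table such as extra-server
            path, i = _take_until_keyword(tokens, i + 1)
            entry[" ".join(path)], i = _parse_table(tokens, i)
        else:
            raise ValueError(f"unexpected token {tok!r} inside entry")
    raise ValueError("entry not closed with 'next'")


def _parse_table(tokens, i):
    """Parse the 'edit ... next' entries of a table; returns (dict, index after 'end')."""
    entries = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "end":
            return entries, i + 1
        if tok == "edit":
            entries[tokens[i + 1]], i = _parse_entry(tokens, i + 2)
        else:
            raise ValueError(f"unexpected token {tok!r} inside table")
    raise ValueError("table not closed with 'end'")


def parse_fortios(text):
    """Return {"user ldap": {...}, "user domain-controller": {...}, ...} from CLI text."""
    tokens = shlex.split(text)
    result, i = {}, 0
    while i < len(tokens):
        if tokens[i] != "config":
            raise ValueError(f"expected 'config', got {tokens[i]!r}")
        path, i = _take_until_keyword(tokens, i + 1)
        table, i = _parse_table(tokens, i)
        result.setdefault(" ".join(path), {}).update(table)
    return result


def check_ntlm_references(cfg):
    """Follow rule -> scheme -> domain-controller -> ldap-server and report dangling names."""
    problems = []
    schemes = cfg.get("authentication scheme", {})
    dcs = cfg.get("user domain-controller", {})
    ldaps = cfg.get("user ldap", {})
    for rname, rule in cfg.get("authentication rule", {}).items():
        sname = rule.get("active-auth-method")
        if sname not in schemes:
            problems.append(f"rule {rname}: unknown scheme {sname}")
            continue
        if schemes[sname].get("method") != "ntlm":
            continue
        dcname = schemes[sname].get("domain-controller")
        if dcname not in dcs:
            problems.append(f"scheme {sname}: unknown domain-controller {dcname}")
            continue
        if dcs[dcname].get("ldap-server") not in ldaps:
            problems.append(f"domain-controller {dcname}: unknown ldap-server")
        if not dcs[dcname].get("extra-server"):
            problems.append(f"domain-controller {dcname}: no extra-server, single DC only")
    return problems


def dc_addresses(cfg, dcname):
    """Primary ip-address followed by extra-server addresses in entry-id order."""
    dc = cfg["user domain-controller"][dcname]
    extras = sorted(dc.get("extra-server", {}).items(), key=lambda kv: int(kv[0]))
    return [dc["ip-address"]] + [e["ip-address"] for _, e in extras]


def round_robin_assignments(addrs, logins):
    """Illustrative model of round-robin: the n-th login goes to the n-th address, wrapping."""
    return dict(zip(logins, cycle(addrs)))


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("problems:", check_ntlm_references(cfg) or "none")
    print(round_robin_assignments(dc_addresses(cfg, "dc1"), ["alice", "bob", "carol"]))
```

Run the script against a pasted `show` output of the relevant tables after making the changes above; an empty problem list means every name in the chain resolves and the controller has a second server to spread logins over.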
This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication request to the first domain controll