Fortinet black logo

Administration Guide

Agentless NTLM authentication for web proxy

Agentless NTLM authentication for web proxy

Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:

  • Multiple servers
  • Individual users

You can use multiple domain controller servers for the agentless NTLM. They can be used for load balancing and high service stability.

You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS matches the user's group information from an LDAP server.

To support multiple domain controllers for agentless NTLM using the CLI:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end
  2. Configure multiple domain controllers:

    config user domain-controller
        edit "dc1"
            set ip-address 172.18.62.177 
            config extra-server
                edit 1
                    set ip-address 172.18.62.220 
                next 
            end
            set ldap-server "ldap-kerberos" 
        next 
    end
  3. Create an authentication scheme and rule:

    config authentication scheme 
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next 
    end
    config authentication rule 
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next 
    end
  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy     
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all" 
            set dstaddr "all" 
            set service "web" 
            set action accept 
            set schedule "always" 
            set groups "ldap-group"
            set utm-status enable 
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication request to the first domain controller. Later when another user logs in, the FortiGate sends the authentication request to another domain controller.

  5. Verify the behavior after the user successfully logs in:

    # diagnose wad user list
    ID: 1825, IP: 10.1.100.71, VDOM: vdom1   
        user name   : test1 
        duration    : 497 
        auth_type   : Session 
        auth_method : NTLM   
        pol_id      : 1   g_id        : 5   
        user_based  : 0   e
        xpire      : 103   
        LAN:
            bytes_in=2167 bytes_out=7657   
        WAN:
            bytes_in=3718 bytes_out=270
To support individual users for agentless NTLM using the CLI:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end
  2. Configure the user group and allow user-based matching:

    config user group
        edit "ldap-group"
            set member "ldap" "ldap-kerberos"
            config match
                edit 1
                    set server-name "ldap-kerberos"
                    set group-name "test1"
                next
            end
        next
    end
  3. Create an authentication scheme and rule:

    config authentication scheme
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next
    end
    config authentication rule
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next
    end
  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This implementation lets you configure a single user instead of a whole group. The FortiGate will now allow the user named test1.

    To verify the configuration using the CLI:
    diagnose wad user list
        ID: 1827, IP: 10.1.15.25, VDOM: vdom1   
        user name   : test1   
        duration    : 161   
        auth_type   : Session   
        auth_method : NTLM   
        pol_id      : 1   
        g_id        : 5   
        user_based  : 0   
        expire      : 439   
        LAN:
                bytes_in=1309 bytes_out=4410 
          WAN:
                bytes_in=2145 bytes_out=544

Agentless NTLM authentication for web proxy

Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:

  • Multiple servers
  • Individual users

You can use multiple domain controller servers for the agentless NTLM. They can be used for load balancing and high service stability.

You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS matches the user's group information from an LDAP server.

To support multiple domain controllers for agentless NTLM using the CLI:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end
  2. Configure multiple domain controllers:

    config user domain-controller
        edit "dc1"
            set ip-address 172.18.62.177 
            config extra-server
                edit 1
                    set ip-address 172.18.62.220 
                next 
            end
            set ldap-server "ldap-kerberos" 
        next 
    end
  3. Create an authentication scheme and rule:

    config authentication scheme 
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next 
    end
    config authentication rule 
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next 
    end
  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy     
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all" 
            set dstaddr "all" 
            set service "web" 
            set action accept 
            set schedule "always" 
            set groups "ldap-group"
            set utm-status enable 
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication request to the first domain controller. Later when another user logs in, the FortiGate sends the authentication request to another domain controller.

  5. Verify the behavior after the user successfully logs in:

    # diagnose wad user list
    ID: 1825, IP: 10.1.100.71, VDOM: vdom1   
        user name   : test1 
        duration    : 497 
        auth_type   : Session 
        auth_method : NTLM   
        pol_id      : 1   g_id        : 5   
        user_based  : 0   e
        xpire      : 103   
        LAN:
            bytes_in=2167 bytes_out=7657   
        WAN:
            bytes_in=3718 bytes_out=270
To support individual users for agentless NTLM using the CLI:
  1. Configure an LDAP server:

    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password *********
        next
    end
  2. Configure the user group and allow user-based matching:

    config user group
        edit "ldap-group"
            set member "ldap" "ldap-kerberos"
            config match
                edit 1
                    set server-name "ldap-kerberos"
                    set group-name "test1"
                next
            end
        next
    end
  3. Create an authentication scheme and rule:

    config authentication scheme
        edit "au-ntlm"
            set method ntlm
            set domain-controller "dc1"
        next
    end
    config authentication rule
        edit "ru-ntlm"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-ntlm"
        next
    end
  4. In the proxy policy, append the user group for authorization:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set av-profile "av"
            set ssl-ssh-profile "deep-custom"
        next
    end

    This implementation lets you configure a single user instead of a whole group. The FortiGate will now allow the user named test1.

    To verify the configuration using the CLI:
    diagnose wad user list
        ID: 1827, IP: 10.1.15.25, VDOM: vdom1   
        user name   : test1   
        duration    : 161   
        auth_type   : Session   
        auth_method : NTLM   
        pol_id      : 1   
        g_id        : 5   
        user_based  : 0   
        expire      : 439   
        LAN:
                bytes_in=1309 bytes_out=4410 
          WAN:
                bytes_in=2145 bytes_out=544