Exchange Server connector
FortiGate can collect additional information about authenticated users from corporate Microsoft Exchange Servers. After a user logs in, the additional information can be viewed in various parts of the GUI.
The Exchange connector must be mapped to the LDAP server that is used for authentication.
The following attributes are retrieved:
- USER_INFO_FULL_NAME
- USER_INFO_COMPANY
- USER_INFO_CITY
- USER_INFO_FIRST_NAME
- USER_INFO_DEPARTMENT
- USER_INFO_STATE
- USER_INFO_LAST_NAME
- USER_INFO_GROUP
- USER_INFO_POSTAL_CODE
- USER_INFO_LOGON_NAME
- USER_INFO_TITLE
- USER_INFO_COUNTRY
- USER_INFO_TELEPHONE
- USER_INFO_MANAGER
- USER_INFO_ACCOUNT_EXPIRES
- USER_INFO_EMAIL
- USER_INFO_STREET
- USER_INFO_USER_PHOTO
- USER_INFO_POST_OFFICE_BOX
Kerberos Key Distribution Center (KDC) automatic discovery is enabled by default. The FortiGate must be able to use DNS to resolve the KDC IP addresses, otherwise the FortiGate will be unable to retrieve additional user information from the Exchange Server.
KDC automatic discovery can be disabled, and one or more internal IP addresses that the FortiGate can reach can be configured for KDC.
Enable Override server IP address when the IP address of the Exchange server cannot be resolved by DNS; the address is then entered manually.
To configure an Exchange connector in the GUI:
- Go to Security Fabric > External Connectors and click Create New.
- In the Endpoint/Identity section, click Exchange Server.
- Set Name to exchange140.
- Set Exchange account to Administrator@W2K8-SERV1.FORTINET-FSSO.COM.
Administrator is the username, W2K8-SERV1 is the Exchange server name, and FORTINET-FSSO.COM is the domain name.
- Set Password to the password.
- Enable Override server IP address and set it to 10.1.100.140.
- Ensure that Auto-discover KDC is enabled.
If Auto-discover KDC is disabled, one or more KDC IP addresses can be manually entered.
- Click OK.
To link the connector to the LDAP server in the GUI:
- Go to User & Authentication > LDAP Servers.
- Edit an existing LDAP server, or click Create New to create a new one.
- Enable Exchange server, and select the connector from the list.
- Configure the remaining settings as required.
- Click OK.
To configure an Exchange connector with automatic KDC discovery in the CLI:
config user exchange
    edit "exchange140"
        set server-name "W2K8-SERV1"
        set domain-name "FORTINET-FSSO.COM"
        set username "Administrator"
        set password **********
        set ip 10.1.100.140
        set auto-discover-kdc enable
    next
end
To link the connector to the LDAP server in the CLI:
config user ldap
    edit "openldap"
        set server "172.18.60.213"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=Manager,dc=fortinet-fsso,dc=com"
        set password **********
        set group-member-check group-object
        set group-object-filter "(&(objectclass=groupofnames)(member=*))"
        set member-attr "member"
        set user-info-exchange-server "exchange140"
    next
end
Verification
To verify that KDC auto-discovery is working:
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
# diagnose wad user exchange test-auto-discover
wad_diag_session_acceptor(3115): diag socket 20 accepted.
__wad_fmem_open(557): fmem=0x12490bd8, fmem_name='cmem 9188 bucket', elm_sz=9188, block_sz=73728, overhead=0, type=advanced
Starting auto-discover test for all configured user-exchanges.
[NOTE]: If any errors are returned, try manually configuring IPs for the reported errors.
wad_rpc_nspi_test_autodiscover_kdc(1835): Starting DNS SRV request for srv(0x7f938e052050) query(_kerberos._udp.FORTINET-FSSO.COM)
wad_dns_send_srv_query(705): 1:0: sending DNS SRV request for remote peer _kerberos._udp.FORTINET-FSSO.COM id=0
1: DNS response received for remote host _kerberos._udp.FORTINET-FSSO.COM req-id=0
wad_dns_parse_srv_resp(409): _kerberos._udp.FORTINET-FSSO.COM: resp_type(SUCCESS)
    srv[0]: name(w2k12-serv1.fortinet-fsso.com) port(88) priority(0) weight(100)
        addr[0]: 10.1.100.131
        addr[1]: 10.6.30.131
        addr[2]: 172.16.200.131
        addr[3]: 2003::131
        addr[4]: 2001::131
    srv[1]: name(fsso-core-DC.Fortinet-FSSO.COM) port(88) priority(0) weight(100)
        addr[0]: 10.6.30.16
        addr[1]: 172.16.200.16
    srv[2]: name(w2k12-serv1.Fortinet-FSSO.COM) port(88) priority(0) weight(100)
        addr[0]: 10.1.100.131
        addr[1]: 172.16.200.131
        addr[2]: 10.6.30.131
        addr[3]: 2001::131
        addr[4]: 2003::131
wad_rpc_nspi_dns_on_discover_kdc_done(1787): Received response for DNS autodiscover req(0x7f938dfe8050) query(_kerberos._udp.FORTINET-FSSO.COM) n_rsp(3)
Completed auto-discover test for all configured user-exchanges.
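The KDC auto-discovery described above and shown in this debug output is a DNS SRV lookup of _kerberos._udp.<domain>. The following example, added here and not part of the FortiOS documentation or Fortinet's wad code, builds that query and parses an SRV answer the way a Kerberos client must (compression pointers, RCODE check, priority/weight ordering), so the lookup can be checked from any host on the same network; the reply bytes at the end are constructed, using host names from the output above.

```python
import struct

SRV, IN = 33, 1  # QTYPE for SRV records, QCLASS IN

def encode_name(name):  # DNS wire form: length-prefixed labels, zero terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_srv_query(name, txid=0):  # 12-byte header (RD set) + one SRV IN question
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", SRV, IN)

def read_name(data, off):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0:  # 11xxxxxx: pointer to a name earlier in the message
            end = end or off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), end or off
        labels.append(data[off:off + ln].decode())
        off += ln

def parse_srv_response(data):
    """Return [(priority, weight, port, target)] in the order a client should try them."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0xF:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...): no KDC can be discovered
        raise ValueError("DNS error, rcode=%d" % (flags & 0xF))
    off, out = 12, []
    for _ in range(qd):  # skip the echoed question
        off = read_name(data, off)[1] + 4
    for _ in range(an):
        off = read_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", data[off:off + 6])
            out.append((prio, weight, port, read_name(data, off + 6)[0]))
        off += rdlen
    return sorted(out, key=lambda r: (r[0], -r[1]))  # lowest priority first, then highest weight

# Constructed reply to the page's query: two KDCs on port 88, both targets
# compressed with a pointer to "FORTINET-FSSO.COM" inside the question (offset 27).
SAMPLE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)
          + encode_name("_kerberos._udp.FORTINET-FSSO.COM") + struct.pack("!HH", SRV, IN))
for host in ("w2k12-serv1", "fsso-core-DC"):
    rdata = struct.pack("!HHH", 0, 100, 88) + encode_name(host)[:-1] + b"\xc0\x1b"
    SAMPLE += b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, 600, len(rdata)) + rdata
```

To run the lookup for real, send build_srv_query(...) over UDP port 53 to the same resolver the FortiGate uses and pass the reply to parse_srv_response; an empty list or a raised ValueError is the condition under which the FortiGate needs manually configured KDC addresses.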
To check the collected information after the user has been authenticated:
- In the GUI, go to Dashboard > Assets & Identities, expand the Firewall Users widget, and hover over the user name.
- In the CLI, run the following diagnose command:
# diagnose wad user info 20 test1
'username' = 'test1'
'sourceip' = '10.1.100.185'
'vdom' = 'root'
'cn' = 'test1'
'givenName' = 'test1'
'sn' = 'test101'
'userPrincipalName' = 'test1@Fortinet-FSSO.COM'
'telephoneNumber' = '604-123456'
'mail' = 'test1@fortinet-fsso.com'
'thumbnailPhoto' = '/tmp/wad/user_info/76665fff62ffffffffffffffffffff75ff68fffffffffa'
'company' = 'Fortinet'
'department' = 'Release QA'
'memberOf' = 'CN=group321,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=g1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'memberOf' = 'CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'manager' = 'CN=test6,OU=Testing,DC=Fortinet-FSSO,DC=COM'
'streetAddress' = 'One Backend Street 1901'
'l' = 'Burnaby'
'st' = 'BC'
'postalCode' = '4711'
'co' = 'Canada'
'accountExpires' = '9223372036854
If the results are not as expected, verify what information the FortiGate can collect from the Exchange Server:
# diagnose test application wad 2500
# diagnose test application wad 162