waf site-publish-helper rule

Use this command to configure access control, authentication, and, optionally, SSO for your web applications.

You may want to configure single sign-on (SSO) and combination access control and authentication (called “site publishing” in the GUI) instead of configuring simple HTTP authentication rules if:

  • Your users access multiple web applications on your domain
  • You have defined accounts centrally on an LDAP (such as Microsoft Active Directory) or RADIUS server

SSO provides a benefit over HTTP authentication rules: your users do not need to authenticate each time they access separate web applications in your domain. When FortiWeb receives the first request, it will return (depending on your configuration) an HTML authentication form or HTTP WWW-Authenticate: code to the client.

FortiWeb sends the client’s credentials in a query to the authentication server. Once the client is successfully authenticated, if the web application supports HTTP authentication and you have configured delegation, FortiWeb forwards the credentials to the web application. The server’s response is returned to the client. Until the session expires, subsequent requests from the client to the same or other web applications in the same domain do not require the client to authenticate.

For example, you may prefer SSO if you are using FortiWeb to replace your discontinued Microsoft Threat Management Gateway, using it as a portal for multiple applications such as SharePoint, Outlook Web Application, and/or IIS. Your users will only need to authenticate once while using those resources.

Before you configure site publishing, you must first define the queries to your authentication server. For details, see user ldap-user and server-policy custom-application application-policy.

FortiWeb supports the following additional site publishing options:

  • RADIUS authentication that requires users to provide a secondary password, PIN, or token code in addition to a username and password (two-factor authentication)
  • RADIUS authentication that allows users to authenticate using their username and RSA SecurID token code only (no password)
  • Regular Kerberos authentication delegation and Kerberos constrained delegation

For details about these options, see the descriptions of the individual site publishing rule settings and the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf site-publish-helper rule
    edit "<site-publish-rule_name>"
        set status {enable | disable}
        set req-type {plain | regular}
        set cookieless {enable | disable}
        set saml-server "<server_name>"
        set service-principal-name-pool "<pool_name>"
        set published-site "<host_fqdn>"
        set path "<url_str>"
        set client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth}
        set logoff-path-type {plain | regular}
        set Published-Server-Logoff-Path "<url_str>"
        set cookie-timeout <timeout_int>
        set kerberos-type {krb5 | spnego}
        set auth-server-pool "<authentication-server-pool_name>"
        set auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm}
        set field-name {subject | SAN}
        set attribution-name {email | UPN}
        set pass-failed-auth {enable | disable}
        set delegated-spn "<delegated-spn_str>"
        set keytab-file <keytab_file>
        set delegator-spn "<delegator-spn_str>"
        set prefix-support {enable | disable}
        set prefix-domain "<prefix-domain_str>"
        set alert-type {all | fail | none | success}
        set sso-support {enable | disable}
        set sso-domain "<domain_str>"
        set append-custom-header {enable | disable}
        set custom-header-name <custom-header-name_str>
        set custom-header-value-format <custom-header-value-format_str>
        set cache-tgs-ticket {enable | disable}
    next
end


Variable Description Default

"<site-publish-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

status {enable | disable}

Enable to activate this rule.

This can be used to temporarily deactivate access to a single web application without removing it from a site publishing policy.

enable

req-type {plain | regular}

Select whether published-site "<host_fqdn>" contains a literal FQDN (plain), or a regular expression designed to match multiple host names or fully qualified domain names (regular).

plain

cookieless {enable | disable}

Enable to authenticate clients without using cookies.

disable

saml-server "<server_name>"

Select the SAML server that FortiWeb uses to authenticate clients.

Available only when client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth} is set to saml-auth.

No default.

service-principal-name-pool "<pool_name>"

Select the SPN pool for the application that clients access using this site publish rule.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos or kerberos-constrained-delegation.

No default.

published-site "<host_fqdn>"

Depending on your selection in req-type {plain | regular}, enter either:

  • The literal Host: name, such as sharepoint.example.com, that the HTTP request must contain in order to match the rule.
  • A regular expression, such as ^*\.example\.edu, matching only the host names to which the rule should apply.

The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

No default.

path "<url_str>"

Enter the URL of the request for the web application, such as /owa. It must begin with a forward slash ( / ).

No default.

client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth}

Specify one of the following options:

  • html-form-auth—FortiWeb authenticates clients by presenting an HTML web page with an authentication form. When the authentication cookie expires, FortiWeb replies to the first request without a valid authentication cookie with a 200 (OK) status code and injects HTML into the response, showing the user the login page.
  • http-auth—FortiWeb authenticates clients by replying to the request with a 401 (Unauthorized) status code, and the browser displays a traditional, browser-specific authentication prompt.
  • client-cert-auth—FortiWeb validates the HTTP client’s personal certificate using the certificate verifier specified in the associated server policy or server pool configuration.
  • saml-auth—FortiWeb uses a SAML server to pass identity information to a service provider via a signed XML document for client authentication. When the authentication cookie expires, FortiWeb replies to the first request without a valid authentication cookie with a 301 (Moved Temporarily) status code, forcing the browser to redirect to the authentication page.

If waf site-publish-helper rule is enable, only http-auth is allowed here.

html-form-auth

logoff-path-type {plain | regular}

Specify whether Published-Server-Logoff-Path contains a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

Published-Server-Logoff-Path "<url_str>"

This setting appears only if client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth} is html-form-auth.

Depending on the value of logoff-path-type, enter one of the following values:

  • The literal URL of the request that a client sends to log out of the application (for example, /owa/auth/logoff.aspx).
  • A regular expression that matches the request that a client sends to log out of the application.

Ensure that the value is a sub-path of the path value. For example, if path is /owa, /owa/auth/logoff.aspx is a valid value.

When a client logs out of the web application, FortiWeb redirects the client to its authentication dialog.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

No default.
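To make the published-site, req-type, path and Published-Server-Logoff-Path semantics described above concrete, here is an added Python model of the matching a site-publish rule performs; it is not FortiWeb code, and the SitePublishRule class, the check_rule, select_rule and anchored_host_pattern helpers, and the sample rules are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def check_rule(published_site: str, path: str, req_type: str,
               logoff_path: Optional[str], logoff_path_type: str) -> Optional[str]:
    """Return a validation message, or None if the settings are consistent."""
    if not path.startswith("/"):
        return "path must begin with a forward slash"
    if req_type not in ("plain", "regular") or logoff_path_type not in ("plain", "regular"):
        return "req-type and logoff-path-type must be plain or regular"
    # Patterns beginning with "!" are not supported by the rule syntax.
    if req_type == "regular" and published_site.startswith("!"):
        return "regular expressions beginning with '!' are not supported"
    # A literal logoff path must be a sub-path of path (/owa -> /owa/auth/logoff.aspx).
    if logoff_path and logoff_path_type == "plain" \
            and not logoff_path.startswith(path.rstrip("/") + "/"):
        return "Published-Server-Logoff-Path must be a sub-path of path"
    return None


@dataclass
class SitePublishRule:
    """One site-publish rule, modelled on the settings described on this page."""
    name: str
    published_site: str            # literal Host (plain) or regular expression (regular)
    path: str                      # request URL prefix, must begin with "/"
    req_type: str = "plain"
    logoff_path: Optional[str] = None
    logoff_path_type: str = "plain"

    def __post_init__(self) -> None:
        problem = check_rule(self.published_site, self.path, self.req_type,
                             self.logoff_path, self.logoff_path_type)
        if problem:
            raise ValueError(problem)

    def matches_host(self, host_header: str) -> bool:
        # Host: comparison ignores an explicit port and letter case.
        host = host_header.split(":", 1)[0].lower()
        if self.req_type == "plain":
            return host == self.published_site.lower()
        return re.search(self.published_site, host, re.IGNORECASE) is not None

    def matches_path(self, request_target: str) -> bool:
        url = request_target.split("?", 1)[0]        # the query string is not part of path
        prefix = self.path.rstrip("/")
        return url == prefix or url.startswith(prefix + "/")

    def matches(self, host_header: str, request_target: str) -> bool:
        return self.matches_host(host_header) and self.matches_path(request_target)

    def is_logoff(self, request_target: str) -> bool:
        """True when the request is the application's logout request; FortiWeb then
        redirects the client back to its authentication dialog."""
        if not self.logoff_path:
            return False
        if self.logoff_path_type == "plain":
            return request_target == self.logoff_path
        return re.search(self.logoff_path, request_target) is not None


def select_rule(rules: List[SitePublishRule], host_header: str,
                request_target: str) -> Optional[str]:
    """Name of the first rule (in configured order) that the request matches."""
    for rule in rules:
        if rule.matches(host_header, request_target):
            return rule.name
    return None


def anchored_host_pattern(pattern: str) -> str:
    """Add a trailing anchor when the expression lacks one, so that only hosts that
    END with the expected domain match, not longer names that merely contain it."""
    return pattern if pattern.endswith("$") else pattern + "$"


# Constructed sample rules mirroring the Outlook/SharePoint example on this page.
# The page's "^*\.example\.edu" is written as "^.*\.example\.edu" because Python's
# re module rejects a quantifier placed directly after "^".
RULES = [
    SitePublishRule("Outlook", r"^.*\.example\.edu", "/owa", req_type="regular",
                    logoff_path="/owa/auth/logoff.aspx?Cmd=logoff"),
    SitePublishRule("Sharepoint", "sharepoint.example.com", "/sharepoint"),
]
```

Note that the unanchored expression from the page's example also matches any longer host name that contains .example.edu; anchored_host_pattern shows the one-character fix.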

cookie-timeout <timeout_int>

Specify the length of time (in minutes) that passes before the cookie that the site publish rule adds expires and the client must re-authenticate.

The valid range is 0–216,000. To disable the limit, enter 0.

If waf site-publish-helper rule is enable, this must be 0.

If you enter a value of 0, the browser only deletes the cookie when the user closes all browser windows.

0

auth-server-pool "<authentication-server-pool_name>"

Enter the name of the pool of servers that FortiWeb uses to authenticate clients. For details, see waf site-publish-helper authentication-server-pool.

No default.

auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm}

Specify one of the following options:

  • http-basic—Use HTTP Authorization: headers with Base64 encoding to forward the client’s credentials to the web application. Typically, you should select this option if the web application supports HTTP protocol-based authentication.

    Available only if client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth} is html-form-auth or http-auth.

  • kerberos—After it authenticates the client via the HTTP form or HTTP basic method, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding.

    Available only if client-auth-method is html-form-auth or http-auth.

  • kerberos-constrained-delegation—After it authenticates the client’s certificate, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding.

    Available only if client-auth-method is client-cert-auth.

  • no-delegation—FortiWeb does not send the client’s credentials to the web application.

    Select this option when the web application has no authentication of its own or uses HTML form-based authentication.

    Note: If the web application uses HTML form-based authentication, the client is required to authenticate twice: once with FortiWeb and once with the web application’s form.

  • ntlm—FortiWeb uses NT LAN Manager (NTLM) for authentication delegation. This is a challenge/response authentication protocol that FortiWeb uses to verify the identity of clients attempting to connect to the server(s).

    Note: If the POST method request triggers NTLM authentication, the request body cannot exceed 100M.

If waf site-publish-helper rule is enable, only no-delegation or http-basic is allowed here.

Not available when rsa-securid {enable | disable} is set to enable.

no-delegation

field-name {subject | SAN}

Select one of the following options to specify the certificate information that FortiWeb uses to determine the client username:

  • subject—The email address value in the certificate’s Subject information.

    For attribution-name {email | UPN}, select email.

  • SAN—The certificate’s subjectAltName (Subject Alternative Name or SAN) and either the User Principal Name (UPN) or the email address value in the certificate’s Subject information.

    For attribution-name, enter UPN or email.

    In certificates issued in a Windows environment, the certificate’s SAN and UPN contain the username. For example:

    username@domain

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

SAN

attribution-name {email | UPN}

Select one of the following options to specify the certificate information that FortiWeb uses to determine the client username:

  • email—The email address value in the certificate’s Subject information.

    For field-name {subject | SAN}, enter subject or SAN.

  • UPN—The User Principal Name (UPN) value.

    For field-name, enter SAN.

Note: Because the email value can be an alias rather than the real DC (domain controller) domain, the most reliable method for determining the username is SAN and UPN.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

UPN

delegated-spn "<delegated-spn_str>"

Specify the Service Principal Name (SPN) for the web application that clients access using this site publish rule.

A service principal name uses the following format:

<service_type>/<instance_name>:<port_number>/<service_name>

For example, for an Exchange server that belongs to the domain dc1.com and has the hostname USER-U3LOJFPLH1, the SPN is http/USER-U3LOJFPLH1.dc1.com@DC1.COM.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos or kerberos-constrained-delegation.

No default.

keytab-file <keytab_file>

Specify the keytab file configuration for the AD user that FortiWeb uses to obtain Kerberos service tickets for clients. For details, see waf site-publish-helper keytab_file.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

No default.

delegator-spn "<delegator-spn_str>"

Specify the Service Principal Name (SPN) that you used to generate the keytab specified by keytab-file <keytab_file>.

This is the SPN of the AD user that FortiWeb uses to obtain Kerberos service tickets for clients.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

No default.

prefix-support {enable | disable}

Enable to allow users to log in with just a username in environments where the domain controller requires both a domain and a username. Also specify prefix-domain "<prefix-domain_str>".

In some environments, the domain controller requires users to log in with the username format domain\username. For example, if the domain is example.com and the username is user1, the user enters EXAMPLE\user1.

Alternatively, enable this option and enter EXAMPLE for prefix-domain "<prefix-domain_str>". The user enters user1 for the username value and FortiWeb automatically adds EXAMPLE\ to the HTTP Authorization: header before it forwards it to the web application.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is http-basic or kerberos.

enable

prefix-domain "<prefix-domain_str>"

Enter a domain name that FortiWeb adds to the HTTP Authorization: header before it forwards it to the web application.

Available only when prefix-support {enable | disable} is enabled.

If auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos, ensure that the string is the full domain name (for example, example.com).

No default.

sso-domain "<domain_str>"

Enter the domain suffix of Host: names that will be allowed to share this rule’s authentication sessions, such as .example.com. Include the period ( . ) that precedes the host’s name.

No default.

sso-support {enable | disable}

Enable for single sign-on support.

For example, if this website is www1.example.com and the SSO domain is .example.com, once a client has authenticated with that site, it can access www2.example.com without authenticating a second time.

Site publishing SSO sessions exist on FortiWeb only; they are not synchronized to the authentication and/or accounting server, and therefore SSO is not shared with non-web applications. For SSO with other protocols, consult the documentation for your FortiGate or other firewall.

If waf site-publish-helper rule is enable, this must be disable.

disable

alert-type {all | fail | none | success}

Specify which site publishing-related authentication events the FortiWeb appliance will log and/or send an alert email about.

  • all
  • fail
  • success
  • none

Event log messages contain the user name, authentication type, success or failure, and source address (for example, User jdoe [Site Publish] login successful from 172.0.2.5) when an end-user successfully authenticates. A similar message is recorded if the authentication fails (for example, User hackers [Site Publish] login failed from 172.0.2.5).

Note: Logging and/or alert email occurs only if it is enabled and configured. For details, see log disk and log alertMail.

none

cookieless {enable | disable}

Enable to allow Android clients to access Microsoft Exchange servers through the Exchange ActiveSync protocol.

Note: If this is enabled, the following restrictions are put in place:

disable

kerberos-type {krb5 | spnego}

Two kinds of authorization mechanisms are available, which web servers use to retrieve Kerberos tickets.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos.

spnego

pass-failed-auth {enable | disable}

Enable so that FortiWeb’s behavior when Kerberos Constrained Delegation fails can be configured.

Available only when client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth} is client-cert-auth, and auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

disable

append-custom-header {enable | disable}

Enable this option to forward the username to the back-end server in an HTTP header.

disable

custom-header-name <custom-header-name_str>

Enter a name for the HTTP header. You can use any name you like, for example X-FWB-Uname or useraccount. Special characters are not supported.

X-FWB-Username

custom-header-value-format <custom-header-value-format_str>

Enter the format for the value, such as aaa-USERNAME-bbb, xxx-USERNAME, or USERNAME. Special characters are not supported. The value format must contain "USERNAME"; FortiWeb replaces "USERNAME" with the actual username when it forwards the HTTP header to the back-end server.

xxx-USERNAME-XXX

pass-failed-auth {enable | disable}

This option is enabled automatically when auth-delegation is kerberos-constrained-delegation. When it is disabled and Kerberos Constrained Delegation fails, FortiWeb returns a 500 status and an Account Failed Authentication page.

enable

cache-tgs-ticket {enable | disable}

This option is enabled automatically when auth-delegation is kerberos-constrained-delegation or kerberos, and controls whether FortiWeb caches the Kerberos TGS ticket. When pass-failed-auth {enable | disable} is disabled, this option is also disabled.

enable
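The Authorization: header that http-basic delegation forwards (with and without prefix-domain), the USERNAME substitution of append-custom-header, the cookie-timeout and sso-domain scoping of the rule’s cookie, and the SSO host-sharing check, shown as an added Python example; this is not FortiWeb code, and the function names, the cookie attributes and the sample credentials are assumptions constructed for this example.

```python
import base64
import re
from typing import Dict, Optional, Tuple

COOKIE_TIMEOUT_MAX = 216_000   # minutes; the upper bound of cookie-timeout on this page


def basic_authorization(username: str, password: str,
                        prefix_support: bool = False, prefix_domain: str = "") -> str:
    """Build the Authorization: header forwarded for http-basic delegation.
    With prefix-support enabled the user types only "user1" and prefix-domain
    is prepended, giving EXAMPLE\\user1, before Base64 encoding."""
    if any(ch in username + password for ch in "\r\n"):
        raise ValueError("CR/LF in credentials would corrupt the header")
    if ":" in username:
        raise ValueError("a colon in the user-id is not allowed in Basic credentials")
    user = f"{prefix_domain}\\{username}" if prefix_support and prefix_domain else username
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> Tuple[str, str]:
    """Inverse of basic_authorization: what the back-end server sees."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def custom_header(header_name: str, value_format: str, username: str) -> Tuple[str, str]:
    """append-custom-header: substitute USERNAME in custom-header-value-format.
    Header name and format may not contain special characters, and a username
    that could start a new header line is rejected."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", header_name):
        raise ValueError("special characters are not supported in the header name")
    if "USERNAME" not in value_format:
        raise ValueError('the value format must contain "USERNAME"')
    if not re.fullmatch(r"[A-Za-z0-9_.@\\-]+", username):
        raise ValueError("username contains characters that cannot be placed in a header")
    return header_name, value_format.replace("USERNAME", username)


def auth_cookie_attributes(cookie_timeout: int, sso_support: bool,
                           sso_domain: str = "") -> Dict[str, Optional[str]]:
    """Attributes for the cookie the rule adds. cookie-timeout is in minutes;
    0 yields a session cookie, deleted when the browser closes. With SSO the
    cookie is scoped to sso-domain so sibling hosts can present it."""
    if not 0 <= cookie_timeout <= COOKIE_TIMEOUT_MAX:
        raise ValueError("cookie-timeout must be 0-216000 minutes")
    attrs: Dict[str, Optional[str]] = {"HttpOnly": None, "Secure": None, "Path": "/"}
    if cookie_timeout:
        attrs["Max-Age"] = str(cookie_timeout * 60)
    if sso_support:
        if not sso_domain.startswith("."):
            raise ValueError("sso-domain must include the leading period, e.g. .example.com")
        attrs["Domain"] = sso_domain.lstrip(".")   # RFC 6265 ignores a leading dot anyway
    return attrs


def sso_session_applies(authenticated_host: str, request_host: str,
                        sso_support: bool, sso_domain: str = "") -> bool:
    """Whether a session established on authenticated_host covers request_host."""
    a, r = authenticated_host.lower(), request_host.lower()
    if not sso_support:
        return a == r
    d = sso_domain.lower()
    # Suffix check WITH the leading dot: "www.notexample.com" stays outside ".example.com".
    return a.endswith(d) and r.endswith(d)
```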

Example

This example configures a site publisher with SSO for both Outlook and Sharepoint on the example.com domain.

config waf site-publish-helper authentication-server-pool
    edit "LDAP server pool"
        edit 1
            set server-type ldap
            set ldap-server "LDAP query 1"
        end
    next
end

config waf site-publish-helper authentication-server-pool
    edit "RADIUS server pool"
        edit 1
            set server-type radius
            set ldap-server "RADIUS query 1"
        end
    next
end

config waf site-publish-helper rule
    edit "Outlook"
        set req-type regular
        set published-site "^*\.example\.edu"
        set auth-server-pool "LDAP server pool"
        set auth-delegation http-basic
        set sso-support enable
        set sso-domain ".example.edu"
        set path "/owa"
        set alert-type fail
        set Published-Server-Logoff-Path "/owa/auth/logoff.aspx?Cmd=logoff"
    next
    edit "Sharepoint"
        set req-type regular
        set published-site "^*\.example\.edu"
        set auth-server-pool "RADIUS server pool"
        set auth-delegation http-basic
        set sso-support enable
        set sso-domain ".example.edu"
        set path "/sharepoint"
        set alert-type fail
    next
end

config waf site-publish-helper policy
    edit "example_com_apps"
        config rule
            edit 1
                set rule-name "Outlook"
            next
            edit 2
                set rule-name "Sharepoint"
            next
        end
    next
end

Related topics

waf site-publish-helper rule

Use this command to configure access control, authentication, and, optionally, SSO for your web applications.

You may want to configure single sign-on (SSO) and combination access control and authentication (called “site publishing” in the GUI) instead of configuring simple HTTP authentication rules if:

  • Your users access multiple web applications on your domain
  • You have defined accounts centrally on an LDAP (such as Microsoft Active Directory) or RADIUS server

SSO provides a benefit over HTTP authentication rules: your users do not need to authenticate each time they access separate web applications in your domain. When FortiWeb receives the first request, it will return (depending on your configuration) an HTML authentication form or HTTP WWW-Authenticate: code to the client.

FortiWeb sends the client’s credentials in a query to the authentication server. Once the client is successfully authenticated, if the web application supports HTTP authentication and you have configured delegation, FortiWeb forwards the credentials to the web application. The server’s response is returned to the client. Until the session expires, subsequent requests from the client to the same or other web applications in the same domain do not require the client to authenticate..

For example, you may prefer SSO if you are using FortiWeb to replace your discontinued Microsoft Threat Management Gateway, using it as a portal for multiple applications such as SharePoint, Outlook Web Application, and/or IIS. Your users will only need to authenticate once while using those resources.

Before you configure site publishing, you must first define the queries to your authentication server. For details, see user ldap-user and server-policy custom-application application-policy.

FortiWeb supports the following additional site publishing options:

  • RADIUS authentication that requires users to provide a secondary password, PIN, or token code in addition to a username and password (two-factor authentication)
  • RADIUS authentication that allows users to authenticate using their username and RSA SecurID token code only (no password)
  • Regular Kerberos authentication delegation and Kerberos constrained delegation

For details about these options, see the descriptions of the individual site publishing rule settings and the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf site-publish-helper rule

edit "<site-publish-rule_name>"

set status {enable | disable}

set req-type {plain | regular}

set cookieless {enable | disable}

set saml-server "<server_name>"

set service-principal-name-pool "<pool_name>"

set published-site "<host_fqdn>"

set path "<url_str>"

set client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth}

set logoff-path-type {plain | regular}

set Published-Server-Logoff-Path "<url_str>"

set cookie-timeout <timeout_int>

set kerberos-type {krb5 | spnego}

set auth-server-pool "<authentication-server-pool_name>"

set auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm}

set field-name {subject | SAN}

set attribution-name {email | UPN}

set pass-failed-auth {enable | disable}

set delegated-spn "<delegated-spn_str>"

set keytab-file <keytab_file>

set delegator-spn "<delegator-spn_str>"

set prefix-support {enable | disable}

set prefix-domain "<prefix-domain_str>"

set alert-type {all | fail | none | success}

set sso-support {enable | disable}

set sso-domain "<domain_str>"

set cookieless {enable | disable}

set append-custom-header {enable | disable}

set custom-header-name <custom-header-name_str>

set custom-header-value-format <custom-header-value-format_str>

set pass-failed-auth {enable | disable}

set cache-tgs-ticket {enable | disable}

next

end


Variable Description Default

"<site-publish-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

status {enable | disable}

Enable to activate this rule.

This can be used to temporarily deactivate access to a single web application without removing it from a site publishing policy.

enable

req-type {plain | regular}

Select whether published-site "<host_fqdn>" contains a literal FQDN (plain), or a regular expression designed to match multiple host names or fully qualified domain names (regular). plain

cookieless {enable | disable}

Enable to authenticate clients without using cookies.

disable

saml-server "<server_name>"

Select the SAML server that FortiWeb uses to authenticate clients.

Available only when client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth} is set to saml-auth.

No default.

service-principal-name-pool "<pool_name>"

Select the SPN pool for the application that clients access using this site publish rule.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos or kerberos-constrained-delegation.

No default.

published-site "<host_fqdn>"

Depending on your selection in req-type {plain | regular}, enter either:

  • The literal Host: name, such as sharepoint.example.com, that the HTTP request must contain in order to match the rule.
  • A regular expression, such as ^*\.example\.edu, matching only the host names to which the rule should apply.

The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

No default.

path "<url_str>"

Enter the URL of the request for the web application, such as /owa. It must begin with a forward slash ( / ). No default.

client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth}

Specify one of the following options:

  • html-form-authFortiWeb authenticates clients by presenting an HTML web page with an authentication form. When the authentication cookie expires, FortiWeb replies to the first request without a valid authentication cookie with a 200 (OK) status code and injects HTML into the response, showing the user the login page.
  • http-authFortiWeb authenticates clients by replying to the request with a 401 (Unauthorized) status code, and the browser displays a traditional, browser-specific authentication prompt.
  • client-cert-authFortiWeb validates the HTTP client’s personal certificate using the certificate verifier specified in the associated server policy or server pool configuration.
  • saml-authFortiWeb uses a SAML server to pass identity information to a service provider via a signed XML document for client authentication. When the authentication cookie expires, FortiWeb replies to the first request without a valid authentication cookie with a 301 (Moved Temporarily) status code, forcing the browser to direct to the authentication page.

If waf site-publish-helper rule is enable, only http_auth is allowed here.

html-form-auth

logoff-path-type {plain | regular}

Specify whether Published-Server-Logoff-Path contains a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

Published-Server-Logoff-Path "<url_str>"

This setting appears only if client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth} is html-form-auth.

Depending on the value of logoff-path-type, enter one of the following values:

  • The literal URL of the request that a client sends to log out of the application (for example, /owa/auth/logoff.aspx .
  • A regular expression that matches the request that a client sends to log out of the application.

Ensure that the value is a sub-path of the path value. For example, if path is /owa, /owa/auth/logoff.aspx is a valid value.

When a client logs out of the web application, FortiWeb redirects the client to its authentication dialog.

Note:Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

No default.

cookie-timeout <timeout_int>

Specify the length of time (in minutes) that passes before the cookie that the site publish rule adds expires and the client must re-authenticate.

The valid range is 0–216,000. To disable the limit, enter 0.

If waf site-publish-helper rule is enable, this must be 0.

If you enter a value of 0, the browser only deletes the cookie when the user closes all browser windows.

0

auth-server-pool "<authentication-server-pool_name>"

Enter the name of the pool of servers that FortiWeb uses to authenticate clients. For details, see waf site-publish-helper authentication-server-pool. No default.

auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm}

Specify one of the following options:

  • http-basic—Use HTTP Authorization: headers with Base64 encoding to forward the client’s credentials to the web application. Typically, you should select this option if the web application supports HTTP protocol-based authentication.

    Available only if client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth} is html-form-auth or http-auth.

  • kerberos—After it authenticates the client via the HTTP form or HTTP basic method, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding.

    Available only if client-auth-method is html-form-auth or http-auth.

  • kerberos-constrained-delegation—After it authenticates the client’s certificate, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding.

    Available only if client-auth-method is client-cert-auth.

  • no-delegationFortiWeb does not send the client’s credentials to the web application.

    Select this option when the web application has no authentication of its own or uses HTML form-based authentication.

    Note: If the web application uses HTML form-based authentication, the client is required to authenticate twice: once with FortiWeb and once with the web application’s form.

  • ntlmFortiWeb uses NT LAN Manager (NTLM) for authentication delegation. This is a challenge/response authentication protocol that FortiWeb uses to verify the identify of clients attempting to connect to the server(s).

    Note: If the POST method request triggers NTLM authentication, the request body cannot exceed 100M.

If waf site-publish-helper rule is enable, only no_delegation or http-basic is allowed here.

Not available when rsa-securid {enable | disable} is set to enable.

no-delegation

field-name {subject | SAN}

Specify one of the following options to specify the certificate information that FortiWeb uses to determines the client username:

  • subject—The email address value in the certificate’s Subject information.

    For attribution-name {email | UPN}, select email.

  • SAN—The certificate’s subjectAltName (Subject Alternative Name or SAN) and either the User Principal Name (UPN) or the email address value in the certificate’s Subject information.

    For attribution-name, enter UPN or email.

    In certificates issued in a Windows environment, the certificate’s SAN and UPN contain the username. For example:

    username@domain

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

SAN

attribution-name {email | UPN}

Select one of the following options to specify the certificate information that FortiWeb uses to determine the client username:

  • email—The email address value in the certificate’s Subject information.

    For field-name {subject | SAN}, enter subject or SAN.

  • UPN—The User Principal Name (UPN) value.

    For field-name, enter SAN.

Note: Because the email value can be an alias rather than the real DC (domain controller) domain, the most reliable method for determining the username is SAN and UPN.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

UPN

delegated-spn "<delegated-spn_str>"

Specify the Service Principal Name (SPN) for the web application that clients access using this site publish rule.

A service principal name uses the following format:

<service_type>/<instance_name>:<port_number>/<service_name>

For example, for an Exchange server that belongs to the domain dc1.com and has the hostname USER-U3LOJFPLH1, the SPN is http/USER-U3LOJFPLH1.dc1.com@DC1.COM.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos or kerberos-constrained-delegation.

No default.

keytab-file <keytab_file>

Specify the keytab file configuration for the AD user that FortiWeb uses to obtain Kerberos service tickets for clients. For details, see waf site-publish-helper keytab_file.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

No default.

delegator-spn "<delegator-spn_str>"

Specify the Service Principal Name (SPN) that you used to generate the keytab specified by keytab-file <keytab_file>.

This is the SPN of the AD user that FortiWeb uses to obtain Kerberos service tickets for clients.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

No default.

prefix-support {enable | disable}

Enable to allow users to log in with just a username in environments where the domain controller requires both a domain and a username. Also specify prefix-domain "<prefix-domain_str>".

In some environments, the domain controller requires users to log in with the username format domain\username. For example, if the domain is example.com and the username is user1, the user enters EXAMPLE\user1.

Alternatively, enable this option and enter EXAMPLE for prefix-domain "<prefix-domain_str>". The user enters user1 for the username value and FortiWeb automatically adds EXAMPLE\ to the HTTP Authorization: header before it forwards it to the web application.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is http-basic or kerberos.

enable

prefix-domain "<prefix-domain_str>"

Enter a domain name that FortiWeb adds to the HTTP Authorization: header before it forwards it to the web application.

Available only when prefix-support {enable | disable} is enabled.

If auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos, ensure that the string is the full domain name (for example, example.com).

No default.

sso-domain "<domain_str>"

Enter the domain suffix of Host: names that will be allowed to share this rule’s authentication sessions, such as .example.com. Include the period ( . ) that precedes the host’s name. No default.

sso-support {enable | disable}

Enable for single sign-on support.

For example, if this website is www1.example.com and the SSO domain is .example.com, once a client has authenticated with that site, it can access www2.example.com without authenticating a second time.

Site publishing SSO sessions exist on FortiWeb only; they are not synchronized to the authentication and/or accounting server, and therefore SSO is not shared with non-web applications. For SSO with other protocols, consult the documentation for your FortiGate or other firewall.

If waf site-publish-helper rule is enable, this must be disable.

disable

alert-type {all | fail | none | success}

Specify which site publishing-related authentication events the FortiWeb appliance will log and/or send an alert email about.

  • all
  • fail
  • success
  • none

Event log messages contain the user name, authentication type, success or failure, and source address (for example, User jdoe [Site Publish] login successful from 172.0.2.5) when an end-user successfully authenticates. A similar message is recorded if the authentication fails (for example, User hackers [Site Publish] login failed from 172.0.2.5).

Note: Logging and/or alert email occurs only if it is enabled and configured. For details, see log disk and log alertMail.

none

cookieless {enable | disable}

Enable to allow Android clients to access Microsoft Exchange servers through the Exchange ActiveSync protocol.

Note: If this is enabled, the following restrictions are put in place:

disable
kerberos-type {krb5 | spnego}

Specify which of the two available authorization mechanisms web servers use to retrieve the Kerberos tickets.

Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos.

spnego

pass-failed-auth {enable | disable}

Enable so that FortiWeb can be configured for the case where Kerberos Constrained Delegation fails.

Available only when client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth} is client-cert-auth and auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation | ntlm} is kerberos-constrained-delegation.

disable

append-custom-header {enable | disable}

Enable to forward the username to the back-end server in an HTTP header.

disable

custom-header-name <custom-header-name_str>

Enter a name for the HTTP header. You can change it to any name you want, for example X-FWB-Uname or useraccount. Special characters are not supported.

X-FWB-Username

custom-header-value-format <custom-header-value-format_str>

Enter the format for the header value, such as aaa-USERNAME-bbb, xxx-USERNAME, or USERNAME. Special characters are not supported. The value format must contain "USERNAME"; FortiWeb replaces "USERNAME" with the actual username when it forwards the HTTP header to the back-end server.

xxx-USERNAME-XXX

pass-failed-auth {enable | disable}

This option is enabled automatically when Authentication Delegation is Kerberos Constrained Delegation. When it is disabled and Kerberos Constrained Delegation fails, FortiWeb returns a 500 error and the Account Failed Authentication page.

enable

cache-tgs-ticket {enable | disable}

This option is enabled automatically when Authentication Delegation is Kerberos Constrained Delegation or Kerberos; it controls whether FortiWeb caches the Kerberos TGS (ticket-granting service) ticket. When pass-failed-auth {enable | disable} is disabled, this option is also disabled.

enable

Example

This example configures site publishing with SSO for both Outlook and SharePoint on the example.com domain.

config waf site-publish-helper authentication-server-pool
    edit "LDAP server pool"
        edit 1
            set server-type ldap
            set ldap-server "LDAP query 1"
        end
    next
end

config waf site-publish-helper authentication-server-pool
    edit "RADIUS server pool"
        edit 1
            set server-type radius
            set ldap-server "RADIUS query 1"
        end
    next
end

config waf site-publish-helper rule
    edit "Outlook"
        set published-site "^*\.example\.edu"
        set auth-server-pool "LDAP server pool"
        set auth-delegation http-basic
        set sso-support enable
        set sso-domain ".example.edu"
        set path "/owa"
        set alert-type fail
        set Published-Server-Logoff-Path /owa/auth/logoff.aspx?Cmd=logoff
    next
    edit "Sharepoint"
        set published-site ^*\\.example\\.edu
        set req-type regular
        set auth-server-pool "RADIUS server pool"
        set auth-delegation http-basic
        set sso-support enable
        set sso-domain ".example.edu"
        set path "/sharepoint"
        set alert-type fail
    next
end

config waf site-publish-helper policy
    edit "example_com_apps"
        config rule
            edit 1
                set rule-name "Outlook"
            next
            edit 2
                set rule-name "Sharepoint"
            next
        end
    next
end
