What’s the difference between HTTP/User authentication and Site-Publish? Which solution is recommended?
You can treat Site-Publish as a substitute and better solution to replace HTTP authentication.
Most HTTP/User authentication functions can be implemented by Site-Publish, and FortiWeb recommends using Site-Publish policies instead of HTTP/User authentication policies for better future up-to-date technical support.
How will authentication server pool members be used to authenticate clients if multiple remote servers are contained in one pool for Site-Publish rule?
When you configure a site publishing rule that offloads authentication for a web application to FortiWeb, you use an authentication server pool to specify the method and server that FortiWeb uses to authenticate clients.
The pool can contain one or more servers that use either LDAP or RADIUS to authenticate clients. FortiWeb attempts to authenticate clients using the server at the top of the list of pool members, and then continues to the next member down in the list if the authentication is unsuccessful, and so on. You can use the list options to adjust the position of each item in the list.
FortiWeb supports a user to change password (CPW) after a successful login. This function works in two scenarios:
A user must change password at next logon.
A user must change password when it is expired.
LDAP CPW is supported on 7.0.x and 6.3.x, and Radius CPW is supported from 7.0.2. CPW support does not need extra configuration on FortiWeb, but it requires that CPW is enabled on LDAP or Radius servers.
Some configuration tips on FortiWeb:
The Client Authentication Method in Site Publish rule should be set as HTML Form Authentication;
LDAP: Bind Type in LDAP Server should be Regular;
Radius: Authentication Scheme in Radius Server should be MS-CHAP-V2;
You can actively check I want to change my password after logging in to change the password, or passively be required to change the password by the LDAP or Radius server.
Change password at next login: