NTLM Extensions
FortiOS 6.2 extends agentless Windows NT LAN Manager (NTLM) authentication to include support for the following items:
- Multiple servers
- Individual users
Previously only one server and only group matching were supported.
You can now use multiple domain controller servers for the agentless NTLM for load balancing and high service stability.
You can also use user-based matching in groups for Kerberos and agentless NTLM. For Kerberos and agentless NTLM, FortiOS matches the user's group information from an LDAP server.
To support multiple domain controllers for agentless NTLM:
- Configure an LDAP server:
config user ldap
edit "ldap-kerberos"
set server "172.18.62.177"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password **********
next
end
- Configure multiple Domain Controllers:
config user domain-controller
edit "dc1"
set ip-address 172.18.62.177
config extra-server
edit 1
set ip-address 172.18.62.220
next
end
set ldap-server "ldap-kerberos"
next
end
- Create an authenticate scheme and rule:
config authentication scheme
edit "au-ntlm"
set method ntlm
set domain-controller "dc1"
next
end
config authentication rule
edit "ru-ntlm"
set srcaddr "all"
set ip-based disable
set active-auth-method "au-ntlm"
next
end
- In the proxy policy, append the user group for authorization:
config firewall proxy-policy
edit 1
set uuid 6cfe58e4-2ff1-51e9-6b4c-a7d4a8db0f30
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set groups "ldap-group"
set utm-status enable
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end
This configuration uses a round-robin method. When the first user logs in, FortiGate sends the authentication request to the first domain controller. Later when another user logs in, FortiGate sends the authentication request to another domain controller. After the user successfully logs in, you can verify the behavior by using the following CLI:
FGT_A (vdom1) # diagnose wad user list
ID: 1825, IP: 10.1.100.71, VDOM: vdom1
user name : test1
duration : 497
auth_type : Session
auth_method : NTLM
pol_id : 1 g_id : 5
user_based : 0 e
xpire : 103
LAN:
bytes_in=2167 bytes_out=7657
WAN:
bytes_in=3718 bytes_out=270
To support individual users for agentless NTLM:
- Configure an LDAP server:
config user ldap
edit "ldap-kerberos"
set server "172.18.62.177"
set cnid "cn"
set dn "dc=fortinetqa,dc=local"
set type regular
set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
set password **********
next
end
- Configure user group and allow user based matching in the group:
config user group
edit "ldap-group"
set member "ldap" "ldap-kerberos"
config match
edit 1
set server-name "ldap-kerberos"
set group-name "test1"
next
end
next
end
- Create an authentication scheme and rule:
config authentication scheme
edit "au-ntlm"
set method ntlm
set domain-controller "dc1"
next
end
config authentication rule
edit "ru-ntlm"
set srcaddr "all"
set ip-based disable
set active-auth-method "au-ntlm"
next
end
- In the proxy policy, append the user group for authorization:
config firewall proxy-policy
edit 1
set uuid 6cfe58e4-2ff1-51e9-6b4c-a7d4a8db0f30
set proxy explicit-web
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "web"
set action accept
set schedule "always"
set groups "ldap-group"
set utm-status enable
set av-profile "av"
set ssl-ssh-profile "deep-custom"
next
end
This implementation lets you configure a single user instead of a whole group, and FortiGate will allow user named test1. You can verify the configuration by using the CLI:
diagnose wad user list
ID: 1827, IP: 10.1.15.25, VDOM: vdom1
user name : test1
duration : 161
auth_type : Session
auth_method : NTLM
pol_id : 1
g_id : 5
user_based : 0
expire : 439
LAN:
bytes_in=1309 bytes_out=4410
WAN:
bytes_in=2145 bytes_out=544