Syntax update for Microsoft compatibility 6.2.1
FortiGates deployed in an explicit proxy environment support the syntax \domain\user for backward compatibility with Microsoft authentication. In this version, both the user@domain and \domain\user syntaxes are supported.
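To show how the two accepted login forms map to the same (domain, user) pair that a proxy policy or LDAP lookup would act on, here is an added Python example that is not FortiOS code; the sample names (domain fortinetqa, user test1) are taken from the configuration and diagnostic output shown later on this page.

```python
from typing import NamedTuple, Optional


class ProxyLogin(NamedTuple):
    user: str
    domain: Optional[str]
    form: str  # "down-level" (\domain\user), "upn" (user@domain) or "bare"


def parse_proxy_login(raw: str) -> ProxyLogin:
    """Normalize the login name a browser sends through an explicit proxy.

    Accepts the Microsoft down-level form \\domain\\user (with or without the
    leading backslash) and the UPN form user@domain. Malformed input raises
    ValueError rather than silently guessing a domain.
    """
    name = raw.strip()
    if not name:
        raise ValueError("empty login name")
    if "\\" in name:
        # Drop the empty element produced by a leading backslash.
        parts = [p for p in name.split("\\") if p]
        if len(parts) != 2:
            raise ValueError(f"malformed down-level login: {raw!r}")
        domain, user = parts
        return ProxyLogin(user, domain.lower(), "down-level")
    if "@" in name:
        user, _, domain = name.rpartition("@")
        if not user or not domain or "@" in user:
            raise ValueError(f"malformed UPN login: {raw!r}")
        return ProxyLogin(user, domain.lower(), "upn")
    return ProxyLogin(name, None, "bare")


def is_valid_login(raw: str) -> bool:
    """True if parse_proxy_login() accepts the name."""
    try:
        parse_proxy_login(raw)
        return True
    except ValueError:
        return False


def same_identity(a: str, b: str) -> bool:
    """Compare two login names as one identity regardless of syntax or case."""
    pa, pb = parse_proxy_login(a), parse_proxy_login(b)
    return pa.user.lower() == pb.user.lower() and pa.domain == pb.domain
```

Domains are lower-cased because both Windows and LDAP treat them case-insensitively; the user part is kept as typed and only compared case-insensitively in same_identity().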
To configure LDAP user and groups:
    show user ldap ldap-kerberos
    config user ldap
        edit "ldap-kerberos"
            set server "172.18.62.177"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password ENC MTAwNFfjyN9z/vpN/OIOIx+nH3XWOCEu37dfjDACEUuX/iHiKWLtg48dv8zfY5irbcl6/2j9Ti5+zuDQYLc2f/BSUAfjALZqbL4Z/CwvSg+kgExmG7RUfFoIoL+Ir11TKue2IissXuQKzjTuB5Hu8CtM9wrmqJwsVsTrksT8yFZz71JV6/M3SbezFof2yNNy2nBxGw==
        next
    end
    config user group
        edit "ldap-group"
            set member "ldap-kerberos"
        next
    end
To configure authentication rule and scheme:
    config authentication scheme
        edit "au-basic"
            set method basic
            set user-database "ldap-kerberos"
        next
    end
    config authentication rule
        edit "all"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "au-basic"
        next
    end
To configure a group in web proxy policy:
    config firewall proxy-policy
        edit 1
            set uuid 32a4ef88-7e7e-51e9-ccd3-9e979b2f25d1
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "ldap-group"
            set utm-status enable
            set ssl-ssh-profile "deep-custom"
            set av-profile "av"
            set replacemsg-override-group "auth-proxy-policy-1558741043926"
            set comments "Clone of 1"
        next
    end
When traffic is sent through the proxy, the browser prompts for authentication; the user can enter the name in either the \domain\user or the user@domain form.
To verify that the user is logged in:
    diagnose wad user list
    ID: 1, IP: 10.1.100.13, VDOM: vdom1
      user name   : test1
      duration    : 135
      auth_type   : Session
      auth_method : Basic
      pol_id      : 6
      g_id        : 5
      user_based  : 0
      expire      : 575
      LAN:
        bytes_in=2070 bytes_out=6496
      WAN: