Technical Note: FortiOS - How to avoid 'invalid certificate' messages when using NTLM authentication
Description
This article explains how to avoid 'invalid certificate' messages when using NTLM authentication on the FortiGate.
Scope
FortiOS all versions.
Solution
Symptoms:
- A user receives 'invalid certificate' warning messages when trying to access websites over HTTPS.
- Deep inspection for HTTPS is not enabled on the FortiGate.
- The symptoms persist even after changing the HTTPS port in the FortiOS protocol options, so that the HTTPS settings no longer apply to traffic on port 443.
Configuration:
config firewall policy
    edit 4
        set srcintf "port13"
        set dstintf "port14"
        set srcaddr "DHCP INTERNAL"
        set dstaddr "all"
        set action accept
        set ntlm enable
        set fsso enable
        set identity-based enable
        config identity-based-policy
            edit 3
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "Internet Access Denied"
                set service "HTTP" "HTTPS"
                set webfilter-profile "BlockAll_WebFilter"
                set profile-protocol-options "Global_Protocol"
            next
            edit 1
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "Internet Social Allowed"
                set service "ANY"
                set av-profile "Global_AV"
                set webfilter-profile "Social"
                set ips-sensor "all_default_pass"
                set application-list "Standard_Apps"
                set application-charts top10-app top10-p2p-user top10-media-user
                set profile-protocol-options "Global_Protocol"
            next
            edit 2
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "Domain Users"
                set service "ANY"
                set av-profile "Global_AV"
                set webfilter-profile "NoSocial"
                set ips-sensor "all_default_pass"
                set application-list "Standard_Apps"
                set application-charts top10-app top10-p2p-user top10-media-user
                set profile-protocol-options "Global_Protocol"
            next
        end
    next
end
Solution prior to FortiOS 5.2:
config firewall profile-protocol-options
    edit "Global_Protocol"
        set ssl-invalid-server-cert-log enable
        config http
            set port 80
            set options clientcomfort
            set comfort-interval 1
            set comfort-amount 2048
            unset post-lang
            set oversize-limit 2
        end
        config https
            set port 442
            set options allow-invalid-server-cert
            unset post-lang
            set oversize-limit 1
        end
    next
end
Solution for FortiOS 5.2:
config user setting
    set auth-ca-cert ca_certificate_name
end
Here ca_certificate_name is the name of a CA certificate already imported into the FortiGate certificate store, whose CA is trusted by the users' browsers.
Solution
These symptoms are the expected behaviour of FortiOS when NTLM authentication is applied to HTTPS traffic.
Although the NTLM username exchange is transparent to the user, the FortiGate has to intercept the SSL session in order to insert the redirect to the NTLM authentication request, and to do so it presents its own certificate for the requested site. The browser cannot validate that certificate against a trusted CA, which is what generates the 'invalid certificate' warning.
Enabling HTTPS deep inspection does not change this behaviour, because authentication and deep inspection are two separate processes on the FortiGate, and authentication takes place first.
To authenticate users on HTTPS traffic without certificate errors, FSSO MUST be used: FSSO learns the user identity from domain logon events, so no HTTPS session has to be intercepted.
From FortiOS 5.2 onwards it is also possible to configure the CA that the FortiGate uses to re-sign the server certificate it inserts into the SSL connection when it intercepts the session and redirects the client to the NTLM authentication request (config user setting, set auth-ca-cert). That CA must be trusted by the users' browsers, otherwise the 'invalid certificate' messages persist.
For configuration information refer to the Authentication section of the FortiOS Handbook, which is available in the Fortinet Document Library.
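The following script is an added example and is not part of the Fortinet note. It reproduces the trust decision the browser makes during the NTLM redirect: a "Corp Auth CA" stands in for the CA selected with set auth-ca-cert, an "intercept" certificate for www.example.com signed by that CA stands in for the certificate the FortiGate presents in the intercepted session, and openssl verify plays the role of the browser, once with a trust store that lacks the auth CA and once with a store that contains it. It needs only the openssl CLI; all certificate names and the host name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Fortinet's code): why the FortiGate's auth-ca-cert must be
# trusted by the client. Requires the openssl CLI. All subject names below are
# constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CA imported into the FortiGate and selected with
#   config user setting / set auth-ca-cert <name>
make_auth_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Corp Auth CA" \
        -keyout "$WORK/auth-ca.key" -out "$WORK/auth-ca.pem" >/dev/null 2>&1
}

# Stand-in for the certificate the FortiGate re-signs and presents for the
# requested site while it inserts the redirect to the NTLM authentication request.
make_intercept_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" \
        -keyout "$WORK/intercept.key" -out "$WORK/intercept.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 \
        -in "$WORK/intercept.csr" \
        -CA "$WORK/auth-ca.pem" -CAkey "$WORK/auth-ca.key" -CAcreateserial \
        -out "$WORK/intercept.pem" >/dev/null 2>&1
}

# A trust store that does NOT contain the auth CA, i.e. a client machine that
# never received the FortiGate's CA. It holds an unrelated self-signed CA only.
make_unrelated_store() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# Validate the intercept certificate against a trust store the way a browser
# does. Prints "trusted" or "invalid certificate".
check_with_store() {
    store="$1"
    if openssl verify -CAfile "$store" "$WORK/intercept.pem" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "invalid certificate"
    fi
}

# Client without the auth CA in its store: the symptom described in this note.
result_untrusted() { check_with_store "$WORK/other.pem"; }
# Client with the auth CA in its store: the FortiOS 5.2 fix.
result_trusted()   { check_with_store "$WORK/auth-ca.pem"; }

make_auth_ca
make_intercept_cert
make_unrelated_store
echo "auth CA absent from client store:  $(result_untrusted)"
echo "auth CA present in client store:   $(result_trusted)"
```

To check a real deployment, run openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts from a client that has not yet authenticated and look at the issuer of the certificate it receives: during the NTLM redirect it should be the CA named in set auth-ca-cert, and that CA must be present in the client's trust store (for domain members, typically distributed by group policy).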
