Technical Tip: Enforcing Kerberos instead of NTLM on FSSO Collector Agent
Description
This article describes how to enforce Kerberos usage instead of NTLM in FSSO Collector Agent.
Scope
FSSO Collector Agent 5.0.0325 and higher.
Solution
The FSSO (Fortinet Single-Sign-On) Collector Agent monitors user logins in a Windows Active Directory environment and is able to share this login information with FortiGates for a seamless user experience while still enabling access management based on user identity and group memberships.
To detect and manage the logins, the Collector Agent uses NTLM in a few instances. These are:
- Event Log Polling.
- Workstation checks.
- As NTLM proxy for FortiGate proxy authentication.
Event log polling:
The Collector Agent has two main methods to collect user login information, via DC Agent mode, and via Event Log Polling.
Event Log Polling involves the Collector Agent authenticating itself to the domain controllers and reading the Windows Security Event Logs. The authentication step typically involves the use of NTLM.
Workstation checks:
As part of login maintenance (checking if logins are still accurate), the Collector Agent connects to users' workstations and verifies what user is currently logged in. The connection involves the use of WMI, and as part of that the FSSO service account authenticates itself via NTLM.
NTLM Proxy:
FortiGate can be set up to authenticate traffic via explicit/transparent proxy. NTLM is one of the available authentication options. FortiGate can be configured to either authenticate users via NTLM directly to domain controllers, or it can be set up to use an FSSO Collector Agent for NTLM authentication instead. If the latter is chosen, then the NTLM authentication traffic is essentially transported via the existing FSSO session between FortiGate and Collector Agent, and the Collector Agent performs the actual NTLM authentication against a domain controller.
FSSO Collector Agent version 5.0.0325 and higher also introduces a new feature to enforce Kerberos authentication for the service account instead of NTLM. This affects Polling Mode and workstation checks.
The optional setting is available under 'Show Monitored DCs' -> 'Select DC to Monitor...' -> 'Polling Mode' -> 'Check Windows Security Event Logs'.

While the setting is only visible when Polling Mode is enabled, it also applies to DC Agent mode.
If the Collector Agent is in DC Agent mode and cannot be temporarily switched to Polling Mode to enable the setting, the setting can also be enabled via registry.
Under 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent', add a registry value named 'ep_enforce_kerberos' of type DWORD and set it to 1.
After the key is added, the FSSO service needs to be restarted for the change to take effect.
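The registry procedure above, plus a way to confirm it took effect, as an added PowerShell example (this is not Fortinet's script). The registry path and value name are the ones given in the article; the service name is a placeholder because the article does not name the Windows service, and 'svc_fsso' is a constructed sample name for the FSSO service account. The check function reads a domain controller's Security log for NTLM credential validations (Event ID 4776) and NTLM logons (4624 with AuthenticationPackageName NTLM) for that account; once Kerberos is enforced, these should stop appearing for the Collector Agent's polling and workstation-check traffic, with Kerberos ticket events (4768/4769) taking their place.

```powershell
# Added example, not Fortinet's own code. Assumptions, labelled here:
#  - $ServiceName is a PLACEHOLDER; find the real service with
#    Get-Service | Where-Object DisplayName -like '*Fortinet*'
#  - $FssoAccount is a constructed sample name for the FSSO service account.
#  - Enable-FssoKerberosEnforcement runs elevated on the Collector Agent host;
#    Get-FssoNtlmLogons runs elevated on a domain controller.

$RegPath     = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent'  # from the article
$ValueName   = 'ep_enforce_kerberos'                                        # from the article
$ServiceName = 'PLACEHOLDER_FSSO_SERVICE_NAME'                              # assumption
$FssoAccount = 'svc_fsso'                                                   # constructed sample

function Enable-FssoKerberosEnforcement {
    # Create the path if needed, set the DWORD to 1, and restart the service,
    # since the Collector Agent only picks the setting up on restart.
    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq 1) {
        Write-Host "$ValueName is already 1; nothing to change."
        return
    }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value 1 -Type DWord
    Restart-Service -Name $ServiceName -Force
    Write-Host "Set $ValueName=1 and restarted $ServiceName."
}

function Get-FssoNtlmLogons {
    # Evidence from the DC Security log that the account still uses NTLM:
    #  - 4776: the DC validated credentials via NTLM (this event is NTLM-only)
    #  - 4624: a logon whose AuthenticationPackageName is NTLM
    # 4776 on the DC also covers the WMI workstation checks, because the DC
    # validates those NTLM credentials even though the 4624 lands on the workstation.
    param([int]$Hours = 1)
    $ms    = $Hours * 3600 * 1000   # Windows event XPath uses timediff() in milliseconds
    $xpath = "*[System[(EventID=4776 or EventID=4624) and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='TargetUserName']='$FssoAccount']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name=...> elements into a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $data['TargetUserName']
                Package = if ($_.Id -eq 4776) { 'NTLM' } else { $data['AuthenticationPackageName'] }
                Source  = if ($_.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
            }
        } |
        Where-Object { $_.Package -eq 'NTLM' }
}

# Usage (uncomment on the appropriate host):
# Enable-FssoKerberosEnforcement           # on the Collector Agent host
# Get-FssoNtlmLogons -Hours 2 | Format-Table  # on a domain controller; an empty result is the goal
```

Run the check once before the change to capture a baseline, then again after the service restart and at least one polling and workstation-verify interval have passed; a run that still returns rows points to the NTLM proxy feature or to another client using the same account, since the enforcement setting only covers Polling Mode and workstation checks.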

In older versions, there are a few workarounds available instead:
- DC Agent mode.
Polling mode requires that the Collector Agent actively connects to and authenticates on the domain controllers it accesses. DC Agent mode instead relies on DC Agents to forward observed login activity to the Collector Agent, so the FSSO service account does not have to authenticate to domain controllers.
- Disabling workstation check.
Workstation checks are enabled by default, and set to five minutes. Setting the timer 'Workstation verify interval' to zero disables the workstation check. This means the Collector Agent no longer verifies if the user detected during login is still active on the workstation, and some FSSO logins may become stale before eventually being discarded due to timeouts.
- Removing NTLM authentication support.
NTLM authentication support is disabled by default on the Collector Agent, and if enabled, can be toggled off as well. This setting only applies to FortiGates using the Collector Agent to proxy NTLM authentication requests - it does not impact the Collector Agent using NTLM as part of Polling Mode or workstation checks.
Related document: