Can't authenticate with alternative domain UPN suffix on Fortiproxy

Question

I recently added a UPN suffix to our domain and when a user logs into their workstation using the new UPN domain, e.g. user@domain.local, I can not get the Fortiproxy to authenticate the user. I have followed older write up on how to strip the domain suffix from the UPN, but I can't get it to work.

I'm running v7.0.7, have configured Kerbose user, LDAP server and verified it can validate the user (without the UPN suffix) and it works, but I just can't seem to get the Fortiproxy to strip the UPN suffix off the user account automatically to authenticate them. I have tried everything from leaving the account-key-filter as the default when created to the existing userPrincipalName the image shows.

User event logs shows either User failed in authentication or User failed in group information query and I know it has to do with not stripping the UPN suffix but this is kicking my tail!!!!!

Any help would be greatly appreciated!!!

ldap config.png

mturic · Answer

Hi Paul,

from what I see, I think you need to change your account-key-filter to filter to the sAMAccountName format. This would strip the domain suffixes from the UPN part, and would search only for your username as a sAMAccountName value.
The only prerequisite for this to work, however, is that your UPN without the domain suffix and sAMAccountName values are identical on your AD.

config user ldap

edit xxxxxxx

set account-key-processing strip

set account-key-name "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

end

You can also check this KB for further reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Strip-domain-strings-from-a-UPN-in-Kerberos/ta-p/198782

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded