James_G
New Member
September 10, 2018
Question

LDAP / NTLM authentication with explicit proxy

  • September 10, 2018
  • 1 reply
  • 8045 views

Does anyone have a simple guide to setting up LDAP / NTLM authentication with explicit proxy, without agents or DC polling, using per session HTTP authentication as documented here: https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-WAN-opt/web_proxy.htm


PS this unit is running FortiOS 6.0.2


In my mind it should be simple - but I'm struggling on this one :(


    James_G (Author)
    New Member
    September 10, 2018

    What I am trying to achieve is as documented here - http://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-authentication/FSAE.htm


    All I need is NTLM auth to explicit proxy, no other SSO

    Agentless NTLM support

    Agentless NTLM authentication can be configured directly from the FortiGate to the Domain Controller via SMB protocol (no agent is required).

    Note that this authentication method is only supported for proxy policies.

    Syntax

    Note that domain-controller is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.

    config authentication scheme
        edit <name>
            set method ntlm
            set domain-controller <dc-setting>
        next
    end

    config user domain-controller
        edit <name>
            set ip-address <dc-ip>
            set port <port>              (default = 445)
            set domain-name <dns-name>
            set ldap-server <name>
        next
    end

    blackhole_route
    New Member
    October 13, 2018

    Yes - I do have this working and can reference my configs to get all the details if you are still having trouble with this.

    IIRC, you also need to define authentication rules to select the auth scheme and backend domain controller for the traffic. And then LDAP to query for group memberships after the user authenticates via NTLM.
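Putting the pieces from both replies together, here is an added, end-to-end FortiOS 6.0 CLI example of agentless NTLM authentication on the explicit proxy with LDAP group lookup. It is not a config posted by either participant or taken from the Fortinet documentation; all names (LDAP-DC, DC1, NTLM-Scheme, Proxy-NTLM, Proxy-Users), IP addresses, the example.local domain, the bind DN and the group DN are constructed placeholders, and the interface name and service account password must be replaced with your own. The `user ldap`, `authentication rule`, `authentication setting`, `user group` and `firewall proxy-policy` stanzas go beyond the two snippets quoted above, because those are the objects that tie the scheme to actual proxy traffic.

```text
# --- 1. LDAP server used for group membership lookups (constructed values) ---
config user ldap
    edit "LDAP-DC"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=local"
        set password <REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD>
    next
end

# --- 2. Domain controller the FortiGate talks to over SMB (port 445) for NTLM ---
config user domain-controller
    edit "DC1"
        set ip-address 10.0.0.10
        set port 445
        set domain-name "example.local"
        set ldap-server "LDAP-DC"
    next
end

# --- 3. Authentication scheme: NTLM, agentless, bound to DC1 ---
config authentication scheme
    edit "NTLM-Scheme"
        set method ntlm
        set domain-controller "DC1"
    next
end

# --- 4. Authentication rule: which traffic triggers active (browser) auth ---
config authentication rule
    edit "Proxy-NTLM"
        set status enable
        set protocol http
        set srcaddr "all"
        set active-auth-method "NTLM-Scheme"
    next
end

# Fallback scheme used when no rule matches
config authentication setting
    set active-auth-scheme "NTLM-Scheme"
end

# --- 5. Group that resolves membership through LDAP after NTLM succeeds ---
config user group
    edit "Proxy-Users"
        set member "LDAP-DC"
        config match
            edit 1
                set server-name "LDAP-DC"
                set group-name "CN=Proxy Users,OU=Groups,DC=example,DC=local"
            next
        end
    next
end

# --- 6. Explicit proxy and the proxy policy that requires the group ---
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan1"          # replace with your egress interface
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "Proxy-Users"
        set logtraffic all
    next
end
```

The order matters for troubleshooting: if the browser never gets a 407 challenge, the authentication rule is not matching; if it is challenged but denied, check the LDAP bind and group DN, since the proxy policy only passes users whose NTLM login resolves to a member of Proxy-Users. `diagnose wad user list` shows which users the proxy currently considers authenticated, which is the quickest way to confirm the NTLM leg is working before chasing the group match.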