Rob_it
New Member
September 13, 2018
Question

NTLM enabled policy not prompting for login credentials

  • September 13, 2018
  • 2 replies
  • 8319 views

Hello,

Fortigate 500D Firmware 5.6.5

We have an AD network with the FSSO Collector monitoring DCs (Agent mode)

FSSO configured on the FTG and FSSO user group pointing to AD user group for internet access.

IPv4 policy set up with Source: all + FSSO group above, Dest: all - this is working fine. Users get internet access and appear in the logs.

We also have some Macs which we want to authenticate through the browsers, so via the CLI I've enabled "ntlm", "ntlm-guest" and "ntlm-enable-browsers" on the above policy, but no login prompt is appearing in any browser, no matter what I try. The Macs' IP just hits the DENY rule in the logs. I've tried with a non-domain Windows PC too - same issue.

Have I configured something wrong? Am I missing something? I've been scratching my head over this for a couple of days now; any help would be appreciated.

Thanks for reading.

    2 replies

    KhizerSaleem
    New Member
    September 15, 2018

    Hi Rob,

    On the CLI, where do you enable NTLM: is it under the authentication scheme, or somewhere else?

    I don't know about the case of the IPv4 policy, but I deployed proxy authentication on v6.0.2, and for browser-based authentication you have to disable the ip-based setting in the authentication rule.

    i.e.:

    config authentication rule
        set ip-based disable

    In this way, after defining the proxy policy you will get browser-based authentication and be prompted for user credentials.

    Rob_it (Author)
    New Member
    September 17, 2018

    Hi, and thank you for replying.

    I've enabled ntlm on the firewall policy (config firewall policy).

    I'm still not 100% clear as to whether what I am trying to do is possible on the IPv4 rules.

    Thanks

    KhizerSaleem
    New Member
    September 17, 2018

    Hi,

    As your concern is browser-based authentication, it can be fulfilled by setting up the Explicit Web Proxy feature.

    Prepare the proxy setup and configs on the CLI using authentication rules, scheme and setting, then add the proxy in the browser; in the authentication scheme use the ntlm method, and disable ip-based in the authentication rule.

    You'll get the prompt, and it will be browser-based, so after closing and re-opening the browser you'll get the prompt again.
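
    Putting the steps from this thread together, as an added example that is not from any of the posters: a FortiOS 6.0-style explicit web proxy with an NTLM authentication scheme and ip-based disabled in the authentication rule, using the FSSO collector agent the original poster already has. The quoted names (scheme, rule, FSSO agent, group, interface), the proxy port and the policy ID are placeholders/assumptions; only "set ip-based disable" and "set method ntlm" come from the thread.

```text
# Added example (not from any poster in this thread): FortiOS 6.0-style
# explicit web proxy with browser (NTLM) authentication. Names in quotes
# are placeholders; port 8080 and the interface name are assumptions.

# 1. Turn on the explicit web proxy that the Mac browsers will point at.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end

# 2. Authentication scheme: NTLM, validated through the FSSO collector agent.
config authentication scheme
    edit "ntlm-browser"
        set method ntlm
        set fsso-agent-for-ntlm "FSSO_COLLECTOR_AGENT_NAME"
    next
end

# 3. Authentication rule: ip-based must be disabled so the prompt is tied to
#    the browser session instead of being cached per source IP.
config authentication rule
    edit "ntlm-browser-rule"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "ntlm-browser"
    next
end

# 4. Make it the active scheme for proxy authentication.
config authentication setting
    set active-auth-scheme "ntlm-browser"
end

# 5. Proxy policy: only members of the AD group reach the internet, and
#    traffic is logged so denied or unauthenticated sessions show in the logs.
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "WAN_INTERFACE"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "AD_INTERNET_GROUP"
        set logtraffic all
    next
end
```

    Browsers on the Macs then need the FortiGate address and port 8080 set as their HTTP proxy; since the rule is not ip-based, the prompt recurs per browser session, as described above.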

    Zain-Gilani
    New Member
    January 6, 2022

    I tried and it works.

    Just re-create the authentication-rules and authentication-scheme, then the problem will be resolved.