Description
Agentless NTLM authentication can be configured directly from the FortiGate to the Domain Controller over the SMB protocol, so no collector agent is required. This authentication method is supported only for proxy policies. The set domain-controller command is available only when method is set to ntlm and/or negotiate-ntlm is set to enable.
This article describes how to configure this feature.
Solution
This feature is configured from the CLI using the commands given below. Make sure an LDAP server is already configured on the FortiGate, since the domain controller entry references it:
#config user domain-controller
    edit <name>
        set ip-address <dc-ip>
        set port <port>                <-- default = 445
        set domain-name <dns-name>
        set ldap-server <name>
    next
end

#config authentication scheme
    edit <name>
        set method ntlm
        set domain-controller <dc-setting>
    next
end

#config authentication rule
    edit <name>
        set srcaddr "all"
        set active-auth-method 'ntlm'
    next
end

#config authentication setting
    set active-auth-scheme <select ntlm scheme>
end

#config system dns
    set primary x.x.x.x                <-- local DNS server that can resolve the domain name
    set secondary x.x.x.x
end
Verification:

#diagnose wad user list
ID: 178, IP: 10.120.0.174, VDOM: root
  user name : SNDP
  duration : 13
  auth_type : 1
  auth_method : 2
  pol_id : 1
  g_id : 2
  user_based : 0
  expire : 593
  LAN:
    bytes_in=45885 bytes_out=55762
  WAN:
    bytes_in=49728 bytes_out=40434

auth_method = 2 <----- means the user has been authenticated with NTLM.
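As an added example (not part of the Fortinet article), a small Python script that parses the output of diagnose wad user list and lists the sessions whose auth_method is 2 (NTLM). The sample output is constructed: the first entry mirrors the article, the second entry and its auth_method value are invented to show a non-NTLM session being skipped.

```python
import re

# Constructed sample of `diagnose wad user list` output (not captured from a
# device); the first entry mirrors the article, the second is invented.
SAMPLE_OUTPUT = """\
ID: 178, IP: 10.120.0.174, VDOM: root
  user name : SNDP
  duration : 13
  auth_type : 1
  auth_method : 2
  pol_id : 1
  g_id : 2
  user_based : 0
  expire : 593
  LAN:
    bytes_in=45885 bytes_out=55762
ID: 179, IP: 10.120.0.201, VDOM: root
  user name : JDOE
  auth_method : 1
"""

# Only the code the article documents is named; other values are reported as-is.
AUTH_METHOD_NAMES = {2: "ntlm"}
ENTRY_RE = re.compile(r"^\s*ID:\s*(\d+),\s*IP:\s*([^,]+),\s*VDOM:\s*(\S+)")
KV_RE = re.compile(r"^\s*([a-z_ ]+?)\s*:\s*(\S+)\s*$")

def parse_wad_user_list(text: str) -> list[dict[str, str]]:
    """Turn the output into one dict per session; LAN/WAN counters are skipped."""
    entries: list[dict[str, str]] = []
    current = None
    for line in text.splitlines():
        head = ENTRY_RE.match(line)
        if head:
            current = {"id": head.group(1), "ip": head.group(2).strip(), "vdom": head.group(3)}
            entries.append(current)
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1).strip().replace(" ", "_")] = kv.group(2)
    return entries

def auth_method_name(code: str) -> str:
    """Map the numeric auth_method field to a name (2 = NTLM per the article)."""
    return AUTH_METHOD_NAMES.get(int(code), f"unknown({code})")

def ntlm_sessions(entries: list[dict[str, str]]) -> list[tuple[str, str]]:
    """Return (user_name, ip) for every session authenticated with NTLM."""
    return [(e.get("user_name", "?"), e["ip"]) for e in entries
            if auth_method_name(e.get("auth_method", "0")) == "ntlm"]
```

Feed it the text of the CLI output to get a quick list of which proxy users actually came through agentless NTLM rather than another method.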