DescriptionAgentless NTLM authentication can be configured directly from the FortiGate to the Domain Controller using the SMB protocol (no agent is required). This authentication method is only supported for proxy policies. The set domain-controller command is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.
This article describes how to configure this feature.
SolutionThis needs to be configured from CLI using the commands given below, make sure LDAP is already configured on FortiGate:
#config user domain-controller
edit <name>
set ip-address <dc-ip>
set port <port> - default = 445
set domain-name <dns-name>
set ldap-server <name>
next
end
#config authentication scheme
edit <name>
set method ntlm
set domain-controller <dc-setting>
next
end
#config authentication rule
edit <name>
set srcaddr "all"
set active-auth-method 'ntlm'
next
end
#config authentication setting
set active-auth-scheme <select ntlm scheme>
end
#config system dns
set primary x.x.x.x -> local dns server to resolve domain name
set secondary x.x.x.x
end
Verification:
#diagnose wad user list
ID: 178, IP: 10.120.0.174, VDOM: root
user name : SNDP
duration : 13
auth_type : 1
auth_method : 2
pol_id : 1
g_id : 2
user_based : 0
expire : 593
LAN:
bytes_in=45885 bytes_out=55762
WAN:
bytes_in=49728 bytes_out=40434
auth_method = 2 <-----Means the user has been authenticated with NTLM.
