FortiGate
rtanagras
Staff
Article Id 318302

Description

This article explains how to set up Microsoft Entra Domain Services with secure LDAP and connect it to FortiGate as an LDAP authentication server. It covers adding a custom domain, configuring Entra Domain Services, enabling secure LDAP, importing the CA certificate into FortiGate, and the FortiGate CLI configuration for the LDAPS connection.

Scope

FortiGate.

Solution

  1. Set up your domain by following this article from Microsoft: Add a custom domain.

Note:

When adding the custom domain, Microsoft provides a TXT (or MX) record that must be published in the domain's public DNS zone at the registrar, so that Entra ID can verify ownership of the domain. In the screenshot below, the TXT record has been created in the GoDaddy DNS Management page.

[Screenshot: TXT record for the custom domain in GoDaddy DNS Management]

  2. Create and configure Microsoft Entra Domain Services. Follow this guide for the full setup: Create a Microsoft Entra Domain Services instance.
  3. Enable and configure secure LDAP in Microsoft Entra Domain Services: Configure secure LDAP. This step needs a certificate (a PFX with its private key) to upload in the secure LDAP settings. Either follow the Microsoft guide to create a self-signed certificate or issue one from your own certificate server. Either way, keep the certificate of the CA that signed it: FortiGate needs that CA certificate to validate the LDAPS server certificate. If the FortiGate reaches the endpoint over the internet, also enable 'Allow secure LDAP access over the internet' and restrict the network security group rule for TCP 636 to the FortiGate's public IP address.
  4. Import the CA certificate into the FortiGate: System -> Certificates -> Create/Import -> CA Certificate -> File, then select 'Upload'. Import only the CA's public certificate here, not the PFX that holds the private key.
  5. Connect the FortiGate to the Azure LDAPS endpoint with the settings below.

[Screenshot: aadds-ldaps-azure, the LDAP server settings in the FortiGate GUI]

Command Line:

config user ldap
    edit "Azure-LDAP"
        set server "172.190.141.131"        # LDAPS external IP address, listed in the managed domain's Properties
        set server-identity-check disable   # needed when the server is given by IP; see the note below
        set cnid "mail"                     # mail as Common Name Identifier: the login name is matched against the mail attribute
        set dn "dc=pitou,dc=online"         # your domain, written as a base DN
        set type regular
        set username "user1@adcorp.site"    # your credentials: use a dedicated, least-privilege bind account in UPN form
        set password <your-password>
        set secure ldaps                    # LDAP over TLS
        set ca-cert "azure-ldaps-ca"        # the LDAPS CA certificate imported under System -> Certificates
        set port 636
    next
end

Note: server-identity-check is disabled here only because the server is addressed by its external IP while the secure LDAP certificate is issued for the domain name, so a name match would fail. The CA certificate still validates the certificate chain, but the server name is not checked. Where possible, create a DNS record for the LDAPS endpoint (for example ldaps.<your-domain>) pointing at the external IP, set server to that name and set server-identity-check enable.

The CA certificate imported through the GUI receives a default name such as CA_Cert_1. Rename it to match the name referenced by ca-cert with these CLI commands:

Command Line:

config vpn certificate ca
    rename CA_Cert_1 to azure-ldaps-ca
end

After that, the LDAP server's connection status in the FortiGate GUI shows as connected.

Results:

The output below is a bind test with ldp.exe. Note that this run went to the managed domain's internal address 10.1.0.4 on port 389 with LDAP signing and sealing (LDAP_OPT_ENCRYPT), so it confirms the directory and the user1 credentials rather than the LDAPS endpoint on port 636 that the FortiGate uses.

ld = ldap_open("10.1.0.4", 389);
Established connection to 10.1.0.4.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=pitou,DC=online;
currentTime: 9/6/2023 1:16:44 PM Coordinated Universal Time;
defaultNamingContext: DC=pitou,DC=online;
dnsHostName: AM0KXYLAGGL34RH.pitou.online;
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( WIN2016 );
dsServiceName: CN=NTDS Settings,CN=AM0KXYLAGGL34RH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pitou,DC=online;
forestFunctionality: 7 = ( WIN2016 );
highestCommittedUSN: 203752;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: pitou.online:am0kxylaggl34rh$@PITOU.ONLINE;
namingContexts (5): DC=pitou,DC=online; CN=Configuration,DC=pitou,DC=online; CN=Schema,CN=Configuration,DC=pitou,DC=online; DC=DomainDnsZones,DC=pitou,DC=online; DC=ForestDnsZones,DC=pitou,DC=online;
rootDomainNamingContext: DC=pitou,DC=online;
schemaNamingContext: CN=Schema,CN=Configuration,DC=pitou,DC=online;
serverName: CN=AM0KXYLAGGL34RH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pitou,DC=online;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=pitou,DC=online;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (40): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255 = ( SET_OWNER ); 1.2.840.113556.1.4.2256 = ( BYPASS_QUOTA ); 1.2.840.113556.1.4.2309 = ( LINK_TTL ); 1.2.840.113556.1.4.2330; 1.2.840.113556.1.4.2354;
supportedLDAPPolicies (20): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxDirSyncDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='user1'; Pwd=<unavailable>; domain = 'pitou.online'}
Authenticated as: 'PITOU\user1'.-->FINALLY AUTHENTICATED
-----------
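To tie the FortiGate entry to what the directory reports, the following Python script, an added example that is not part of the Fortinet article, parses the ldp.exe RootDSE attributes above and the config user ldap stanza, then flags the mismatches a reviewer would look for: a base DN that differs from defaultNamingContext, TLS switched off or LDAPS without a CA certificate or on the wrong port, server-identity-check left disabled (and the IP-literal server that forces it), and a bind account whose UPN suffix differs from the directory domain. The RootDSE lines are abbreviated from the article's output; the DNS name ldaps.pitou.online and the account svc-fortigate@pitou.online used by hardened_entry() are assumptions.

```python
"""Cross-check a FortiGate 'config user ldap' entry against what the directory
reports in its RootDSE.  Added example, not code from the Fortinet article.
The RootDSE lines are abbreviated from the article's ldp.exe output; the DNS
name and service account used by hardened_entry() are assumptions."""
import ipaddress
import re

# Abbreviated RootDSE attributes, as printed by ldp.exe in the article.
ROOTDSE_TEXT = """\
Dn: (RootDSE)
defaultNamingContext: DC=pitou,DC=online;
dnsHostName: AM0KXYLAGGL34RH.pitou.online;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
"""

# The article's FortiGate LDAP server entry, without the password line.
FORTIGATE_LDAP_TEXT = """\
config user ldap
    edit "Azure-LDAP"
        set server "172.190.141.131"
        set server-identity-check disable
        set cnid "mail"
        set dn "dc=pitou,dc=online"
        set type regular
        set username "user1@adcorp.site"
        set secure ldaps
        set ca-cert "azure-ldaps-ca"
        set port 636
    next
end
"""


def parse_rootdse(text):
    """Turn ldp.exe lines of the form 'name (n): v1; v2;' into {name: [values]}."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)(?: \(\d+\))?: (.*?);?\s*$", line)
        if m:
            name, raw = m.groups()
            attrs[name] = [v.strip() for v in raw.split(";") if v.strip()]
    return attrs


def parse_fortigate_ldap(text):
    """Collect the 'set <key> <value>' pairs of one FortiOS LDAP server entry."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*set (\S+) (.*)$", line)
        if m:
            key, value = m.groups()
            cfg[key] = value.strip().strip('"')
    return cfg


def base_dn_to_domain(dn):
    """'DC=pitou,DC=online' -> 'pitou.online'."""
    return ".".join(p.split("=", 1)[1] for p in dn.split(",")
                    if p.strip().lower().startswith("dc="))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ldap_entry(cfg, rootdse):
    """Return the list of findings; empty means the entry matches the directory
    and authenticates the server properly over TLS."""
    findings = []
    base = rootdse.get("defaultNamingContext", [""])[0]
    if cfg.get("dn", "").lower() != base.lower():
        findings.append(f"dn {cfg.get('dn')!r} does not match defaultNamingContext {base!r}")
    secure = cfg.get("secure", "disable")  # FortiOS default is disable (plain LDAP on 389)
    if secure not in ("ldaps", "starttls"):
        findings.append("no TLS (secure disable): bind credentials cross the network in clear text")
    else:
        if secure == "ldaps" and cfg.get("port") != "636":
            findings.append("secure ldaps but port is not 636")
        if not cfg.get("ca-cert"):
            findings.append("TLS without ca-cert: the server certificate is not validated")
    if cfg.get("server-identity-check") != "enable":
        msg = "server-identity-check is not enabled: the certificate name is not checked against 'server'"
        if is_ip_literal(cfg.get("server", "")):
            msg += "; publish a DNS name for the LDAPS endpoint and use it instead of the IP"
        findings.append(msg)
    user = cfg.get("username", "")
    if "@" in user:
        realm, domain = user.rsplit("@", 1)[1].lower(), base_dn_to_domain(base).lower()
        if realm != domain:
            findings.append(f"bind account realm {realm!r} differs from directory domain {domain!r}; "
                            "confirm this UPN suffix exists in the managed domain")
    return findings


def hardened_entry(cfg, ldaps_name="ldaps.pitou.online", bind_user="svc-fortigate@pitou.online"):
    """The same entry addressed by a DNS name (assumed) that the secure LDAP
    certificate covers, with the identity check on and a dedicated bind account."""
    out = dict(cfg)
    out.update({"server": ldaps_name, "server-identity-check": "enable", "username": bind_user})
    return out


if __name__ == "__main__":
    rootdse = parse_rootdse(ROOTDSE_TEXT)
    cfg = parse_fortigate_ldap(FORTIGATE_LDAP_TEXT)
    for label, entry in (("article", cfg), ("hardened", hardened_entry(cfg))):
        print(f"{label}: {check_ldap_entry(entry, rootdse) or ['no findings']}")
```

Run against the article's entry, the checks return two findings (the disabled identity check on an IP-literal server, and the adcorp.site realm that differs from pitou.online); the hardened variant returns none, because the server is named by a DNS record the certificate covers and the identity check is on.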
