Technical Tip: Using NTLM as a backup authentication for FSSO in FortiProxy

Description

This article explains how to configure NTLM as a backup for FSSO on FortiProxy.

Scope

FortiProxy in FortiGate.

Solution

FortiProxy Configuration:

1) Configure an Authentication Scheme as NTLM:

# show full-configuration authentication scheme

# config authentication scheme

edit "NTLM"

set method ntlm

set fsso-agent-for-ntlm "FSSO"

set fsso-guest disable

next

end

In the above, FSSO is selected as the agent. FortiProxy uses NTLM authentication from the FSSO agent that has already been integrated.

Below is the FSSO agent configured:

# show user fsso

# config user fsso

edit "FSSO"

set server "10.14.3.113"

set password ENC 1mLVYZTQ2L5iR7r9TAw3WiGhRZsxCtL+MqhfGQomAQQp5c2NiISnVvCFWKX/kzzLhC6yD4nNwd+gUdLxKVYi01EILRMRdgmXqLpZ7hKVi5iadKad5Fo7L6PuBKUjpZX9BvCw4tiMemELWeItmvSnogvSsN6gxxweHa4ulLTPRObDK2BYqaCq2Q==

set ldap-server "LDAP"

next

end

It is also possible to select the AD as the NTLM agent.

2) Configure the authentication scheme:

# show authentication rule

# config authentication rule

edit "NTLM"

set srcintf "port2" <-- port2 is the interface on which the NTLM authentication is desired.

set srcaddr "all" <-- A source chosen as required.

set active-auth-method "NTLM" <-- Calls the NTLM authentication scheme configured above.

next

end

3) Configuring the policy:

# show firewall policy 3

# config firewall policy

edit 3

set type explicit-web

set name "TEST"

set uuid be1ae90c-b280-51ed-a111-97957e1ed575

set dstintf "port1"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "webproxy"

set explicit-web-proxy "web-proxy"

set logtraffic all

set groups "FSSO" <-- FSSO is the group created for FSSO users.

next

end

FSSO group

# show user group FSSO

# config user group

edit "FSSO"

set group-type fsso-service

set member "CN=Administrator,CN=Users,DC=example,DC=com" "CN=exfortigate,CN=Users,DC=example,DC=com"

"CN=Joshi,CN=Users,DC=example,DC=com" "CN=paterson,CN=Users,DC=example,DC=com" "CN=test,CN=Users,DC=example,DC=com"

"CN=test1,CN=Users,DC=example,DC=com" "CN=thrilok,CN=Users,DC=example,DC=com"

next

end

Next, verify the authentication:

Check if the user is already part of the auth list with below command:

# di wad user list

WAD debug:

[I]2023-04-27 06:20:25.924793 [p:1041][s:550660593][r:2696] wad_dump_http_request :2674 hreq=0x7f7b6b12b958 Received request from client: 10.14.3.178:55915 <-- Request received from the PC, which is not part of FSSO list.

CONNECT msn.com:443 HTTP/1.1
Host: msn.com:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==

[I]2023-04-27 06:20:25.924801 [p:1041][s:550660593][r:2696] wad_http_str_canonicalize :2188 enc=0 path=/ len=1 changes=0
[I]2023-04-27 06:20:25.924807 [p:1041][s:550660593][r:2696] wad_http_conn_req_classify :5851 no security profile HTTPS/HTTP, tport=443
[V]2023-04-27 06:20:25.924810 [p:1041][s:550660593][r:2696] wad_url_match_find :141 Empty url-matcher!
[V]2023-04-27 06:20:25.924812 [p:1041][s:550660593][r:2696] wad_http_req_check_dns :75 hn=0x7f7b6aa08620 sn=0x7f7b6aa08738
[V]2023-04-27 06:20:25.924816 [p:1041][s:550660593][r:2696] wad_http_req_proc_dst :11891 HTTP req=0x7f7b6b12b958 check destination/quarantine ret=0
[V]2023-04-27 06:20:25.924820 [p:1041][s:550660593][r:2696] wad_http_req_check_policy :11516 start match policy vd=0(ses_ctx:cx|Phx|Me|Hh|C|A7|O) (0.0.0.0:0@4->204.79.197.219:443@3) absUrl=1
[I]2023-04-27 06:20:25.924823 [p:1041][s:550660593][r:2696] wad_fast_match_is_enable :3705 fast matching is enabled
[V]2023-04-27 06:20:25.924828 [p:1041][s:550660593][r:2696] wad_fast_match_get_dst_intf :3472 Get key dst intf:1
[V]2023-04-27 06:20:25.924830 [p:1041][s:550660593][r:2696] wad_fast_match_pol_array :3509 Try to maching pol:0, 0/1(pos/sz)
[I]2023-04-27 06:20:25.924833 [p:1041][s:550660593][r:2696] wad_fast_match_pol_array :3539 fw_pol_id=3(pol_ctx:xhcf|Ad|7?|=p) pol_id=0(pflag:H|W|U|A) asyn_in
fo=1
[V]2023-04-27 06:20:25.924835 [p:1041][s:550660593][r:2696] wad_fw_policy_set_check_id :5214 pol_id=3 dev_cked=0 <-- traffic matching the policy ID 3.
[I]2023-04-27 06:20:25.924839 [p:1041][s:550660593][r:2696] wad_http_req_get_user :11029 process=1041 auth-rule=NTLM user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=0x7f7b6b2046c8 auth_line=0x7f7b6af1e1c8 <-- matching the auth-rule NTLM.

++ Output Omitted ++

[I]2023-04-27 06:20:26.008812 [p:1041][s:550660593][r:2696] wad_http_auth_status_proc :10321 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=challenge <-- The firewall initiated the auth challenge to the user machine.
[I]2023-04-27 06:20:26.008817 [p:1041][s:550660593][r:2696] __wad_http_build_replmsg_resp :783 Generating replacement message. 407 error repmsg_id 15

++ Output Omitted ++

[I]2023-04-27 06:20:26.008922 [p:1041][s:550660593][r:2696] wad_dump_fwd_http_resp :2689 hreq=0x7f7b6b12b958 Forward response from Internal: <-- Challenge response sent to the user machine.

HTTP/1.1 407 Proxy authentication required
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAFgomiaMiGbXAV+WUAAAAAAAAAAKoAqgBGAAAACgA5OAAAAA9FAFgAQQBNAFAATABFAAIADgBFAFgAQQBNAFAATABFAAEAGgBUAEEAQwBIAFkATwBOAC
0ASwBWAE0AMAA5AAQAFgBlAHgAYQBtAHAAbABlAC4AYwBvAG0AAwAyAHQAYQBjAGgAeQBvAG4ALQBrAHYAbQAwADkALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0ABQAWAGUAeABhAG0AcABsAGUALgBjAG8AbQAHAAgA7gZO7
dx42QEAAAAA
Content-Length: 29243

++ Output Omitted ++

[V]2023-04-27 06:20:26.230336 [p:1041] wad_unix_stream_on_read_data :426 WAD unix stream socket 74 read (0,4080)
[1041] read [(0,83) (83 00 00 00 43 00 00 00 36 00 00 00 00 00 00 00 10 00 05 00 26 00 00 00 54 48 52 49 4c 4f 4b 40 45 58 41 4d 50 4c 45 00 43 4e 3d 54 48 52 49 4c 4f
4b 2c 43 4e 3d 55 53 45 52 53 2c 44 43 3d 45 58 41 4d 50 4c 45 2c 44 43 3d 43 4f 4d 00 46 53 53 4f 00 )(....C...6...........&...THRILOK@EXAMPLE.CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM.FSSO.)] <-- Proxy receiving the response with user name.
[I]2023-04-27 06:20:26.230406 [p:1041] wad_fsae_proc_ntlm_result :453 uname=THRILOK@EXAMPLE uname_len=15 grp=CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM grp_len=37 svrname_len=5
[I]2023-04-27 06:20:26.230413 [p:1041] wad_sso_group_parse :183 make membership=0x7f7b6b28b4f8 n_member=1
[member 1 len=37]: CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.230418 [p:1041] wad_fsae_ntlm_notify :445 uname=THRILOK@EXAMPLE ms=0x7f7b6b28b4f8 uname_len=15
[I]2023-04-27 06:20:26.230423 [p:1041] wad_http_auth_update_user_ext2 :2908 updating user. ip: 10.14.3.178, type:IP

++ Output Omitted ++

[V]2023-04-27 06:20:26.262558 [p:1038] wad_usr_info_get_msg :1861 user_info_svr recv msg type:7 size:144, id=0
[V]2023-04-27 06:20:26.262603 [p:1038] wad_info_trigger_add_user_to_book :513 Found user example.com/thrilok@example in book
[V]2023-04-27 06:20:26.262626 [p:1038] wad_ldap_usr_dn_filter :1100 filter=(&(userPrincipalName=thrilok@example)(!(UserAccountControl:1.2.840
.113556.1.4.803:=2)))
[V]2023-04-27 06:20:26.262665 [p:1038] wad_ldap_msg_build :3347 send request message len=351
[V]2023-04-27 06:20:26.262670 [p:1038] wad_ldap_conn_send_req :3799 ldap_conn=0x7fe8d3393938 req=0x7fe8d324b938 msg=0x7fe8d329e6c8.
[V]2023-04-27 06:20:26.262674 [p:1038] wad_ldap_conn_proc_end :3738 ldap_conn=0x7fe8d3393938 proc=1 state=2 good=1
[V]2023-04-27 06:20:26.262677 [p:1038] wad_ldap_request_submit :3925 admin request sendout on conn=0x7fe8d3393938, server:10.14.3.113
[V]2023-04-27 06:20:26.262685 [p:1038] wad_info_inventory_user_name_cmp :165 Comparing users example.com/thrilok@example and example.com/thrilok@example
[V]2023-04-27 06:20:26.262687 [p:1038] wad_info_inventory_user_add :1564 adding user example.com/thrilok@example with src ip 10.14.3.178
[V]2023-04-27 06:20:26.262691 [p:1038] wad_info_attr_create_string :73 Adding attribute of type domain name and value example.com
[V]2023-04-27 06:20:26.262699 [p:1038] wad_info_attr_merge :328 Merging the two attributes t=domain name,v=example.com and t=domain name,v=example.com
[V]2023-04-27 06:20:26.262702 [p:1038] wad_info_attr_create_string :73 Adding attribute of type username and value thrilok@example
[V]2023-04-27 06:20:26.262704 [p:1038] wad_info_attr_merge :328 Merging the two attributes t=username,v=thrilok@example and t=username,v=thrilok@example
[V]2023-04-27 06:20:26.262706 [p:1038] wad_info_attr_create_time :87 Adding attribute of type logon time and value 1682586366
[V]2023-04-27 06:20:26.262708 [p:1038] wad_info_attr_merge :328 Merging the two attributes t=logon time,v=1682586366 and t=logon time,v=1682586366
[V]2023-04-27 06:20:26.262710 [p:1038] wad_info_inventory_update_user_ip :1450 Updating user example.com/thrilok@example with ip 10.14.3.178 <-- After the authentication completes, the proxy creates a database entry.
[V]2023-04-27 06:20:26.262713 [p:1038] wad_info_attr_create_string :73 Adding attribute of type sourceip and value 10.14.3.178
[V]2023-04-27 06:20:26.262715 [p:1038] wad_usr_info_proc_msg :1903 user info proc msg ret=1

Above is the log of FortiProxy validating with the FSSO agent.

[V]2023-04-27 06:20:26.264744 [p:1041] wad_authenticated_user_proc_msg_header:1472 msg=RespAdd code=OK seq=12 data_len=0
[I]2023-04-27 06:20:26.264748 [p:1041] wad_authenticated_proc_user_add_resp:712 code=0
[I]2023-04-27 06:20:26.264750 [p:1041][s:550660593][r:2697] wad_inform_req_user_add_notify :669 Reponse Add-User from informer: succ auth_req=0x7f7b6b2046c8
[W]2023-04-27 06:20:26.264754 [p:1041][s:550660593][r:2697] wad_ntlm_user_add_notify :393 auth-st=7 add-auth-st=1
[I]2023-04-27 06:20:26.264759 [p:1041][s:550660593][r:2697] wad_auth_membership_match :1279 grp(FSSO): id=2 type=active-dir member_sz=7; user(THRILOK@EXAMPLE) : type=active-dir ms=0x7f7b6b28b4f8 ms-type=0 member_sz=1
[I]2023-04-27 06:20:26.264763 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=43/CN=Administrator,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264765 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=41/CN=exfortigate,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264766 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=35/CN=Joshi,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264768 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1129 auth_member used =THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264770 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=38/CN=paterson,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264771 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=34/CN=test,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264773 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1129 auth_member used THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264775 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=35/CN=test1,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264776 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1129 auth_member used=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264777 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=37/CN=thrilok,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264779 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1129 auth_member used CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264782 [p:1041][s:550660593][r:2697] wad_usr_collect_usrgrp :2056 Match grp(FSSO): SUCCESS
[I]2023-04-27 06:20:26.264784 [p:1041][s:550660593][r:2697] wad_auth_membership_match :1279 grp(Guest-group): id=1 type=firewall member_sz=1; user(THRILOK@EXAMPLE): type=active-dir ms=0x7f7b6b28b4f8 ms-type=0 member_sz=1
[I]2023-04-27 06:20:26.264788 [p:1041][s:550660593][r:2697] wad_auth_membership_match :1279 grp(SSO_Guest_Users): id=16777215 type=guest member_sz=0; user(THRILOK@EXAMPLE): type=active-dir ms=0x7f7b6b28b4f8 ms-type=0 member_sz=1
[I]2023-04-27 06:20:26.265866 [p:1041][s:550660593][r:2697] wad_http_auth_status_proc :10321 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=success
[V]2023-04-27 06:20:26.265877 [p:1041][s:550660593][r:2697] __wad_hauth_user_node_hold :2244 wad_http_auth_status_proc (10334): holding node 0x7f7b6af3f858
[V]2023-04-27 06:20:26.265920 [p:1041][s:550660593][r:2697] wad_http_authz_line_remove :941 usrnod=0x7f7b6af3f858 user=THRILOK@EXAMPLE auth_line=0x7f7b6af1e3c8
[I]2023-04-27 06:20:26.265924 [p:1041][s:550660593][r:2697] wad_http_authz_line_remove :984 req/user/active/scheme/rem: 0x7f7b6b12b958/THRILOK@EXAMPLE/1/ntlm/1
[I]2023-04-27 06:20:26.265928 [p:1041][s:550660593][r:2697] wad_fast_match_is_enable :3705 fast matching is enabled
[I]2023-04-27 06:20:26.265932 [p:1041][s:550660593][r:2697] __wad_fw_policy_match_user :3883 matched cached grp:FSSO <-- After the authentication and group matched with the FSSO group.

++ Output Omitted++

[V]2023-04-27 06:20:26.253010 [p:1032] wad_informer_server_proc_msg_header:1970 msg=ReqAdd code=OK seq=12 data_len=193
[W]2023-04-27 06:20:26.253019 [p:1032] wad_informer_proc_user_adding :1491 reader: ip=10.14.3.178:55915 vf=0 seq=0 grp_type=1 scheme=2 is_ntlm=0 has_fsae=0 active_auth=1 tp_proxy_auth=0 concur_user=65536 domain=''
[I]2023-04-27 06:20:26.253024 [p:1032] wad_informer_update_user_ext :811 ip=10.14.3.178:55915 name=THRILOK@EXAMPLE from=worker
[I]2023-04-27 06:20:26.253027 [p:1032] wad_informer_find_user_ip_entries :650 find=false(1) vf=0 ip=10.14.3.178:55915 pr=(nil)mapping user_node:0x7f9d099682a8, user_ip:0x7f9d0993f7b8(0), user:0x7f9d099479e8(0).
[I]2023-04-27 06:20:26.253068 [p:1032] wad_informer_find_user_fsae_pr :692 find=false: count=0 vf=0 ip=10.14.3.178:55915
[V]2023-04-27 06:20:26.253075 [p:1032] wad_inform_msg_hdr_get :582 msg=RespAdd code=OK seq=12
[V]2023-04-27 06:20:26.253077 [p:1032] wad_informer_server_proc_msg_header:1970 msg=ReqReport code=OK seq=0 data_len=12
[I]2023-04-27 06:20:26.253079 [p:1032] wad_informer_proc_user_report_number:1344 from worker process: 1041
[I]2023-04-27 06:20:26.253082 [p:1032] wad_informer_proc_calc_total_user :1326 total shared user of all workers: 2
[I]2023-04-27 06:20:26.253084 [p:1032] wad_informer_proc_calc_total_user :1329 vd: 0, user of all workers: 2
[I]2023-04-27 06:20:26.253087 [p:1032] wad_unix_stream_flush_data :595 WAD unix stream stream 0x7f9d09977048 write (1,12) [1032] write [(1,12) (1f 00 00 00 0c 00 00 00 00 00 00 00 )(............)]
[I]2023-04-27 06:20:26.336876 [p:1041][s:550660593] wad_tcp_port_on_connect :2090 TCP connection 0x7f7b6aac51c0 fd=81 connected 10.5.20.107:49590->204.79.197.219:443
[V]2023-04-27 06:20:26.336891 [p:1041][s:550660593] wad_cache_port_connected :1719 session=0x7f7b6ae7f410
[V]2023-04-27 06:20:26.336899 [p:1041][s:550660593][r:2697] wad_http_srv_connected :6299 proto=10 req=0x7f7b6b12b958 tun_non_http=1 expect_tun=0
[V]2023-04-27 06:20:26.336904 [p:1041][s:550660593][r:2697] wad_tcp_port_out_read_block :1020 tcp_port 0x7f7b6aac4f10 fd=80 on=0 n_out_block=1 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2023-04-27 06:20:26.336908 [p:1041][s:550660593][r:2697] wad_tcp_port_out_read_block :1040 tcp_port=0x7f7b6aac4f10 transport on=0
[V]2023-04-27 06:20:26.336911 [p:1041][s:550660593][r:2697] wad_tcp_port_transport_read_block :979 tcp_port 0x7f7b6aac4f10 fd=80 on=0 n_out_block=1 in(/out)_shutdown=0/0 closed=0 events=0x41.
[V]2023-04-27 06:20:26.336914 [p:1041][s:550660593][r:2697] wad_http_msg_strm_resume :1027 strm resumed, execute=wad_http_clt_read_req_line is_clt=1
[W]2023-04-27 06:20:26.336919 [p:1041][s:550660593][r:2697] wad_fw_policy_async_match :5335 no policy to match.
[V]2023-04-27 06:20:26.336921 [p:1041][s:550660593][r:2697] wad_setup_shaping_policy :486 did not match any shaping policy
[V]2023-04-27 06:20:26.336932 [p:1041][s:550660593][r:2697] wad_http_connect_server :6966 http session 0x7f7b6aee5f18 req=0x7f7b6b12b958
[V]2023-04-27 06:20:26.336936 [p:1041][s:550660593][r:2697] wad_http_srv_still_good :6600 srv(0x7f7b6bb6e7a0) nontp(1) dst_type(1)req: dst:204.79.197.219:443, proto:10)hcs: dst:204.79.197.219:443, proto:10)
[I]2023-04-27 06:20:26.336941 [p:1041][s:550660593][r:2697] wad_http_connect_server :7021 [0x7f7b6b12b958] Use old server: 204.79.197.219:443
[V]2023-04-27 06:20:26.336944 [p:1041][s:550660593][r:2697] wad_http_req_conn_svr :8622 http session 0x7f7b6aee5f18 req=0x7f7b6b12b958 connected
[V]2023-04-27 06:20:26.336966 [p:1041][s:550660593][r:2697] wad_http_req_exec_tunnel_convert :4919 hs=0x7f7b6aee5f18 ssl_proc=intercept=pass deep_scan=0 ret=1
[I]2023-04-27 06:20:26.336969 [p:1041][s:550660593][r:2697] wad_dump_fwd_http_resp :2689 hreq=0x7f7b6b12b958 Forward response from Internal:

HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0

Above is the FortiProxy response to the server, which confirms that the proxy was able to connect to the server at msn.com.

After the authentication, validate the user:

# di wad user list

ID: 12, VDOM: root, IPv4: 10.14.3.178
user name : THRILOK@EXAMPLE
worker : 0
duration : 3707 <-- Duration that the user has been authenticated.
auth_type : IP
auth_method : NTLM
pol_id : 3
g_id : 2 <-- Group ID the user is part of.
user_based : 0
expire : no
LAN:
bytes_in=4167157 bytes_out=27528587
WAN:
bytes_in=26727074 bytes_out=4055570