Technical Tip: Using NTLM as a backup authentication for FSSO in FortiProxy

tthrilok · ‎04-27-2023

Description

This article explains how to configure NTLM as a backup for FSSO on FortiProxy.

Scope

FortiProxy in FortiGate.

Solution

FortiProxy Configuration:

1) Configure an Authentication Scheme as NTLM:

# show full-configuration authentication scheme

# config authentication scheme

edit "NTLM"

set method ntlm

set fsso-agent-for-ntlm "FSSO"

set fsso-guest disable

In the above, FSSO is selected as the agent. FortiProxy uses NTLM authentication from the FSSO agent that has already been integrated.

Below is the FSSO agent configured:

# show user fsso

# config user fsso

edit "FSSO"

set server "10.14.3.113"

set password ENC 1mLVYZTQ2L5iR7r9TAw3WiGhRZsxCtL+MqhfGQomAQQp5c2NiISnVvCFWKX/kzzLhC6yD4nNwd+gUdLxKVYi01EILRMRdgmXqLpZ7hKVi5iadKad5Fo7L6PuBKUjpZX9BvCw4tiMemELWeItmvSnogvSsN6gxxweHa4ulLTPRObDK2BYqaCq2Q==

set ldap-server "LDAP"

It is also possible to select the AD as the NTLM agent.

2) Configure the authentication scheme:

# show authentication rule

# config authentication rule

edit "NTLM"

set srcintf "port2" <-- port2 is the interface on which the NTLM authentication is desired.

set srcaddr "all" <-- A source chosen as required.

set active-auth-method "NTLM" <-- Calls the NTLM authentication scheme configured above.

3) Configuring the policy:

# show firewall policy 3

# config firewall policy

edit 3

set type explicit-web

set name "TEST"

set uuid be1ae90c-b280-51ed-a111-97957e1ed575

set dstintf "port1"

set srcaddr "all"

set dstaddr "all"

set action accept

set schedule "always"

set service "webproxy"

set explicit-web-proxy "web-proxy"

set logtraffic all

set groups "FSSO" <-- FSSO is the group created for FSSO users.

FSSO group

# show user group FSSO

# config user group

edit "FSSO"

set group-type fsso-service

set member "CN=Administrator,CN=Users,DC=example,DC=com" "CN=exfortigate,CN=Users,DC=example,DC=com"

"CN=Joshi,CN=Users,DC=example,DC=com" "CN=paterson,CN=Users,DC=example,DC=com" "CN=test,CN=Users,DC=example,DC=com"

"CN=test1,CN=Users,DC=example,DC=com" "CN=thrilok,CN=Users,DC=example,DC=com"

Next, verify the authentication:

Check if the user is already part of the auth list with below command:

# di wad user list

WAD debug:

[I]2023-04-27 06:20:25.924793 [p:1041][s:550660593][r:2696] wad_dump_http_request :2674 hreq=0x7f7b6b12b958 Received request from client: 10.14.3.178:55915 <-- Request received from the PC, which is not part of FSSO list.

CONNECT msn.com:443 HTTP/1.1
Host: msn.com:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==

[I]2023-04-27 06:20:25.924801 [p:1041][s:550660593][r:2696] wad_http_str_canonicalize :2188 enc=0 path=/ len=1 changes=0
[I]2023-04-27 06:20:25.924807 [p:1041][s:550660593][r:2696] wad_http_conn_req_classify :5851 no security profile HTTPS/HTTP, tport=443
[V]2023-04-27 06:20:25.924810 [p:1041][s:550660593][r:2696] wad_url_match_find :141 Empty url-matcher!
[V]2023-04-27 06:20:25.924812 [p:1041][s:550660593][r:2696] wad_http_req_check_dns :75 hn=0x7f7b6aa08620 sn=0x7f7b6aa08738
[V]2023-04-27 06:20:25.924816 [p:1041][s:550660593][r:2696] wad_http_req_proc_dst :11891 HTTP req=0x7f7b6b12b958 check destination/quarantine ret=0
[V]2023-04-27 06:20:25.924820 [p:1041][s:550660593][r:2696] wad_http_req_check_policy :11516 start match policy vd=0(ses_ctx:cx|Phx|Me|Hh|C|A7|O) (0.0.0.0:0@4->204.79.197.219:443@3) absUrl=1
[I]2023-04-27 06:20:25.924823 [p:1041][s:550660593][r:2696] wad_fast_match_is_enable :3705 fast matching is enabled
[V]2023-04-27 06:20:25.924828 [p:1041][s:550660593][r:2696] wad_fast_match_get_dst_intf :3472 Get key dst intf:1
[V]2023-04-27 06:20:25.924830 [p:1041][s:550660593][r:2696] wad_fast_match_pol_array :3509 Try to maching pol:0, 0/1(pos/sz)
[I]2023-04-27 06:20:25.924833 [p:1041][s:550660593][r:2696] wad_fast_match_pol_array :3539 fw_pol_id=3(pol_ctx:xhcf|Ad|7?|=p) pol_id=0(pflag:H|W|U|A) asyn_in
fo=1
[V]2023-04-27 06:20:25.924835 [p:1041][s:550660593][r:2696] wad_fw_policy_set_check_id :5214 pol_id=3 dev_cked=0 <-- traffic matching the policy ID 3.
[I]2023-04-27 06:20:25.924839 [p:1041][s:550660593][r:2696] wad_http_req_get_user :11029 process=1041 auth-rule=NTLM user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=0x7f7b6b2046c8 auth_line=0x7f7b6af1e1c8 <-- matching the auth-rule NTLM.

++ Output Omitted ++

[I]2023-04-27 06:20:26.008812 [p:1041][s:550660593][r:2696] wad_http_auth_status_proc :10321 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=challenge <-- The firewall initiated the auth challenge to the user machine.
[I]2023-04-27 06:20:26.008817 [p:1041][s:550660593][r:2696] __wad_http_build_replmsg_resp :783 Generating replacement message. 407 error repmsg_id 15

++ Output Omitted ++

[I]2023-04-27 06:20:26.008922 [p:1041][s:550660593][r:2696] wad_dump_fwd_http_resp :2689 hreq=0x7f7b6b12b958 Forward response from Internal: <-- Challenge response sent to the user machine.

HTTP/1.1 407 Proxy authentication required
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAAFgomiaMiGbXAV+WUAAAAAAAAAAKoAqgBGAAAACgA5OAAAAA9FAFgAQQBNAFAATABFAAIADgBFAFgAQQBNAFAATABFAAEAGgBUAEEAQwBIAFkATwBOAC
0ASwBWAE0AMAA5AAQAFgBlAHgAYQBtAHAAbABlAC4AYwBvAG0AAwAyAHQAYQBjAGgAeQBvAG4ALQBrAHYAbQAwADkALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0ABQAWAGUAeABhAG0AcABsAGUALgBjAG8AbQAHAAgA7gZO7
dx42QEAAAAA
Content-Length: 29243

++ Output Omitted ++

[V]2023-04-27 06:20:26.230336 [p:1041] wad_unix_stream_on_read_data :426 WAD unix stream socket 74 read (0,4080)
[1041] read [(0,83) (83 00 00 00 43 00 00 00 36 00 00 00 00 00 00 00 10 00 05 00 26 00 00 00 54 48 52 49 4c 4f 4b 40 45 58 41 4d 50 4c 45 00 43 4e 3d 54 48 52 49 4c 4f
4b 2c 43 4e 3d 55 53 45 52 53 2c 44 43 3d 45 58 41 4d 50 4c 45 2c 44 43 3d 43 4f 4d 00 46 53 53 4f 00 )(....C...6...........&...THRILOK@EXAMPLE.CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM.FSSO.)] <-- Proxy receiving the response with user name.
[I]2023-04-27 06:20:26.230406 [p:1041] wad_fsae_proc_ntlm_result :453 uname=THRILOK@EXAMPLE uname_len=15 grp=CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM grp_len=37 svrname_len=5
[I]2023-04-27 06:20:26.230413 [p:1041] wad_sso_group_parse :183 make membership=0x7f7b6b28b4f8 n_member=1
[member 1 len=37]: CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.230418 [p:1041] wad_fsae_ntlm_notify :445 uname=THRILOK@EXAMPLE ms=0x7f7b6b28b4f8 uname_len=15
[I]2023-04-27 06:20:26.230423 [p:1041] wad_http_auth_update_user_ext2 :2908 updating user. ip: 10.14.3.178, type:IP

++ Output Omitted ++

[V]2023-04-27 06:20:26.262558 [p:1038] wad_usr_info_get_msg :1861 user_info_svr recv msg type:7 size:144, id=0
[V]2023-04-27 06:20:26.262603 [p:1038] wad_info_trigger_add_user_to_book :513 Found user example.com/thrilok@example in book
[V]2023-04-27 06:20:26.262626 [p:1038] wad_ldap_usr_dn_filter :1100 filter=(&(userPrincipalName=thrilok@example)(!(UserAccountControl:1.2.840
.113556.1.4.803:=2)))
[V]2023-04-27 06:20:26.262665 [p:1038] wad_ldap_msg_build :3347 send request message len=351
[V]2023-04-27 06:20:26.262670 [p:1038] wad_ldap_conn_send_req :3799 ldap_conn=0x7fe8d3393938 req=0x7fe8d324b938 msg=0x7fe8d329e6c8.
[V]2023-04-27 06:20:26.262674 [p:1038] wad_ldap_conn_proc_end :3738 ldap_conn=0x7fe8d3393938 proc=1 state=2 good=1
[V]2023-04-27 06:20:26.262677 [p:1038] wad_ldap_request_submit :3925 admin request sendout on conn=0x7fe8d3393938, server:10.14.3.113
[V]2023-04-27 06:20:26.262685 [p:1038] wad_info_inventory_user_name_cmp :165 Comparing users example.com/thrilok@example and example.com/thrilok@example
[V]2023-04-27 06:20:26.262687 [p:1038] wad_info_inventory_user_add :1564 adding user example.com/thrilok@example with src ip 10.14.3.178
[V]2023-04-27 06:20:26.262691 [p:1038] wad_info_attr_create_string :73 Adding attribute of type domain name and value example.com
[V]2023-04-27 06:20:26.262699 [p:1038] wad_info_attr_merge :328 Merging the two attributes t=domain name,v=example.com and t=domain name,v=example.com
[V]2023-04-27 06:20:26.262702 [p:1038] wad_info_attr_create_string :73 Adding attribute of type username and value thrilok@example
[V]2023-04-27 06:20:26.262704 [p:1038] wad_info_attr_merge :328 Merging the two attributes t=username,v=thrilok@example and t=username,v=thrilok@example
[V]2023-04-27 06:20:26.262706 [p:1038] wad_info_attr_create_time :87 Adding attribute of type logon time and value 1682586366
[V]2023-04-27 06:20:26.262708 [p:1038] wad_info_attr_merge :328 Merging the two attributes t=logon time,v=1682586366 and t=logon time,v=1682586366
[V]2023-04-27 06:20:26.262710 [p:1038] wad_info_inventory_update_user_ip :1450 Updating user example.com/thrilok@example with ip 10.14.3.178 <-- After the authentication completes, the proxy creates a database entry.
[V]2023-04-27 06:20:26.262713 [p:1038] wad_info_attr_create_string :73 Adding attribute of type sourceip and value 10.14.3.178
[V]2023-04-27 06:20:26.262715 [p:1038] wad_usr_info_proc_msg :1903 user info proc msg ret=1

Above is the log of FortiProxy validating with the FSSO agent.

[V]2023-04-27 06:20:26.264744 [p:1041] wad_authenticated_user_proc_msg_header:1472 msg=RespAdd code=OK seq=12 data_len=0
[I]2023-04-27 06:20:26.264748 [p:1041] wad_authenticated_proc_user_add_resp:712 code=0
[I]2023-04-27 06:20:26.264750 [p:1041][s:550660593][r:2697] wad_inform_req_user_add_notify :669 Reponse Add-User from informer: succ auth_req=0x7f7b6b2046c8
[W]2023-04-27 06:20:26.264754 [p:1041][s:550660593][r:2697] wad_ntlm_user_add_notify :393 auth-st=7 add-auth-st=1
[I]2023-04-27 06:20:26.264759 [p:1041][s:550660593][r:2697] wad_auth_membership_match :1279 grp(FSSO): id=2 type=active-dir member_sz=7; user(THRILOK@EXAMPLE) : type=active-dir ms=0x7f7b6b28b4f8 ms-type=0 member_sz=1
[I]2023-04-27 06:20:26.264763 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=43/CN=Administrator,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264765 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=41/CN=exfortigate,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264766 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=35/CN=Joshi,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264768 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1129 auth_member used =THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264770 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=38/CN=paterson,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264771 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=34/CN=test,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264773 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1129 auth_member used THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264775 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=35/CN=test1,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264776 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1129 auth_member used=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264777 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1114 comparing grp_member=37/CN=thrilok,CN=Users,DC=example,DC=com auth_member=37/CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264779 [p:1041][s:550660593][r:2697] wad_auth_grp_member_match :1129 auth_member used CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM
[I]2023-04-27 06:20:26.264782 [p:1041][s:550660593][r:2697] wad_usr_collect_usrgrp :2056 Match grp(FSSO): SUCCESS
[I]2023-04-27 06:20:26.264784 [p:1041][s:550660593][r:2697] wad_auth_membership_match :1279 grp(Guest-group): id=1 type=firewall member_sz=1; user(THRILOK@EXAMPLE): type=active-dir ms=0x7f7b6b28b4f8 ms-type=0 member_sz=1
[I]2023-04-27 06:20:26.264788 [p:1041][s:550660593][r:2697] wad_auth_membership_match :1279 grp(SSO_Guest_Users): id=16777215 type=guest member_sz=0; user(THRILOK@EXAMPLE): type=active-dir ms=0x7f7b6b28b4f8 ms-type=0 member_sz=1
[I]2023-04-27 06:20:26.265866 [p:1041][s:550660593][r:2697] wad_http_auth_status_proc :10321 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=success
[V]2023-04-27 06:20:26.265877 [p:1041][s:550660593][r:2697] __wad_hauth_user_node_hold :2244 wad_http_auth_status_proc (10334): holding node 0x7f7b6af3f858
[V]2023-04-27 06:20:26.265920 [p:1041][s:550660593][r:2697] wad_http_authz_line_remove :941 usrnod=0x7f7b6af3f858 user=THRILOK@EXAMPLE auth_line=0x7f7b6af1e3c8
[I]2023-04-27 06:20:26.265924 [p:1041][s:550660593][r:2697] wad_http_authz_line_remove :984 req/user/active/scheme/rem: 0x7f7b6b12b958/THRILOK@EXAMPLE/1/ntlm/1
[I]2023-04-27 06:20:26.265928 [p:1041][s:550660593][r:2697] wad_fast_match_is_enable :3705 fast matching is enabled
[I]2023-04-27 06:20:26.265932 [p:1041][s:550660593][r:2697] __wad_fw_policy_match_user :3883 matched cached grp:FSSO <-- After the authentication and group matched with the FSSO group.

++ Output Omitted++

[V]2023-04-27 06:20:26.253010 [p:1032] wad_informer_server_proc_msg_header:1970 msg=ReqAdd code=OK seq=12 data_len=193
[W]2023-04-27 06:20:26.253019 [p:1032] wad_informer_proc_user_adding :1491 reader: ip=10.14.3.178:55915 vf=0 seq=0 grp_type=1 scheme=2 is_ntlm=0 has_fsae=0 active_auth=1 tp_proxy_auth=0 concur_user=65536 domain=''
[I]2023-04-27 06:20:26.253024 [p:1032] wad_informer_update_user_ext :811 ip=10.14.3.178:55915 name=THRILOK@EXAMPLE from=worker
[I]2023-04-27 06:20:26.253027 [p:1032] wad_informer_find_user_ip_entries :650 find=false(1) vf=0 ip=10.14.3.178:55915 pr=(nil)mapping user_node:0x7f9d099682a8, user_ip:0x7f9d0993f7b8(0), user:0x7f9d099479e8(0).
[I]2023-04-27 06:20:26.253068 [p:1032] wad_informer_find_user_fsae_pr :692 find=false: count=0 vf=0 ip=10.14.3.178:55915
[V]2023-04-27 06:20:26.253075 [p:1032] wad_inform_msg_hdr_get :582 msg=RespAdd code=OK seq=12
[V]2023-04-27 06:20:26.253077 [p:1032] wad_informer_server_proc_msg_header:1970 msg=ReqReport code=OK seq=0 data_len=12
[I]2023-04-27 06:20:26.253079 [p:1032] wad_informer_proc_user_report_number:1344 from worker process: 1041
[I]2023-04-27 06:20:26.253082 [p:1032] wad_informer_proc_calc_total_user :1326 total shared user of all workers: 2
[I]2023-04-27 06:20:26.253084 [p:1032] wad_informer_proc_calc_total_user :1329 vd: 0, user of all workers: 2
[I]2023-04-27 06:20:26.253087 [p:1032] wad_unix_stream_flush_data :595 WAD unix stream stream 0x7f9d09977048 write (1,12) [1032] write [(1,12) (1f 00 00 00 0c 00 00 00 00 00 00 00 )(............)]
[I]2023-04-27 06:20:26.336876 [p:1041][s:550660593] wad_tcp_port_on_connect :2090 TCP connection 0x7f7b6aac51c0 fd=81 connected 10.5.20.107:49590->204.79.197.219:443
[V]2023-04-27 06:20:26.336891 [p:1041][s:550660593] wad_cache_port_connected :1719 session=0x7f7b6ae7f410
[V]2023-04-27 06:20:26.336899 [p:1041][s:550660593][r:2697] wad_http_srv_connected :6299 proto=10 req=0x7f7b6b12b958 tun_non_http=1 expect_tun=0
[V]2023-04-27 06:20:26.336904 [p:1041][s:550660593][r:2697] wad_tcp_port_out_read_block :1020 tcp_port 0x7f7b6aac4f10 fd=80 on=0 n_out_block=1 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2023-04-27 06:20:26.336908 [p:1041][s:550660593][r:2697] wad_tcp_port_out_read_block :1040 tcp_port=0x7f7b6aac4f10 transport on=0
[V]2023-04-27 06:20:26.336911 [p:1041][s:550660593][r:2697] wad_tcp_port_transport_read_block :979 tcp_port 0x7f7b6aac4f10 fd=80 on=0 n_out_block=1 in(/out)_shutdown=0/0 closed=0 events=0x41.
[V]2023-04-27 06:20:26.336914 [p:1041][s:550660593][r:2697] wad_http_msg_strm_resume :1027 strm resumed, execute=wad_http_clt_read_req_line is_clt=1
[W]2023-04-27 06:20:26.336919 [p:1041][s:550660593][r:2697] wad_fw_policy_async_match :5335 no policy to match.
[V]2023-04-27 06:20:26.336921 [p:1041][s:550660593][r:2697] wad_setup_shaping_policy :486 did not match any shaping policy
[V]2023-04-27 06:20:26.336932 [p:1041][s:550660593][r:2697] wad_http_connect_server :6966 http session 0x7f7b6aee5f18 req=0x7f7b6b12b958
[V]2023-04-27 06:20:26.336936 [p:1041][s:550660593][r:2697] wad_http_srv_still_good :6600 srv(0x7f7b6bb6e7a0) nontp(1) dst_type(1)req: dst:204.79.197.219:443, proto:10)hcs: dst:204.79.197.219:443, proto:10)
[I]2023-04-27 06:20:26.336941 [p:1041][s:550660593][r:2697] wad_http_connect_server :7021 [0x7f7b6b12b958] Use old server: 204.79.197.219:443
[V]2023-04-27 06:20:26.336944 [p:1041][s:550660593][r:2697] wad_http_req_conn_svr :8622 http session 0x7f7b6aee5f18 req=0x7f7b6b12b958 connected
[V]2023-04-27 06:20:26.336966 [p:1041][s:550660593][r:2697] wad_http_req_exec_tunnel_convert :4919 hs=0x7f7b6aee5f18 ssl_proc=intercept=pass deep_scan=0 ret=1
[I]2023-04-27 06:20:26.336969 [p:1041][s:550660593][r:2697] wad_dump_fwd_http_resp :2689 hreq=0x7f7b6b12b958 Forward response from Internal:

HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0

Above is the FortiProxy response to the server, which confirms that the proxy was able to connect to the server at msn.com.

After the authentication, validate the user:

# di wad user list

ID: 12, VDOM: root, IPv4: 10.14.3.178
user name : THRILOK@EXAMPLE
worker : 0
duration : 3707 <-- Duration that the user has been authenticated.
auth_type : IP
auth_method : NTLM
pol_id : 3
g_id : 2 <-- Group ID the user is part of.
user_based : 0
expire : no
LAN:
bytes_in=4167157 bytes_out=27528587
WAN:
bytes_in=26727074 bytes_out=4055570

crao · ‎07-10-2023

Very useful.