FortiGate
tthrilok
Staff
Article Id 249592
Description

 

This article explains the basic checks to perform when NTLM authentication fails.

 

Scope

 

FortiGate.

 

Solution

 

When a user accesses a website and is not part of the domain, but should still be authenticated through the FSSO agent on the AD, NTLM can be set up in the policy as a fallback:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-NTLM-as-fallback-for-FSSO/ta-p/...

 

Once NTLM is set up, if authentication is still not successful, perform the following basic checks:

 

1) Using the debug flow, check whether the user traffic matches the policy where FSSO and NTLM are enabled.

2) The user traffic matches the policy, but no NTLM authentication is triggered.

 

Use the following debug:

 

# di de reset

# di de application authd -1

# di de en

 

Once the above commands are run, initiate the traffic and then stop the debug using:

 

# di de di

# di de reset

 

The output will be similar to the following:

 

[authd_http_wait_req:2293]: src 10.131.7.138 flag 00010000
[authd_http_read_http_message:493]: called
[authd_http_is_full_http_message:443]: called
[authd_http_on_method_get:5558]: src 10.131.7.138 flag 00010000
[authd_http_check_local_portal:1837]: src 10.131.7.138 flag 00010000
[authd_http_send_https_redir:4566]: src 10.131.7.138 flag 00010000
[authd_http_prepare_javascript_redir:3875]:http://10.131.4.136:1000/fgtauth?07050b8b9dcdf58e <----- Firewall redirecting the user to an auth page with the token.

 

If the above redirection is visible, the firewall is sending the authentication redirect. If NTLM is still not triggered, make sure TCP ports 1000/1003 are open from the user network to the firewall IP, in case there are other firewalls between the user network and the FortiGate.

 

TCP port 1000 is used for HTTP and TCP port 1003 for HTTPS. These are the default ports; if they have been customized, check the customized ports instead.

 

3) The username and password prompt is visible, but authentication fails.

 

Run the following debugs on the firewall:

 

# di de reset

# di de application authd 8256

# di de en

 

Once the above commands are run, initiate the traffic, and once the username and password have been provided, stop the debug:

 

# di de di

# di de reset

 

Below is a sample output:

 

FG80EP-1 # fsae_io_ctx_process_msg[TEST]: received heartbeat 100005
fsae_io_ctx_process_msg[TEST]: received heartbeat 100006
fsae_send_ntlm_msg[TEST]: tag 0x88, seq 1678185000, msg "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw=="
_process_ntlm_msg[TEST]: tag 0x89, seq 1678185000, msg "TlRMTVNTUAACAAAADgAOADgAAAAFgomi75eXesLF058AAAAAAAAAAKoAqgBGAAAACgA5OAAAAA9FAFgAQQBNAFAATABFAAIADgBFAFgAQGgBUAEEAQwBIAFkATwBOAC0ASwBWAE0AMAA5AAQAFgBlAHgAYQBtAHAAbABlAC4AYwBvAG0AAwAyAHQAYQBjAGgAeQBvAG4ALQBrAHYAbQAwADkALgBlAHgAYQBtAHAAbABlAC4AYwBvAG0ABQAWAGUAeABhAG0AcABsAGUALgBjAG8AbQAHAAgAAqDseN1a2QEAAAAA"
fsae_send_ntlm_msg[TEST]: tag 0x8a, seq 1678185000, msg "..."
_process_ntlm_result[TEST]: tag 0x8b, seq 1678185000, result 1, user THRILOK, domain EXAMPLE, groups "CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM+CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=COM+CN=USERS,CN=BUILTIN,DC=EXAMPLE,DC=COM"

 

'_process_ntlm_result' should be visible; this line carries the result of the NTLM authentication, with the username and group info received from the FSSO agent.

 

In the lab case, the username is THRILOK, and the group info and DNs shared by the FSSO agent are:

 

CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM <----- User DN.

CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=COM <----- Group DN.

CN=USERS,CN=BUILTIN,DC=EXAMPLE,DC=COM <----- Group DN.

 

If 'fsae_send_ntlm_msg' is not visible, the firewall is not able to send the authentication challenge request to the FSSO agent. In this case:

 

Verify that 'Support NTLM authentication' is enabled in the FSSO CA agent on the AD server.

 

In the debugs, TEST is visible:

 

_process_ntlm_msg[TEST]

fsae_send_ntlm_msg[TEST]

_process_ntlm_result[TEST]

 

In all the above debug lines, [TEST] refers to the FSSO agent configuration on the firewall. In this example, the FSSO agent is configured on the firewall with the name TEST.

 

Validating the FSSO agent name in the debugs is useful when multiple FSSO agents are configured on the firewall and the firewall may be sending the authentication to the wrong agent. If that is the case, the FSSO agent to be used for NTLM authentication can be defined in the policy, as below:

 

# config firewall policy

    edit 1

        set ntlm enable
        set fsso-agent-for-ntlm "TEST" <----- 'TEST' is the FSSO agent name in the lab; set it to the actual agent name.

    end
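As an added example (not part of the original article or FortiOS), the following Python parses the NTLM lines of the authd debug output from check 3, decodes each base64 blob to confirm which NTLMSSP message type it carries, and reports how far the exchange with the FSSO agent got together with the check above that applies. The tag roles (0x88/0x8a sent to the agent, 0x89/0x8b replies) and the stage-to-check mapping are the editor's reading of the sample output, and the SAMPLE capture is constructed.

```python
import base64
import re
# Added example: parse the NTLM lines of a 'diagnose debug application authd' capture (tags 0x88/0x8a
# are sent to the FSSO agent, 0x89/0x8b are its replies) and map them onto the checks above.
NTLM_LINE = re.compile(
    r'\w*ntlm\w*\[(?P<agent>[^\]]+)\]: tag 0x(?P<tag>[0-9a-fA-F]+), seq \d+(?:, msg "(?P<msg>[^"]*)")?'
    r'(?:, result (?P<result>\d+), user (?P<user>[^,\s]+), domain (?P<domain>[^,\s]+))?'
    r'(?:, groups "(?P<groups>[^"]*)")?')
SAMPLE = [  # constructed capture in the article's format; the blobs are minimal 12-byte NTLMSSP headers
    'fsae_send_ntlm_msg[TEST]: tag 0x88, seq 1678185000, msg "TlRMTVNTUAABAAAA"',
    '_process_ntlm_msg[TEST]: tag 0x89, seq 1678185000, msg "TlRMTVNTUAACAAAA"',
    'fsae_send_ntlm_msg[TEST]: tag 0x8a, seq 1678185000, msg "TlRMTVNTUAADAAAA"',
    '_process_ntlm_result[TEST]: tag 0x8b, seq 1678185000, result 1, user THRILOK, domain EXAMPLE, groups "CN=THRILOK,CN=USERS,DC=EXAMPLE,DC=COM+CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=COM"',
]

def ntlm_message_type(b64msg):
    """NTLMSSP message type (1 negotiate, 2 challenge, 3 authenticate), or None if not NTLMSSP."""
    try:
        raw = base64.b64decode(b64msg, validate=True)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        raw = b""
    return int.from_bytes(raw[8:12], "little") if raw[:8] == b"NTLMSSP\x00" and len(raw) >= 12 else None

def parse_authd(lines):
    """Return ({tag: details}, {agent names}) for the NTLM lines; heartbeats and other noise are skipped."""
    stages, agents = {}, set()
    for m in filter(None, map(NTLM_LINE.search, lines)):
        g = m.groupdict()
        agents.add(g["agent"])
        entry = {"ntlm_type": ntlm_message_type(g["msg"] or "")}  # None on the result line (no msg)
        if g["result"] is not None:
            entry.update(result=int(g["result"]), user=g["user"], domain=g["domain"])
        if g["groups"] is not None:
            entry["groups"] = g["groups"].split("+")  # '+'-separated DNs from the agent
        stages[int(g["tag"], 16)] = entry
    return stages, agents

def diagnose(lines, expected_agent=None):
    """Return (code, hint); result 1 on tag 0x8b is the success case in the article's sample output."""
    stages, agents = parse_authd(lines)
    if not stages:
        return "no_exchange", "no NTLM lines: re-check policy match, redirect and TCP 1000/1003"
    if expected_agent and expected_agent not in agents:
        return "wrong_agent", f"agent(s) {sorted(agents)} used: set fsso-agent-for-ntlm in the policy"
    if 0x89 not in stages:
        return "no_challenge", "no challenge from agent: enable 'Support NTLM authentication' on the CA agent"
    if (res := stages.get(0x8b)) is None:
        return "no_result", "no NTLM result from agent: collect the agent logs at debug level"
    return ("ok" if res["result"] == 1 else "rejected"), f"{res['domain']}\\{res['user']}: result {res['result']}, {len(res.get('groups', []))} groups"
```

Feed it the lines captured between `di de en` and `di de di`; pass the agent name from the policy as `expected_agent` to catch the multi-agent case.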

 

4) If wrong or unexpected group info is visible, go to the FSSO CA agent on the AD server and collect the logs from the agent.

 

Make sure the logging level is set to 'debug' before the logs are collected, so that detailed information is available:

 

03/20/2023 07:49:00 [ 6092] Package Name: NTLM
03/20/2023 07:49:00 [ 6092] AcceptSecurityContext result = 0x00000000
03/20/2023 07:49:00 [ 6092] NTLM auth passed
03/20/2023 07:49:00 [ 6092] user:thrilok
03/20/2023 07:49:00 [ 6092] workstation:OXYGEN-KVM09
03/20/2023 07:49:00 [ 6092] Domain name not specified by user, try current domain:EXAMPLE.
03/20/2023 07:49:00 [ 6092] ldaplib::ldap_search_s, the number of entries: 1
03/20/2023 07:49:00 [ 6092] DN:CN=thrilok,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] found user CN=thrilok,CN=Users,DC=example,DC=com in the directory, checking group membership...
03/20/2023 07:49:00 [ 6092] member:CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Domain Admins,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Enterprise Admins,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Schema Admins,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Remote Desktop Users,CN=Builtin,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Administrators,CN=Builtin,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] primarygroupID:S-1-5-21-1137974602-3057445812-1867554962-513
03/20/2023 07:49:00 [ 6092] ldaplib::ldap_search_s, the number of entries: 1
03/20/2023 07:49:00 [ 6092] DN:CN=Domain Users,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Domain Users,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Users,CN=Builtin,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Administrators,CN=Builtin,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Remote Desktop Users,CN=Builtin,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Schema Admins,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Denied RODC Password Replication Group,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Enterprise Admins,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Denied RODC Password Replication Group,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Administrators,CN=Builtin,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Domain Admins,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Denied RODC Password Replication Group,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Administrators,CN=Builtin,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] member:CN=Denied RODC Password Replication Group,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Users,CN=Builtin,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] check member for group: CN=Denied RODC Password Replication Group,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] lookup group info for EXAMPLE\thrilok from DC=example,DC=com
03/20/2023 07:49:00 [ 6092] LDAP server not set for domain: EXAMPLE:DC=example,DC=com.
03/20/2023 07:49:00 [ 6092] ad_user_get_groups_str2_s():CN=thrilok,CN=Users,DC=example,DC=com+CN=Users,DC=example,DC=com+CN=Domain Users,CN=Users,DC=example,DC=com+CN=Administrators,CN=Builtin,DC=example,DC=com+CN=Remote Desktop Users,CN=Builtin,DC=example,DC=com+CN=Schema Admins,CN=Users,DC=example,DC=com+CN=Enterprise Admins,CN=Users,DC=example,DC=com+CN=Domain Admins,CN=Users,DC=example,DC=com+CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com+CN=Users,CN=Builtin,DC=example,DC=com+CN=Denied RODC Password Replication Group,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] all groups:CN=thrilok,CN=Users,DC=example,DC=com+CN=Users,DC=example,DC=com+CN=Domain Users,CN=Users,DC=example,DC=com+CN=Administrators,CN=Builtin,DC=example,DC=com+CN=Remote Desktop Users,CN=Builtin,DC=example,DC=com+CN=Schema Admins,CN=Users,DC=example,DC=com+CN=Enterprise Admins,CN=Users,DC=example,DC=com+CN=Domain Admins,CN=Users,DC=example,DC=com+CN=Group Policy Creator Owners,CN=Users,DC=example,DC=com+CN=Users,CN=Builtin,DC=example,DC=com+CN=Denied RODC Password Replication Group,CN=Users,DC=example,DC=com
03/20/2023 07:49:00 [ 6092] sent groups:CN=thrilok,CN=Users,DC=example,DC=com+CN=Domain Users,CN=Users,DC=example,DC=com+CN=Users,CN=Builtin,DC=example,DC=com <----- Groups the agent found the user to be a member of, based on the LDAP query.
03/20/2023 07:49:00 [ 6092] send NTLM_RESULT_MSG, len:176 count:5 <----- NTLM result message is sent to the firewall.
03/20/2023 07:49:00 [ 6092] send_to_FGT() called:sock:1688 sendbuf:ba192940 sendlen:176

 

If the groups do not match properly in the FSSO agent either, verify at the AD end which groups the user is a member of.
