FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
duenlim (Staff)
Article Id 221620
Description: This article describes how NTLM credentials are validated, and further explains how NTLM works with FortiProxy.
Scope: Agentless NTLM Authentication
Solution
  1. Refer to the guideline for Agentless NTLM configuration:

Configuration examples

NTLM authentication

  2. Bear in mind that when 'test user credentials' is run in the LDAP Server configuration, FortiProxy only sends an LDAP search and an LDAP bind for that user account. This test does not exercise NTLM authentication at all.

Sample LDAP packets captured while running 'test user credentials' in the LDAP Server configuration. The user account is test1.

[Image: duenlim_0-1661305111872.png, LDAP search and bind packets for user test1]

Note: In the capture above, the FortiProxy IP is 10.176.2.91 and the LDAP server IP is 10.176.1.12.

  3. Run the WAD debug below, or take a packet capture, to verify the NTLM authentication.

diagnose wad debug enable category auth
diagnose wad debug enable category policy
diagnose wad debug enable level info
diagnose wad debug show
diagnose wad filter src x.x.x.x    (x.x.x.x = client IP address)

To stop the debug:

diagnose debug disable

diagnose debug reset

Example debug output:

[I][p:1001][s:198724478][r:173550] wad_auth_get_dc_server :240 select server ip:10.176.1.12
[I][p:1001] wad_ntlm_authenticate :303 try agentless NTLM authentication
[I][p:1001] wad_http_auth_status_proc :10221 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=pending
[I][p:1001] wad_fw_policy_async_match :5117 pol_ctx:xhf|Ad|7|=p
[I][p:1001] wad_http_req_check_policy :11489 match policy vd=0 out_if=5 10.176.2.144:50526 -> 23.14.198.78:80
[I][p:1001] wad_hauth_ntlm_smb_notify :135 agentless NTLM authentication challenge: domain(msg2)=''
[I][p:1001] wad_hauth_ntlm_smb_notify :164 agentless NTLM authentication sucessfully <User_Name>:usr_node:(nil) domain(msg3)=''
[I][p:1001] wad_http_auth_update_user_ext2 :2859 updating user. ip: 10.176.2.144, type:IP
[I][p:1001] wad_usr_collect_usrgrp :1864 Match grp(<Group_Name>): SUCCESS
[I][p:1001] wad_auth_membership_match :1274 grp(ff): id=4 type=firewall member_sz=1; user(<User_Name>): type=firewall

The sample packets below were collected while the client accessed http://www.example.com; they carry the NTLM Message Type 1, Type 2 and Type 3 exchange, followed by the proxy's validation of the credentials against the domain controller.
Client IP 10.176.2.173 | Explicit Proxy 10.176.2.91:11980 | Windows domain controller and LDAP 10.172.1.12

Source        Src Port  Destination   Dst Port  Protocol  Length  Info
10.176.2.173  56880     10.176.2.91   11980     HTTP      538     GET http://www.example.com/ HTTP/1.1
10.176.2.91   11980     10.176.2.173  56880     HTTP      5222    HTTP/1.1 407 Proxy authentication required (text/html)

10.176.2.173  56880     10.176.2.91   11980     HTTP      1130    GET http://www.example.com/ HTTP/1.1 , NTLMSSP_AUTH, User: \test2

10.176.2.91   47618     10.176.1.12   445       SMB2      596     Session Setup Request, NTLMSSP_AUTH, User: \test2
10.176.1.12   445       10.176.2.91   47618     SMB2      151     Session Setup Response -> accept-completed

10.176.2.91   40064     10.176.1.12   389       LDAP      344     searchRequest(2) "cn=users,dc=mk1,dc=com" wholeSubtree
10.176.1.12   389       10.176.2.91   40064     LDAP      423     searchResEntry(2) "CN=test2,CN=Users,DC=mk1,DC=com"
10.176.1.12   389       10.176.2.91   40066     LDAP      88      bindResponse(1) success

10.176.2.91   11980     10.176.2.173  56880     HTTP      1076    HTTP/1.1 200 OK (text/html)
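The HTTP legs of this exchange carry the NTLM messages base64-encoded in the Proxy-Authenticate / Proxy-Authorization headers; the Type 3 message is what the proxy forwards to the domain controller in the SMB2 Session Setup above. The following decoder is an added example, not part of this article or of FortiProxy: it identifies the message type from such a header and, for a Type 3 message, extracts the domain, user and workstation the client asserted (the empty domain and user test2 mirror the capture), with `build_type3` constructing a sample token for the demonstration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set, OEM otherwise

def _read_field(msg, pos, unicode_):
    """Decode an NTLM security buffer (Len, MaxLen, Offset) at pos and return its string payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if unicode_ else "latin-1")

def parse_ntlm_header(header_value):
    """Parse a 'Proxy-Authorization: NTLM <base64>' (or Proxy-Authenticate) header value.
    Returns the message type and, for Type 3, the identity fields the client asserted."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM token")
    msg = base64.b64decode(token)
    if msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:          # NEGOTIATE: client advertises its flags
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif msg_type == 2:        # CHALLENGE: proxy returns flags and an 8-byte server challenge
        info["flags"] = struct.unpack_from("<I", msg, 20)[0]
        info["challenge"] = msg[24:32].hex()
    elif msg_type == 3:        # AUTHENTICATE: domain/user/workstation plus the challenge responses
        flags = struct.unpack_from("<I", msg, 60)[0]
        uni = bool(flags & NEGOTIATE_UNICODE)
        info["flags"] = flags
        info["domain"] = _read_field(msg, 28, uni)
        info["user"] = _read_field(msg, 36, uni)
        info["workstation"] = _read_field(msg, 44, uni)
    else:
        raise ValueError("unknown NTLM message type %d" % msg_type)
    return info

def build_type3(domain, user, workstation):
    """Constructed sample Type 3 token for the demo: empty LM/NT responses, UTF-16LE strings, 64-byte header."""
    parts = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    fields, payload, off = b"", b"", 64
    for p in [b"", b""] + parts + [b""]:   # LM, NT, domain, user, workstation, session key
        fields += struct.pack("<HHI", len(p), len(p), off)
        payload += p
        off += len(p)
    msg = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode()
```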