FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
duenlim
Staff
Article Id 221620
Description This article describes how NTLM credentials are validated and further explains how agentless NTLM authentication works with FortiProxy.
Scope Agentless NTLM Authentication
Solution

1) Refer to the guidelines for agentless NTLM configuration:

https://docs.fortinet.com/document/fortiproxy/2.0.2/fortiproxy-authentication-guide/314108/configura...

https://docs.fortinet.com/document/fortiproxy/2.0.2/fortiproxy-authentication-guide/20531/authentica...

2) Bear in mind that when 'test user credentials' is run in the LDAP Server configuration, FortiProxy sends an LDAP search and an LDAP bind for that particular user account. This test does not exercise NTLM authentication.

Sample LDAP packets captured while running 'test user credentials' in the LDAP Server configuration. The user account is test1.

[Packet capture screenshot: LDAP search and bind for user test1]

Note: In the packet example above, the proxy IP is 10.176.2.91 and the LDAP server IP is 10.176.1.12.

 

3) Run the WAD debug below, or take a packet capture, to verify the NTLM authentication:

# diagnose wad debug enable category auth
# diagnose wad debug enable category policy
# diagnose wad debug enable level info
# diagnose wad debug show
# diagnose wad filter src x.x.x.x  {Client IP address}

 

Example debug output:

[I][p:1001][s:198724478][r:173550] wad_auth_get_dc_server :240 select server ip:10.176.1.12
[I][p:1001] wad_ntlm_authenticate :303 try agentless NTLM authentication
[I][p:1001] wad_http_auth_status_proc :10221 ses_ctx: ses_ctx:cx|Phx|Me|Hh|C|A7|O authenticate result=pending
[I][p:1001] wad_fw_policy_async_match :5117 pol_ctx:xhf|Ad|7|=p
[I][p:1001] wad_http_req_check_policy :11489 match policy vd=0 out_if=5 10.176.2.144:50526 -> 23.14.198.78:80
[I][p:1001] wad_hauth_ntlm_smb_notify :135 agentless NTLM authentication challenge: domain(msg2)=''
[I][p:1001] wad_hauth_ntlm_smb_notify :164 agentless NTLM authentication sucessfully <User_Name>:usr_node:(nil) domain(msg3)=''
[I][p:1001] wad_http_auth_update_user_ext2 :2859 updating user. ip: 10.176.2.144, type:IP
[I][p:1001] wad_usr_collect_usrgrp :1864 Match grp(<Group_Name>): SUCCESS
[I][p:1001] wad_auth_membership_match :1274 grp(ff): id=4 type=firewall member_sz=1; user(<User_Name>): type=firewall

 

The sample packets below were collected while accessing http://www.example.com and contain the NTLM message type 1, type 2 and type 3.
Client IP 10.176.2.173 | Explicit Proxy 10.176.2.91:11980 | Windows domain controller and LDAP 10.172.1.12

 

Source Src Port Destination Dst Port Protocol Length Info
10.176.2.173 56880 10.176.2.91 11980 HTTP 538 GET http://www.example.com/ HTTP/1.1
10.176.2.91 11980 10.176.2.173 56880 HTTP 5222 HTTP/1.1 407 Proxy authentication required (text/html)

 

10.176.2.173 56880 10.176.2.91 11980 HTTP 1130 GET http://www.example.com/ HTTP/1.1 , NTLMSSP_AUTH, User: \test2

 

10.176.2.91 47618 10.176.1.12 445 SMB2 596 Session Setup Request, NTLMSSP_AUTH, User: \test2
10.176.1.12 445 10.176.2.91 47618 SMB2 151 Session Setup Respons -> accept-completed

 

10.176.2.91 40064 10.176.1.12 389 LDAP 344 searchRequest(2) "cn=users,dc=mk1,dc=com" wholeSubtree
10.176.1.12 389 10.176.2.91 40064 LDAP 423 searchResEntry(2) "CN=test2,CN=Users,DC=mk1,DC=com"
10.176.1.12 389 10.176.2.91 40066 LDAP 88 bindResponse(1) success

 

10.176.2.91 11980 10.176.2.173 56880 HTTP 1076 HTTP/1.1 200 OK (text/html)
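The 'NTLMSSP_AUTH, User: \test2' text in the capture above and the domain(msg3)='' in the WAD debug both come from the NTLM type 3 (AUTHENTICATE) message that the client places in its Proxy-Authorization header after receiving the 407. The following added example, which is not FortiProxy code and not part of the article, decodes such a header offline: it classifies the message type and, for type 3, reads the domain, user and workstation fields, so an administrator can confirm which identity the client presented before the proxy relayed it to the domain controller over SMB2. The NTLMSSP layout used here (8-byte signature, little-endian message type, 8-byte field descriptors, NEGOTIATE_UNICODE flag 0x1) is the one published in MS-NLMP; the sample messages, the build_authenticate helper and the user name are constructed for the example.

```python
"""Decode NTLMSSP messages carried in HTTP 'Proxy-Authorization: NTLM <base64>' headers.

Added example (not FortiProxy or Fortinet code). It identifies the NTLM message
type (1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE) and, for type 3, pulls out the
domain, user and workstation the client presented, which a capture summary
shows as 'NTLMSSP_AUTH, User: \\test2'.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001      # string fields are UTF-16LE when set
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTH"}


def ntlm_message_type(raw: bytes) -> int:
    """Return the MessageType field of an NTLMSSP blob (1, 2 or 3)."""
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", raw, 8)[0]


def _field(raw: bytes, descriptor_offset: int) -> bytes:
    """Resolve an 8-byte (Len, MaxLen, BufferOffset) descriptor to the payload bytes it points at."""
    length, _max_len, buf_off = struct.unpack_from("<HHI", raw, descriptor_offset)
    if buf_off + length > len(raw):
        raise ValueError("field points outside the message")
    return raw[buf_off:buf_off + length]


def parse_authenticate(raw: bytes) -> dict:
    """Extract the identity fields of a type 3 (AUTHENTICATE) message."""
    if ntlm_message_type(raw) != 3 or len(raw) < 64:
        raise ValueError("not a complete AUTHENTICATE message")
    flags = struct.unpack_from("<I", raw, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {
        "domain": _field(raw, 28).decode(enc),        # DomainNameFields
        "user": _field(raw, 36).decode(enc),          # UserNameFields
        "workstation": _field(raw, 44).decode(enc),   # WorkstationFields
        "nt_response_len": len(_field(raw, 20)),      # NtChallengeResponseFields
    }


def describe_proxy_authorization(header_value: str) -> str:
    """Summarize a Proxy-Authorization header value the way a capture 'Info' column does."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return f"non-NTLM scheme: {scheme}"
    raw = base64.b64decode(blob)
    mtype = ntlm_message_type(raw)
    if mtype == 3:
        ident = parse_authenticate(raw)
        return f"NTLMSSP_AUTH, User: {ident['domain']}\\{ident['user']}"
    return f"NTLMSSP_{MESSAGE_NAMES.get(mtype, str(mtype))}"


def build_authenticate(user: str, domain: str = "", workstation: str = "PC1") -> bytes:
    """Build a constructed type 3 message for testing. The challenge responses are
    zero-filled dummies, so this blob cannot authenticate anywhere; it only has the
    right layout for the parser above (hypothetical helper, not a real client)."""
    enc = "utf-16-le"
    payload = [bytes(24), bytes(24),                  # Lm/NtChallengeResponse (dummy)
               domain.encode(enc), user.encode(enc), workstation.encode(enc),
               b""]                                   # EncryptedRandomSessionKey (absent)
    header_len = 64                                   # fixed part without Version/MIC
    descriptors, offset = b"", header_len
    for part in payload:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
              + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE))
    return header + b"".join(payload)


# Constructed samples: a bare type 1, and a type 3 for user test2 with an empty domain,
# matching the 'User: \test2' and "domain(msg3)=''" seen in the article's capture and debug.
SAMPLE_TYPE1_HEADER = "NTLM " + base64.b64encode(
    NTLMSSP_SIGNATURE + struct.pack("<I", 1) + bytes(20)).decode()
SAMPLE_TYPE3_HEADER = "NTLM " + base64.b64encode(build_authenticate("test2")).decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_TYPE1_HEADER, SAMPLE_TYPE3_HEADER):
        print(describe_proxy_authorization(hdr))
```

An empty domain in the type 3 message is exactly what the debug line domain(msg3)='' reports; when the proxy forwards that message to the domain controller in the SMB2 Session Setup Request, the controller resolves the user in its own domain, which is why the capture still shows the LDAP searchResEntry for CN=test2,CN=Users,DC=mk1,DC=com afterwards.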
