Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
PaulH
New Contributor

Can't authenticate with alternative domain UPN suffix on Fortiproxy

I recently added a UPN suffix to our domain, and when a user logs into their workstation using the new UPN domain, e.g. user@domain.local, I cannot get the FortiProxy to authenticate the user. I have followed an older write-up on how to strip the domain suffix from the UPN, but I can't get it to work.


I'm running v7.0.7, have configured the Kerberos user and LDAP server and verified it can validate the user (without the UPN suffix), and it works, but I just can't seem to get the FortiProxy to strip the UPN suffix off the user account automatically to authenticate them. I have tried everything from leaving the account-key-filter as the default when created to the existing userPrincipalName value the image shows.


User event logs show either "User failed in authentication" or "User failed in group information query", and I know it has to do with not stripping the UPN suffix, but this is kicking my tail!


Any help would be greatly appreciated!!!

[attachment: ldap config.png]


PaulH
mturic
Staff

Hi Paul,


From what I see, I think you need to change your account-key-filter to filter on sAMAccountName. This would strip the domain suffix from the UPN and search only for your username as a sAMAccountName value.
The only prerequisite for this to work, however, is that your UPN without the domain suffix and your sAMAccountName value are identical in your AD.


config user ldap
    edit xxxxxxx
        set account-key-processing strip
        set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end


You can also check this KB for further reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Strip-domain-strings-from-a-UPN-in-Kerbero...
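The following is an added example, not FortiProxy or Fortinet code and not part of either post above. It models what the two settings in the reply do: account-key-processing decides whether everything from the "@" onward is removed from the login name, and account-key-filter is the LDAP filter into which the resulting name is substituted for %s. The filter is then evaluated against a constructed in-memory directory with a small evaluator for the subset of RFC 4515 the page's filters use. Assumptions: the AD domain/realm is CORP.EXAMPLE.COM and domain.local is the added alternative UPN suffix; the proxy receives the Kerberos principal as user@REALM (alice@CORP.EXAMPLE.COM); the directory entries, attribute values and the FilterParser/lookup helpers are constructed for illustration. The example also covers the prerequisite in the reply (UPN prefix must equal sAMAccountName), the disabled-account exclusion the filter's bitwise clause performs, and RFC 4515 escaping of the substituted name so that a crafted login cannot change the filter structure.

```python
"""Model FortiProxy account-key handling for a Kerberos-authenticated login.

Added example, not FortiProxy/FortiOS code. Models:
  account-key-processing  same | strip   (remove everything from '@' on?)
  account-key-filter      LDAP filter, %s replaced by the processed name
and evaluates the filter against a constructed in-memory directory.
"""
import re

BITAND_OID = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# FortiOS/FortiProxy default filter and the sAMAccountName variant from the reply.
DEFAULT_FILTER = "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
SAM_FILTER = "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed directory (assumption): realm CORP.EXAMPLE.COM, added UPN suffix domain.local.
#   alice: UPN prefix == sAMAccountName  (the reply's prerequisite holds)
#   bob:   UPN prefix != sAMAccountName  (prerequisite violated)
#   carol: account disabled (userAccountControl bit 2 set)
DIRECTORY = [
    {"sAMAccountName": "alice",  "userPrincipalName": "alice@domain.local", "userAccountControl": 512},
    {"sAMAccountName": "rsmith", "userPrincipalName": "bob@domain.local",   "userAccountControl": 512},
    {"sAMAccountName": "carol",  "userPrincipalName": "carol@domain.local", "userAccountControl": 514},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a crafted login cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def account_key(login: str, processing: str) -> str:
    """account-key-processing: 'strip' drops '@suffix', 'same' keeps the login as is."""
    if processing == "strip":
        return login.split("@", 1)[0]
    if processing == "same":
        return login
    raise ValueError(f"unknown account-key-processing {processing!r}")


def build_filter(template: str, login: str, processing: str) -> str:
    """Substitute the processed (and escaped) login for %s in the filter template."""
    return template.replace("%s", escape_filter_value(account_key(login, processing)))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FilterParser:
    """Constructed parser for the subset used here: (&...), (!...), (attr=value)
    and the bitwise-AND extensible match (attr:1.2.840.113556.1.4.803:=n)."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing data after filter")
        return node

    def _expect(self, ch: str) -> None:
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self):
        self._expect("(")
        c = self.s[self.i]
        if c == "&":
            self.i += 1
            parts = []
            while self.s[self.i] == "(":
                parts.append(self._filter())
            node = ("and", parts)
        elif c == "!":
            self.i += 1
            node = ("not", self._filter())
        else:
            end = self.s.index(")", self.i)  # values are escaped, so no raw ')' inside
            attr, value = self.s[self.i:end].split("=", 1)
            self.i = end
            if attr.endswith(":" + BITAND_OID + ":"):
                node = ("bitand", attr[: -len(BITAND_OID) - 2], int(value))
            else:
                node = ("eq", attr, _unescape(value))
        self._expect(")")
        return node


def _attr(entry: dict, name: str):
    # AD attribute names are case-insensitive.
    return next((v for k, v in entry.items() if k.lower() == name.lower()), None)


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    if kind == "eq":  # AD string attributes compare case-insensitively
        v = _attr(entry, node[1])
        return v is not None and str(v).lower() == node[2].lower()
    if kind == "bitand":  # true when every bit in the value is set in the attribute
        return (int(_attr(entry, node[1]) or 0) & node[2]) == node[2]
    raise ValueError(kind)


def lookup(login: str, processing: str, template: str, directory=DIRECTORY):
    """sAMAccountName(s) the proxy would resolve for this login; [] is a failed lookup."""
    node = FilterParser(build_filter(template, login, processing)).parse()
    return [e["sAMAccountName"] for e in directory if matches(node, e)]


if __name__ == "__main__":
    alice = "alice@CORP.EXAMPLE.COM"  # assumed principal delivered to the proxy
    print(lookup(alice, "same", DEFAULT_FILTER))                   # []: UPN suffix != realm
    print(lookup(alice, "strip", SAM_FILTER))                      # ['alice']: the reply's fix
    print(lookup("bob@CORP.EXAMPLE.COM", "strip", SAM_FILTER))     # []: prerequisite violated
    print(lookup("carol@CORP.EXAMPLE.COM", "strip", SAM_FILTER))   # []: disabled account excluded
    print(build_filter(SAM_FILTER, "x*)(objectClass=*", "strip"))  # injection attempt escaped
```

Two things worth checking on a real deployment follow from the example: with "strip", a user whose sAMAccountName differs from the UPN prefix (bob) still fails, which is the prerequisite the reply states; and the `UserAccountControl:1.2.840.113556.1.4.803:=2` clause is what keeps disabled accounts (carol) from authenticating, so it should stay in any custom filter.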
