tk34
New Contributor

NTLM when FSSO hasn't authenticated that user

I've been Google searching for two days now and have read through quite a few Fortinet how-tos. I can't seem to find my answer.

Is the only way to get the FortiGate user authentication screen to appear, for those who use a Mac, Linux, or non-AD PC and whom FSSO hasn't authenticated, by using the explicit proxy?

I've gone to the CLI and enabled NTLM on the policy rule. FSSO is working perfectly, however.

My bigger problem is, as a company we use Firefox. This would mean I have to manually set the proxy on each machine, as it is NOT set to use the system proxy.

100D with 5.2.4.

Fortigate 100D 5.6

FortiAdam
Contributor II

I have accomplished this in the past by creating an authentication policy that references an LDAP group and putting it under my FSSO policy.

tk34
New Contributor

FortiAdam wrote:

I have accomplished this in the past by creating an authentication policy that references an LDAP group and putting it under my FSSO policy.

I have that. If I set source users to the FSSO group on my outbound wan1 policy, it will let authenticated users (by FSSO) out. Those who aren't on a machine that authenticates to AD, it doesn't let out. It just stops them with an untrusted certificate warning. Firefox and Chrome will not let them add an exception as they would normally do. It just says the site is untrusted.

So maybe I am missing a step to get the authentication working.

Fortigate 100D 5.6
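As an added illustration (not configuration from either poster), this is what FortiAdam's suggestion looks like in FortiOS 5.2-style CLI: an FSSO policy first, and underneath it a second policy whose source group is backed by an LDAP server, with NTLM enabled on that fallback policy as the original question describes. It also sets a certificate on the captive portal, since the untrusted-certificate warning tk34 sees on HTTPS redirects comes from the FortiGate presenting its own certificate when it intercepts the session. All names (`lab-ldap`, `LDAP_Fallback`, `FSSO_Filtered`, `portal-cert`, `dc01.example.internal`, the policy IDs) are placeholders, not values from the thread.

```fortios
# Added example, not the posters' configuration. All names below are placeholders.

# 1. LDAP server used by the fallback policy. Plain LDAP on 389 is shown for
#    brevity; in production bind over LDAPS (set secure ldaps / set port 636).
config user ldap
    edit "lab-ldap"
        set server "dc01.example.internal"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=internal"
        set type regular
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=example,DC=internal"
        set password "********"
    next
end

# 2. A firewall-type user group backed by that LDAP server. Membership is
#    checked when the user submits credentials, unlike the FSSO group, whose
#    members are learned passively from the collector/polling.
config user group
    edit "LDAP_Fallback"
        set group-type firewall
        set member "lab-ldap"
    next
end

# 3. Captive-portal settings. A certificate the browsers already trust
#    (imported as "portal-cert" here) removes the untrusted-certificate warning
#    when an HTTPS session is redirected to the login page.
config user setting
    set auth-type http https ftp telnet
    set auth-secure-http enable
    set auth-cert "portal-cert"
    set auth-timeout 480
end

# 4. Policy order matters: the FSSO policy sits above the LDAP fallback.
#    A domain-joined Windows host is matched by policy 10 with no prompt;
#    a Mac/Linux/non-domain host is not in the FSSO group, falls through to
#    policy 11 and is challenged (NTLM for browsers that send it, otherwise the
#    login page). Both policies are identical except for the group and NTLM.
config firewall policy
    edit 10
        set name "Out-FSSO"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Filtered"
        set nat enable
    next
    edit 11
        set name "Out-LDAP-fallback"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAP_Fallback"
        set ntlm enable
        set ntlm-guest disable
        set nat enable
    next
end
```

Two checks worth doing after applying something like this: confirm the LDAP bind and group lookup from the FortiGate itself (`diagnose test authserver ldap lab-ldap <user> <password>`) before blaming the policy, and remember that NTLM in a transparent (non-explicit-proxy) policy only works with browsers that answer the challenge automatically. Firefox, which the original question mentions, does not send NTLM to arbitrary hosts unless the FortiGate's address is listed in its `network.automatic-ntlm-auth.trusted-uris` preference; everything else falls back to the login page on policy 11.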

FortiAdam
Contributor II

Hmm, can you try accessing a non-HTTPS site to force authentication and see what happens?

FortiOS 5 definitely has some issues with showing block or authentication pages over HTTPS. They claim to have addressed this in 5.2.

 

What OS are you running?

tk34
New Contributor

FortiAdam wrote:

Hmm, can you try accessing a non-HTTPS site to force authentication and see what happens?

FortiOS 5 definitely has some issues with showing block or authentication pages over HTTPS. They claim to have addressed this in 5.2.

What OS are you running?

5.2.4, see screenshot.

For a non-HTTPS site it just spins until there is a connection timeout. No login page from the 100D.

So, just so we're clear:

IPv4 policy with an FSSO group listed as source user. SSL certificate inspection enabled. FSSO is working, as I can look at the monitor and see all of the users from AD being listed as authenticated. I can also set the source user to be only the initial group (all the employees minus myself) and they can still access the internet; however, I cannot. So I would assume I would get the login box to put in my domain\username and password to authenticate.

Fortigate 100D 5.6

FortiAdam
Contributor II

Do you have two outgoing authentication policies?  One for FSSO and one for LDAP?

tk34
New Contributor

FortiAdam wrote:

Do you have two outgoing authentication policies?  One for FSSO and one for LDAP?

Under Single Sign-On I have one entry, using the one LDAP connection I have set up. That SSO entry is using polling. On my DC I have the collector running.

Under User Groups I have one group I defined: Filtered. This contains all of the security groups I use, which means every person in the company.

I have this group set up as the source user on both my outbound policies. Meaning a Linux desktop, to me, should in some way be able to authenticate to the FW for outbound web access.

I have been a little confused about how FortiGate really wants this set up. Do you need an LDAP polling entry AND the collector running on the DC? Dunno.

I attached the 

Also, I do very much appreciate your help.

Fortigate 100D 5.6

tk34
New Contributor

FortiAdam wrote:

Do you have two outgoing authentication policies?  One for FSSO and one for LDAP?

So I finally got the firewall to prompt someone to authenticate who wasn't FSSO authenticated. I had to add LDAP users as users on the firewall.

However, the test user I created wouldn't authenticate. I tried the username, domain\username, username@domain... nothing worked.

The one thing I didn't try was ensuring NTLM was enabled on the four outgoing policies (for each WAN I have two policies, one for regular users and one for users that need more freedom).

I'll try that, as I forgot to enable it on the other policies.

Fortigate 100D 5.6

tk34
New Contributor

I added NTLM to each policy ID.

On one instance I was able to get a pop-up window. I entered a username and password and then it tried to take me to the FortiGate authentication page again. The username and password were not accepted.

Since then, and playing around, if I create a user from an AD user and then specify that user on a policy, I can get a FortiGate authentication page. However, the username and password are never accepted. Anyone know why?

Fortigate 100D 5.6