rezendecs
New Contributor

FSSO and NTLM

Hi, about FSSO and NTLM

I read that when NTLM is enabled it will be used if the Collector Agent cannot communicate with Active Directory. I want to know: in a normal situation where the communication between the Collector Agent and Active Directory is OK, but the FortiGate doesn't identify a user authentication by FSSO standard mode, will the FortiGate try to authenticate that user by NTLM? In other words, will NTLM serve as a backup for FSSO standard mode in case of a specific user's authentication failure?

Regards, Claudio Rezende

Claudio Rezende
9 REPLIES
iJake
Contributor

Are you using this as an explicit proxy or IPv4 policy?

......

-Jake

rezendecs
New Contributor

Hi,

IPv4 Policy!

Regards,

Claudio

Claudio Rezende
xsilver_FTNT
Staff

@rezendecs .. iJake is asking because, for example, you can switch the explicit proxy policy to IP-based authentication (default is session-based) and then you can choose:

- a primary (passive) authentication method (in the GUI as "Single Sign-On Method") as FSSO or RSSO, so if the FGT has the user known through either method and the processed traffic's source IP matches one of the allowed users and user groups used in the policy, then the traffic is allowed to pass through without need for user interaction (that's why it's called passive authentication).

- a secondary (active, and in the GUI as "Default Authentication Method"), where you can choose Basic/Digest/NTLM/Form so the user will be prompted for interactive authentication (unless NTLM is used and the user's web browser is set to automatically provide credentials). If NTLM is chosen then the Collector Agent is used to help the FGT process the request and verify the user on the DC.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

iJake
Contributor

You can set NTLM as a fallback for FSSO in IPv4 by enabling it on the rule in the command line. You'll need to make sure the policy has an FSSO user group assigned to it.

config firewall policy
    edit <policy number>
        set ntlm enable
    next
end

As above, explicit proxy would need to be set to IP-based auth, and select NTLM as a secondary authentication method.

......

-Jake

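The two settings described in this thread (NTLM enabled on an IPv4 policy that carries an FSSO group, and an IP-based explicit proxy with FSSO as the passive method and NTLM as the active one) put together as a single worked configuration. This is an added example, not iJake's or Fortinet's own config: the interface names, the group name "FSSO_Users", the collector agent name "collector-1" and address 10.0.0.5, the AD group DN and the policy ids are all placeholders. The explicit proxy part uses the 6.x `authentication scheme` / `authentication rule` syntax (in 5.2 the same choices lived directly on the explicit proxy policy); verify keyword names against the CLI reference for your firmware, and drop the `#` comment lines if you paste into an interactive CLI session.

```fortios
# Constructed example: the collector agent the FortiGate polls for FSSO logons.
config user fsso
    edit "collector-1"
        set server 10.0.0.5                 # placeholder collector agent address
        set port 8000
        set password <collector password>   # placeholder
    next
end

# FSSO group mapped to an AD group reported by the collector agent (DN is constructed).
config user group
    edit "FSSO_Users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=local"
    next
end

# 1) IPv4 policy: FSSO is passive (source IP already mapped to a user by the collector agent).
#    "set ntlm enable" challenges a source IP with no FSSO record instead of silently dropping it.
#    The policy must carry the FSSO group, otherwise "ntlm enable" is rejected.
config firewall policy
    edit 10
        set name "LAN-to-Internet-FSSO"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "FSSO_Users"
        set ntlm enable
        set nat enable
    next
end

# 2) Explicit web proxy: IP-based authentication, FSSO as the SSO (passive) scheme,
#    NTLM as the active scheme. The collector agent verifies the NTLM exchange against AD.
config authentication scheme
    edit "fsso-scheme"
        set method fsso
    next
    edit "ntlm-scheme"
        set method ntlm
        set fsso-agent-for-ntlm "collector-1"
    next
end

config authentication rule
    edit "proxy-users"
        set srcaddr "all"
        set ip-based enable
        set sso-auth-method "fsso-scheme"
        set active-auth-method "ntlm-scheme"
    next
end

# Proxy policy that consumes the authenticated identity.
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO_Users"
    next
end
```

With this in place, a source IP that the collector agent has already reported as logged on matches "FSSO_Users" without any prompt; a source IP with no FSSO entry gets an NTLM challenge, which only works for HTTP traffic from a browser that answers the challenge (silently, if the browser is configured to pass domain credentials). To see which IPs currently have an FSSO mapping before deciding whether NTLM is even being reached, `diagnose debug authd fsso list` on the FortiGate lists the logons learned from the collector agent.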
rezendecs
New Contributor

Hi iJake,

If I enable NTLM inside the policy, will NTLM only be used in case of a total failure of communication between the Collector Agent and the AD, or can it be used in case of an unauthenticated user, even if communication between the Collector Agent and AD is OK?

I ask this because I have an FSSO solution implemented, but sometimes I get problems with unauthenticated users. The idea is to guarantee access to the user even if a problem with logon information happens between the Collector Agent and AD.

Regards,

Claudio

Claudio Rezende
iJake
Contributor

This is just if the AD is unreachable.

I don't know about NTLM as a backup, but you might be able to take advantage of the implicit fall-through Dave Hall mentioned in another thread. Here's an extract from the 5.2 admin guide he found.

......

-Jake

rezendecs
New Contributor

What page of the admin guide is that? The image is so small, I can't read it.

Thanks!!!

Claudio Rezende
dieter

I know it's an old thread, but I'm looking for the same thing.

iJake probably referred to this: https://forum.fortinet.com/tm.aspx?m=121075

Aghiles
New Contributor

Hi,

I have the same problem, is there any solution with FortiOS 6.2 version?

Best regards
