Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
James_G
Contributor III

LDAP / NTLM authentication with explicit proxy

Does anyone have a simple guide to setting up LDAP / NTLM authentication with explicit proxy, without agents or DC polling, using per session HTTP authentication as documented here: https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-WAN-opt/web_proxy.htm

 

PS this unit is running FortiOS 6.0.2

 

In my mind should be simple - but I'm struggling on this one :(

2 REPLIES 2
James_G
Contributor III

What I am trying to achieve is as documented here - http://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-authentication/FSAE.htm

 

All I need is NTLM auth to explicit proxy, no other SSO

Agentless NTLM support

Agentless NTLM authentication can be configured directly from the FortiGate to the Domain Controller via SMB protocol (no agent is required).

Note that this authentication method is only supported for proxy policies.

Syntax

Note that domain-controller is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.

config authentication scheme

edit <name>

set method ntlm

set domain-controller <dc-setting>

next

end

 

config user domain-controller

edit <name>

set ip-address <dc-ip>

set port <port> - default = 445

set domain-name <dns-name>

set ldap-server <name>

next

end

blackhole_route

Yes - I do have this working and can reference my configs to get all the details if you are still having trouble with this.

IIRC, you also need to define authentication rules to select the auth scheme and backend domain controller for the traffic. And then ldap to query for group memberships after the user authenticates via ntlm.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors