LDAP / NTLM authentication with explicit proxy

James_G · ‎09-10-2018

Does anyone have a simple guide to setting up LDAP / NTLM authentication with explicit proxy, without agents or DC polling, using per session HTTP authentication as documented here: https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-WAN-opt/web_proxy.htm

PS this unit is running FortiOS 6.0.2

In my mind should be simple - but I'm struggling on this one :(

James_G · ‎09-10-2018

What I am trying to achieve is as documented here - http://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-authentication/FSAE.htm

All I need is NTLM auth to explicit proxy, no other SSO

Agentless NTLM support

Agentless NTLM authentication can be configured directly from the FortiGate to the Domain Controller via SMB protocol (no agent is required).

Note that this authentication method is only supported for proxy policies.

Syntax

Note that domain-controller is only available when method is set to ntlm and/or negotiate-ntlm is set to enable.

config authentication scheme

edit <name>

set method ntlm

set domain-controller <dc-setting>

config user domain-controller

edit <name>

set ip-address <dc-ip>

set port <port> - default = 445

set domain-name <dns-name>

set ldap-server <name>

blackhole_route · ‎10-13-2018

Yes - I do have this working and can reference my configs to get all the details if you are still having trouble with this.

IIRC, you also need to define authentication rules to select the auth scheme and backend domain controller for the traffic. And then ldap to query for group memberships after the user authenticates via ntlm.

LDAP / NTLM authentication with explicit proxy

Nominate a Forum Post for Knowledge Article Creation

Agentless NTLM support

Syntax

You are leaving our website