Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

NTLM Authentication

This is a cross post


Currently the FGT is setup with LDAP and I'm able to add admin users to the firewall for authentication for management.  Is there a way, if for example the FGT is, to have end users go to and sign in with their credentials on the FGT in tab 1 of their browser, and then launch tabs 2-5 for instance and the authentication credentials from tab 1 carry over?  So users don't have to authenticate for every website they visit.  I know about FSSO but that's not an option at this point (5 computers all logged in as admin but with 5 different users actively using the computers so it needs to be based on the person who's launching the browser).  I was thinking of enabling NTLM fallback for authentication on all the outbound policies but not sure that correct solution.  Also, how deep would nested groups be supported in this scenario?



not quite sure I do understand the concept of having multiple tabs in same browser and each tab has same user logged in.

But, in general you can have IP based authentication, like FSSO, where whole computer/guest is identified by its' IP and seen logged on user. Source for such (F)SSO data could be domain logon, Syslog/RADIUS Accounting messages, DC Agents, or in case your "computer" is Terminal Server with many users and RDP instances then TS Agent ..  multiple possibilities how to gain logon data. One result -> user and his group membership defining access rights provided with IP address(-es, up to 4) to FortiGate (FGT), which then govern the access accordingly. In this case I would suggest to use standalone Collector Agent on DC/DomainMachine, instead of direct FSSO polling from FGT.
That Collector Agent gather logon data and provide completed data to FGT. And is free of charge.
Next level, much more scalable and advanced (and not just FSSO collector) is FortiAuthenticator, but that's enterprise level paid solution.

Oh, hint - Nested groups are supported in FSSO standalone Collector Agent in so called "Advanced" (not Standard) mode. As those refer to group name format in LDAP (Advanced) which does support nested grouping, or MSFT (Standard) which does not nest at all.

BTW: FortiOS on it's own does support LDAP with nested groups since version 5.6 (settings needed).


Depth .. not quite sure at the moment, but I would not hesitate to call anything more then ~15-20 levels deep a madness :p


Alternative option to IP based authentication is session-based. Like Kerberos (generally "Negotiate" which actually contain both Kerberos and NTLM tokens as possible fallback, Workstation is choosing which one will be used). Possible directly, also as IP based or session-based. Here in Knowledge Base section is plenty of articles on Kerberos and how-to use it for example with "Explicit Proxy".

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors