Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

NTLM enabled policy not prompting for login credentials



Fortigate 500D Firmware 5.6.5

We have an AD network with the FSSO Collector monitoring DCs (Agent mode)

FSSO configured on the FTG and FSSO user group pointing to AD user group for internet access.

IPv4 Policy setup Source: all+ FSSO Group above, Dest: all - this is working fine. Users get internet access, and appear in the Logs. 


We also have some Macs which we want to authenticate through the browsers, so via the CLI I've enabled "ntlm", "ntlm-guest" and "ntlm-enable-browsers" on the above policy, but no login prompt is appearing in any browser, no matter what I try. The Macs' IPs just hit the DENY rule in the logs. I've tried with a non-domain Windows PC too - same issue.


Have I configured something wrong? Am I missing something? I've been scratching my head over this for a couple of days now; any help would be appreciated.


Thanks for reading.


Hi Rob 


On the CLI, where do you enable NTLM? Is it under the authentication scheme, or where?


I don't know about the IPv4 policy case, but I deployed proxy authentication on v6.0.2, and for browser-based authentication you have to disable the ip-based setting in the authentication rule.


i.e.

    config authentication rule
        edit <rule-name>
            set ip-based disable
    end


This way, after defining the proxy policy, you get browser-based authentication and the prompt for user credentials.




Hi, and thank you for replying. 


I've enabled ntlm on the firewall policy (config firewall policy) 


I'm still not 100% clear as to whether what I am trying to do is possible on the IPv4 rules.






As your concern is browser-based authentication, this can be fulfilled by setting up the Explicit web proxy feature.


Prepare the proxy setup and configs on the CLI using the authentication rule, scheme and setting, then add the proxy in the browser. In the authentication scheme use the ntlm method, and disable ip-based in the authentication rule.


You'll get the prompt, and it will be browser-based, so after closing and re-opening the browser you'll get the prompt again.
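As an added example (not a configuration posted in this thread, and not taken from Fortinet documentation), here is the explicit-proxy setup the reply above describes, written out as FortiOS CLI in the 5.6/6.0 syntax as best recalled. The interface names port1 and wan1, the proxy port 8080, the scheme and rule names, the FSSO agent name "collector-agent" (assumed to be the name defined under config user fsso) and the group "FSSO-Internet-Users" are all assumptions and must be replaced with the real objects:

```fortios
# Added example, not from the thread. Enable the explicit web proxy on the
# LAN-facing interface (port1 is an assumption).
config system interface
    edit "port1"
        set explicit-web-proxy enable
    next
end

# Turn the explicit proxy on; browsers are then pointed at <port1-ip>:8080.
config web-proxy explicit
    set status enable
    set http-port 8080
end

# Active authentication scheme: NTLM, with the challenge answered via the
# FSSO Collector agent ("collector-agent" is an assumed name).
config authentication scheme
    edit "ntlm-scheme"
        set method ntlm
        set fsso-agent-for-ntlm "collector-agent"
    next
end

# Authentication rule: ip-based disabled, so the challenge is tied to the
# browser session rather than to the source IP (the setting the reply names).
config authentication rule
    edit "ntlm-rule"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "ntlm-scheme"
    next
end

# Proxy policy that only members of the FSSO group may use
# (wan1 and the group name are assumptions).
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO-Internet-Users"
    next
end
```

Two practical caveats. Because the rule is not IP-based, the proxy re-challenges each new browser session, which is the re-prompt after closing the browser that the reply mentions; with ip-based left enabled, one successful login would instead be cached against the source IP and shared by everything behind it. And the client side of the NTLM exchange runs over the plain-HTTP proxy connection, unlike FSSO, where no credentials ever pass through the FortiGate, so this path only makes sense on a trusted LAN segment.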


Hi again,


Is there no way to do this without configuring a proxy server on each of the workstations browsers? This is something we definitely wanted to avoid. 


Thanks again




You can push the proxy setting to the AD machines using a GPO too.


Or you can integrate your Macs with AD; then you can also control the Macs' traffic using SSO.


For the IPv4 policies I don't know; maybe they have a method for it too.


I tried it and it works.


Just re-create the authentication rules and authentication scheme, then the problem will be resolved.

