Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Only FSSO Agent Authentication working - Issues with NTLM and LDAP

I am having a major headache with our 500D (Formware 5.6.5) and I’m sure it’s some fundamental setting I am missing.


FSSO configured on the Fortigate and FSSO user group pointing to AD user group for internet access. IPv4 Policy setup as follows…..  Source: all+ FSSO Group above and…..  Dest: all     <--  This is working fine, logging IP and AD users!


I have been trying for some time to get an alternative method of authentication to help none domain devices and Apple Macs to get internet access. We just need a pop up box, or web authentication to verify an account to AD. 


So far I have tried;


NTLM authentication via an IPv4 policy (ntlm enabled via CLi) – no pop up box appears. Just fails with a page not found. Without the FSSO or LDAP user group tagged on the rule – the device gets internet.


NTLM, FSSO group and LDAP all tired using both a Transparent and Explicit proxy rules. Again the proxy policies both work fine without user groups - but when they are added I get “Access Denied – The page you requested has been blocked by a firewall policy restriction”

I followed Cookbook recipes such as this one for the above. 


I don’t mind if the device gets a pop up login box, or a web authentication box, but as soon as I introduce a user group, the policy fails.

Am I missing some global setting to allow these other methods of authentication? 


Help would be greatly appreciated.


Thank you for reading.

New Contributor

Hi guys,


  Have a same situation with the same firmware.

Please help.


NTLM Enabled on the FSSO Collector NTLM Enabled on the Policy FSSO Working aprop



Alfonso Pereira.


Hi Alfonso, 


Hope this helps, I ended up raising a ticket with their support. This was their reply. It worked for me. 


Really hope it helps



- You will need to change the groups to the FSSO groups you set up in the firewall proxy policy

- Please add the following authentication schemes :


config authentication scheme

edit "NTLM"

set method ntlm




config authentication rule

edit "NTLM-RULE"

set srcaddr "all"

set ip-based disable

set active-auth-method "NTLM"




- Set the active-auth-scheme to "NTLM"




New Contributor

Sorry I have to respond on an old topic. What do you mean with "You will need to change the groups to the FSSO groups you set up in the firewall proxy policy" ?


And how do you set the active-auth-scheme to "NTLM" ?

Top Kudoed Authors