Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Use Integrated Login Active Directory

Hello, I have set up different user groups and authentication via Active Directory but the users have to type in their name and password even though they are already authenticated in the AD via the windows logon. is there the possibilty to prevent the login query from Fortigate when accessing the internet? Of course it works without authentication but then I do not have different user groups. Thanks in advance, Alex
5 REPLIES 5
UkWizard
New Contributor

The web authentication feature is a freebie which is very VERY basic. Therefore no, you cannot do transparent authentication. To do that you need a proxy server that supports NTLM authentication. I would recommend this, as it also reduces the traffic bandwidth used, thanks to the caching. If you dont want to pay for one, try freeproxy. This supports it, although in a strange manner, but it works.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

Thanks for the quick reply. But could you sketch how the proxy helps with Fortigate authentication if I want users to have different FortiGuard Profiles. Does the proxy contact the FortiGate on different TCP ports depending on authenticated AD usergroup profiles onto which I could assign different FortiGuard profiles? I do have a Fortigate 50A. Thanks, Alex
UkWizard
New Contributor

Ahh, you didnt mention fortiguard earlier. This wouldnt be possible, sorry. But you could restrict access on the proxy itself. I was suggesting using the proxy to control access, then disabling auth on the fortinet altogether. So therefore the fortiguard rules would be the same for everyone. Sorry. If you were a company with this kind of requirement, i would have recommended a decent proxy which supports URL filtering as well. Freeproxy however, support url filtering by entering them in, not by catagories.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

Ok then the users will have to type passwords. I think they are registered in cookies anyway so they will not have to type each time. Background is that I, in the role of the administrator could not download from microsoft because the site was categorized under sports. Just one other question, there is no opportunity to have a restricted access without any password and having to type in a PW only for the less restricted access. I will try to use a local user without pw if possible so in case the cookie gets deleted they only have to hit enter. I do not really see the point of AD access if you still have to type in your username and PW. Even in scenarios with two or three different access profiles one could define three different local users and the user has the same effect of being hindered by another login box. But thanks again for your info, so I do not have to search for a solution in vain. Alex
UkWizard
New Contributor

The authentication is poor, as its only a gimmick feature on the fortinet. Its based on IP address, not cookies. So when a user authenticates, they are basically allowing from there IP they are using, until the " auth timeout" period is reached when the traffic is idle. After that idle " Auth timeout" , they have to reenter it again. And if they log out and someone else logs in within the timeout period, they will have the same access until it expires again when idle. You could also ' borrow' and authenticated users IP address to access the net within the timeout. This is a big problem if you use terminal services especially, as many users come from one address. As you can see, its a gimmick feature.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Top Kudoed Authors