I am working on FortiOS 5.2.3 (latest one) and have configured SSO on it. Now I wanted computers which are not a part of the domain to be prompted for a user/pass login page when they try to access the internet. For this I configured the "set ntlm enable" and "set ntlm-guest enable" commands under the firewall policy.
When I try to access the internet a popup will show up asking for user/pass; once I put in the domain user/pass it will get authenticated and the internet will work. In the FortiGate user section that user will also show up as NTLM-based authentication.
The only problem here is that I want to avoid the popup and want the FortiGate login page instead. I thought this might be some browser problem, so I tried IE, Chrome and Firefox, and on all the same thing comes up and not a login page.
Please guide how to get the login page instead of the popup.
I'm afraid that NTLM will always cause the web browser to trigger a login pop-up window and not a web form.
If you want to have a customized form-based authentication page (a la standard web page with login form), then the only way is the explicit proxy and its policy; with IP-based you would be able to choose the primary auth method (passive) as FSSO, and the secondary (active authentication, which does require user interaction) as form-based, and then you can customize replacement messages to tune up the login form.
Note that the explicit proxy does slow down the overall throughput, as it's a proxy. So the form-based logon possibility has its price.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
xsilver wrote: I'm afraid that NTLM will always cause the web browser to trigger a login pop-up window and not a web form.
If you want to have a customized form-based authentication page (a la standard web page with login form), then the only way is the explicit proxy and its policy; with IP-based you would be able to choose the primary auth method (passive) as FSSO, and the secondary (active authentication, which does require user interaction) as form-based, and then you can customize replacement messages to tune up the login form.
Note that the explicit proxy does slow down the overall throughput, as it's a proxy. So the form-based logon possibility has its price.
Can you please share the config for this?
If you are asking for the config of the explicit proxy, then there is nothing special; just the standard config gives you those opportunities. Check the FortiGate GUI for the explicit proxy firewall policy, or the docs.fortinet.com site for guides.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
xsilver wrote: If you are asking for the config of the explicit proxy, then there is nothing special; just the standard config gives you those opportunities. Check the FortiGate GUI for the explicit proxy firewall policy, or the docs.fortinet.com site for guides.
Hi xsilver,
I have set up my FortiGate as indicated with form-based auth as secondary. When I try to log in with local or AD credentials using the form-based auth I get a "Firewall authentication failed. Please try again." error. What could be the issue?
A user who has authenticated with AD on the workstation is able to access the internet through the proxy.
I hope that this answer still can help you!!!!
Look at the link below.
https://www.linkedin.com/grp/post/1769457-5919733185838600193
Regards,
Claudio
NTLM is never a login page... it is sent from the client, so it will always be this popup.
But don't ask me how to get the login page... I will use/test this only in the near future (never used it before) ;)
When I dealt with NTLM way in the past, it only passed through with IE. Other browsers presented a web dialogue due to the lack of ActiveX, I believe...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Chrome should understand NTLM by default.
Firefox has to be configured for NTLM (have a look at about:config and search for ntlm).
This is not because of the lack of any ActiveX stuff.
Guys, if you still have specific config issues like Ed mentioned, I think the best way is to open a trouble ticket with Fortinet Support, or first check the KB, Cookbooks or guides on docs.fortinet.com. There is almost certainty that someone solved a similar or the very same issue before. Without debug output and configs this debate is just academic.
Regarding NTLM and browser behavior...
MSIE sends an automatic NTLM response to a 401 Authenticate NTLM request if it originates from the local subnet and blocks all others if not configured otherwise.
Other browsers like Firefox (surely) and Chrome (not so sure) have to be configured explicitly to allow and process NTLM for trusted request sources. Otherwise they do not respond and pop up a logon page.
Therefore, with an automatic response to the NTLM request, this method could be transparent authentication; regardless, it is still active authentication requiring the user's/client computer's active participation in the auth process.
If you are looking for a passive, 100% transparent method, then check FSSO, for which the explicit proxy has to be switched from session-based to IP-based auth mode (CLI).
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
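To make the distinction in this thread concrete, here is an added example (not from the thread and not Fortinet code) that classifies a gateway's first HTTP response to an unauthenticated client: a 401/407 carrying a WWW-Authenticate: NTLM challenge is answered by the browser's own credential pop-up, whereas a 200 that delivers an HTML form is the login page the poster wants. The two sample responses are constructed for the example.

```python
"""Predict what a user sees from a gateway's first response: a 401/407 with an
NTLM/Negotiate/Basic/Digest challenge triggers the browser's native dialog."""
import re

# Schemes a browser answers with its own pop-up dialog rather than a web page.
NATIVE_DIALOG_SCHEMES = {"ntlm", "negotiate", "basic", "digest"}
# A scheme is the first token of each comma-separated challenge and is never
# followed by '=', which separates it from parameters such as realm="...".
SCHEME_RE = re.compile(r"(?:^|,)\s*([A-Za-z][\w-]*)(?=[\s,]|$)(?!\s*=)")

# Constructed sample: what the original poster sees with "set ntlm enable".
NTLM_RESPONSE = (b"HTTP/1.1 401 Unauthorized\r\n"
                 b"WWW-Authenticate: NTLM\r\n"
                 b"Content-Length: 0\r\n\r\n")
# Constructed sample: a form-based login (replacement) page served instead.
FORM_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n\r\n"
                 b'<html><body><form method="post" action="/auth">'
                 b'<input name="username"><input name="password" type="password">'
                 b"</form></body></html>")


def parse_challenges(header_value: str) -> list:
    """Return the auth scheme names offered in one (Proxy-)WWW-Authenticate value."""
    return SCHEME_RE.findall(header_value)


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 response into status code, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"status": int(lines[0].split()[1]), "headers": headers,
            "body": body.decode("utf-8", "replace")}


def classify(raw: bytes) -> dict:
    """Decide between a native pop-up, a web login form, a redirect, or nothing."""
    resp = parse_response(raw)
    challenges = [s for h in ("www-authenticate", "proxy-authenticate")
                  for v in resp["headers"].get(h, []) for s in parse_challenges(v)]
    if resp["status"] in (401, 407) and any(c.lower() in NATIVE_DIALOG_SCHEMES for c in challenges):
        behaviour = "native credential pop-up"
    elif re.search(r"<form\b", resp["body"], re.I):
        behaviour = "web login form"
    elif resp["status"] in (301, 302, 303, 307) and "location" in resp["headers"]:
        behaviour = "redirect to " + resp["headers"]["location"][0]
    else:
        behaviour = "no authentication prompt"
    return {"status": resp["status"], "challenges": challenges, "behaviour": behaviour}
```

Feeding the raw bytes of a real response (for example captured with curl -i) into classify() tells you whether the gateway is issuing a challenge the browser will swallow or serving a page.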