FSSO and NTLM

rezendecs
2015/03/05 05:10:42 (permalink) 5.2

Hi, about FSSO and NTLM

I read that when NTLM is enabled it will be used if the Collector Agent cannot communicate with Active Directory.
I want to know: in a normal situation where the communication between the Collector Agent and Active Directory is OK, but the FortiGate does not identify a user's authentication via FSSO standard mode, will the FortiGate try to authenticate that user by NTLM?
In other words, will NTLM serve as a backup for FSSO standard mode in case of an authentication failure for a specific user?
 
 
Regards,
Claudio Rezende
#1
    iJake
    Re: FSSO and NTLM 2015/03/05 05:46:44 (permalink)
    Are you using this as an explicit proxy or IPv4 policy?
    #2
    rezendecs
    Re: FSSO and NTLM 2015/03/05 06:08:19 (permalink)
    Hi,

    IPv4 Policy!

    Regards,
    Claudio
    #3
    xsilver_FTNT
    Re: FSSO and NTLM 2015/03/05 06:13:21 (permalink)
    @rezendecs .. iJake is asking because, for example, you can switch an explicit proxy policy to IP-based authentication (the default is session-based) and then you can choose:
    - a primary (passive) authentication method (in the GUI as "Single Sign-On Method") of FSSO or RSSO, so if the FGT already knows the user through either method and the source IP of the processed traffic matches one of the allowed users or user groups used in the policy, then the traffic is allowed to pass through without any need for user interaction (that's why it's called passive authentication).
    - a secondary (active) method (in the GUI as "Default Authentication Method"): you can choose Basic/Digest/NTLM/Form, so the user will be prompted for interactive authentication (unless NTLM is used and the user's web browser is set to automatically provide credentials). If NTLM is chosen then the Collector Agent is used to help the FGT process the request and verify the user on the DC.
    #4
    iJake
    Re: FSSO and NTLM 2015/03/05 06:23:54 (permalink)
    You can set NTLM as a fallback for FSSO in an IPv4 policy by enabling it on the rule in the command line. You'll need to make sure the policy has an FSSO user group assigned to it.

    config firewall policy
    edit (policy number)
    set ntlm enable
    end

    As above, explicit proxy would need to be set to IP-based auth, with NTLM selected as the secondary authentication method.
    post edited by iJake - 2015/03/05 06:29:14
    #5
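    A fuller version of the IPv4 policy iJake outlines, added here as an example; it is not configuration from this thread or from Fortinet's own documentation. It ties together the three pieces the thread mentions: the Collector Agent the FortiGate relies on (and which, as xsilver_FTNT notes, also backs the NTLM exchange), an FSSO-type user group referenced by the policy, and `set ntlm enable` on the policy itself. The agent address 192.0.2.10, the password, the group name "FSSO_Users", the interface names and the AD group DN are placeholders to be replaced with your own values, and the `#` lines are annotations for the reader, not CLI input. `ntlm-guest` is left at its default of disabled so that a user whose NTLM authentication fails is not waved through as a guest.

```fortios
# Added example, not from the thread. Placeholders: 192.0.2.10 (Collector Agent),
# the agent password, "FSSO_Users", interface names and the AD group DN.

# 1. Collector Agent the FortiGate polls for logon events; the same agent is
#    used when the policy falls back to NTLM.
config user fsso
    edit "fsso-collector"
        set server "192.0.2.10"
        set port 8000
        set password "CHANGE_ME"
    next
end

# 2. FSSO-type user group mapped to an AD group learned from the agent.
#    The policy must reference a group of this type for FSSO to apply.
config user group
    edit "FSSO_Users"
        set group-type fsso-service
        set member "CN=Internet Users,OU=Groups,DC=example,DC=com"
    next
end

# 3. IPv4 policy: passive FSSO identification first, with NTLM enabled on the
#    policy as the fallback iJake describes. ntlm-guest stays disabled so a
#    failed NTLM exchange does not fall through to guest access.
config firewall policy
    edit 10
        set comments "LAN to Internet, FSSO with NTLM fallback"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "FSSO_Users"
        set fsso enable
        set ntlm enable
        set ntlm-guest disable
        set nat enable
    next
end
```

    Traffic from a source IP the Collector Agent has already reported as logged on is matched against "FSSO_Users" without any prompt; only traffic the FortiGate cannot attribute to a known user is a candidate for the NTLM exchange, and whether that exchange is offered in the specific failure case Claudio asks about is exactly what the rest of the thread tries to pin down.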
    rezendecs
    Re: FSSO and NTLM 2015/03/05 06:39:53 (permalink)
    Hi iJake,

    If I enable NTLM inside the policy, will NTLM only be used in case of a total communication failure between the Collector Agent and the AD, or can it be used in the case of an unauthenticated user, even if the communication between the Collector Agent and AD is OK?
    I ask this because I have an FSSO solution implemented, but sometimes I get problems with unauthenticated users. The idea is to guarantee access to the user even if a problem with the logon information happens between the Collector Agent and AD.

    Regards,
    Claudio
    #6
    iJake
    Re: FSSO and NTLM 2015/03/05 09:31:57 (permalink)
    This is just if the AD is unreachable.

    I don't know about NTLM as a backup, but you might be able to take advantage of the implicit fall-through Dave Hall mentioned in another thread. Here's an extract from the 5.2 admin guide he found.

    [Attached image: extract from the FortiOS 5.2 admin guide]

    #7
    rezendecs
    Re: FSSO and NTLM 2015/03/05 10:25:59 (permalink)
    Which page of the admin guide is it? The image is so small that I can't read it.

    Thanks!!!
    #8
    dieter
    Re: FSSO and NTLM 2018/09/06 01:51:45 (permalink)
    I know it's an old thread, but I'm looking for the same thing.

    iJake probably referred to this: https://forum.fortinet.com/tm.aspx?m=121075
    #9
    Aghiles
    Re: FSSO and NTLM 2019/07/12 08:43:53 (permalink)
    Hi,

    I have the same problem. Is there any solution with FortiOS version 6.2?

    Best regards
    #10