Fortiauthenticator settings for Windows Active Directory Domain Authentication

Author
AtiT
2017/02/04 08:13:15 (permalink)

Fortiauthenticator settings for Windows Active Directory Domain Authentication

Hi,
I want to use the Fortiauthenticator to authenticate users from LDAP (remote users) with OTP and also use it for the WiFi username/password authentication.
When the user wants to authenticate via WiFi (FortiAP) I get an error on the Fortiauthenticator:
Remote LDAP user authentication(mschap) with no token failed: remote server supports pap only
 
According to the documentation the Windows Active Directory Domain Authentication should be enabled to authenticate users via Kerberos.
I tried to set this up in the lab but the Fortiauthenticator is not allowed to contact the Windows AD. The security log shows Audit Failure:
Failure Reason: Unknown user name or bad password.
 
How to set up this scenario?
Should I create a Computer account for the Fortiauthenticator - if yes, should it be a member of domain controllers?
Can I use the administrator account or should I create another one with some special privileges?
 
The documentation is not clear to me.
Thank you for any help.

AtiT
--------------------
NSE 8, CCNP R+S
#1


    ergotherego
    Re: Fortiauthenticator settings for Windows Active Directory Domain Authentication 2017/02/09 18:52:45 (permalink)
    "Can I use the administrator account or should I create another one with some special privileges?"
     
    Best to use a "service account" - one just for your FAC. It can have privileges to add new machines to the domain, and this can be limited to a few machine adds to prevent overuse.
     
    "Should I create a Computer account for the Fortiauthenticator"
     
    The AD account you use to join the FAC to the domain should have these permissions, then that will be done automatically. Otherwise you will need to create a new machine object manually.
     
    "if yes it should be member of domain controllers?"
     
    Definitely not. FAC won't "push" any changes to your domain. It just needs the ability to query the domain hierarchy.
    #2
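An added example, not part of any reply in this thread: one way to follow the service-account advice above is to pre-stage the machine object and delegate rights on that single object, so the join account stays an ordinary domain user. The OU, account and computer names are hypothetical, and it is an assumption that the FortiAuthenticator join succeeds against a pre-staged object with only these rights; verify in a lab.

```powershell
# Added example: least-privilege join account for a FortiAuthenticator (FAC).
# All names below are hypothetical placeholders; adjust to your directory.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$OuName   = 'NetworkAuth'            # hypothetical OU for appliance objects
$OuPath   = "OU=$OuName,$DomainDN"
$SvcName  = 'svc-fac-join'           # hypothetical service account
$FacName  = 'FAC01'                  # hypothetical NetBIOS name of the FAC

# 1. Dedicated OU, so the delegation is scoped to one place in the tree.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# 2. Service account: a plain domain user with no admin group membership.
#    The password is prompted for, never stored in the script.
$SvcPassword = Read-Host -AsSecureString "Password for $SvcName"
New-ADUser -Name $SvcName -SamAccountName $SvcName -Path $OuPath `
    -AccountPassword $SvcPassword -Enabled $true `
    -Description 'FortiAuthenticator domain join only'

# 3. Pre-stage the machine object instead of letting the account create it.
#    It is a member of Domain Computers only, never of Domain Controllers.
New-ADComputer -Name $FacName -SamAccountName $FacName -Path $OuPath -Enabled $true

# 4. Grant the service account only the rights commonly delegated for
#    joining a pre-staged computer, and only on this one object.
$Trustee = "$($Domain.NetBIOSName)\$SvcName"
$FacDN   = "CN=$FacName,$OuPath"
dsacls $FacDN /G `
    "${Trustee}:CA;Reset Password" `
    "${Trustee}:WP;Account Restrictions" `
    "${Trustee}:WS;Validated write to DNS host name" `
    "${Trustee}:WS;Validated write to service principal name"

# 5. Review the resulting ACL on the object and the account's group membership.
dsacls $FacDN
Get-ADPrincipalGroupMembership -Identity $SvcName | Select-Object Name
```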
    TKucera
    Re: Fortiauthenticator settings for Windows Active Directory Domain Authentication 2017/06/19 07:18:34 (permalink)
    Can anybody tell me exactly what rights that service account needs (domain user or domain computer?), in case I create the computer object manually?
    #3
    sandytechie
    Re: Fortiauthenticator settings for Windows Active Directory Domain Authentication 2019/08/19 06:51:03 (permalink)
    Did you get any solution? We are facing the same issue.
     
    We are getting the CANT CONNECT TO NETWORK error on our WiFi; proper configuration is done.
     
    Any solution?
    #4