brucemcd
New Contributor

Agentless NTLM proxy authentication LDAP

Hi,

I'm trying to set up agentless NTLM proxy authentication and I've run into a problem. The config appears correct: when testing LDAP authentication in the GUI and CLI, it works. In the CLI, "diagnose test authserver ldap" returns group membership correctly from AD.

The only clue I've found anywhere as to why it's failing when used as an explicit proxy is that "User Events" shows the attempts to authenticate, but the username listed appears to have a domain name added, so it is trying to match a sAMAccountName of "username@domain.local". Does anyone have any idea where to look further on this? I've been through all the KB articles I can find and other posts here without any success.


The same LDAP connection works for admin users logging in. The issue appears to be getting group membership; below are snippets of "diagnose debug application fnbamd" showing it working for an admin login and not working for a login through the explicit proxy.


[2254] handle_req-Rcvd auth req 1146087740 for brucemcd-admin in LDAP-Firewall-admins opt=00014001 prot=10
[406] __compose_group_list_from_req-Group 'LDAP-Firewall-admins'
[614] fnbamd_pop3_start-brucemcd-admin
[341] radius_start-Didn't find radius servers (0)
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1607] fnbamd_ldap_init-search filter is: sAMAccountName=brucemcd-admin
[1616] fnbamd_ldap_init-search base is: DC=domain,DC=local
[40] fnbamd_dns_resolv-DNS req 'DC1.domain.local'
[50] fnbamd_dns_resolv-DNS req ipv6 'DC1.domain.local'
[565] create_auth_session-Total 1 server(s) to try
[208] fnbamd_dns_parse_resp-req 2075: 10.0.0.5
[991] __fnbamd_ldap_dns_cb-Resolved DC1.domain.local(idx 0) to 10.0.0.5
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[941] __ldap_connect-tcps_connect(10.0.0.5) is established.
[815] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'DOMAIN\fortinet'
[860] fnbamd_ldap_send-sending 56 bytes to 10.0.0.5
[872] fnbamd_ldap_send-Request is sent. ID 1
[154] fnbamd_dns_parse_resp-failed to find req-id=2075
[815] __ldap_rxtx-state 4(Admin Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'DN search'
[815] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'DC=domain,DC=local' filter:sAMAccountName=brucemcd-admin
[860] fnbamd_ldap_send-sending 82 bytes to 10.0.0.5
[872] fnbamd_ldap_send-Request is sent. ID 2
[815] __ldap_rxtx-state 12(DN search resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 85
[1083] fnbamd_ldap_recv-Response len: 87, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-entry
[799] fnbamd_ldap_parse_response-ret=0
[1152] __fnbamd_ldap_dn_entry-Get DN 'CN=Bruce mcd admin,OU=N Users,OU=Special Users,DC=domain,DC=local'
[91] ldap_dn_list_add-added CN=Bruce mcd admin,OU=N Users,OU=Special Users,DC=domain,DC=local
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 88
[1083] fnbamd_ldap_recv-Response len: 90, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 88
[1083] fnbamd_ldap_recv-Response len: 90, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 72
[1083] fnbamd_ldap_recv-Response len: 74, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-reference
[799] fnbamd_ldap_parse_response-ret=0
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'User Binding'
[815] __ldap_rxtx-state 5(User Binding)
[437] fnbamd_ldap_build_userbind_req-Trying DN 'CN=Bruce mcd admin,OU=Special Users,DC=domain,DC=local'
[204] __ldap_build_bind_req-Binding to 'CN=Bruce mcd admin,OU=Special Users,DC=domain,DC=local'
[860] fnbamd_ldap_send-sending 146 bytes to 10.0.0.5
[872] fnbamd_ldap_send-Request is sent. ID 3
[815] __ldap_rxtx-state 6(User Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:3, type:bind
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'Attr query'
[815] __ldap_rxtx-state 7(Attr query)
[490] fnbamd_ldap_build_attr_search_req-Adding attr 'MemberOf'
[502] fnbamd_ldap_build_attr_search_req-base:'CN=Bruce mcd admin,OU=N Users,OU=Special Users,DC=domain,DC=local' filter:cn=*
[860] fnbamd_ldap_send-sending 148 bytes to 10.0.0.5
[872] fnbamd_ldap_send-Request is sent. ID 4
[815] __ldap_rxtx-state 8(Attr query resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 2223
[1083] fnbamd_ldap_recv-Response len: 2225, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-entry
[799] fnbamd_ldap_parse_response-ret=0
[503] __get_member_of_groups-Get the memberOf groups.
[527] __get_member_of_groups- attr='MemberOf', found 32 values
[91] ldap_dn_list_add-added CN=CentOSAdmins,CN=Users,DC=domain,DC=local
[537] __get_member_of_groups-val[0]='CN=CentOSAdmins,CN=Users,DC=domain,DC=local'
.... and many more groups


[2254] handle_req-Rcvd auth req 1146087739 for brucemcd@domain.local in opt=0002011b prot=10
[406] __compose_group_list_from_req-Group 'dc1.domain.local'
[614] fnbamd_pop3_start-brucemcd@domain.local
[1041] __fnbamd_cfg_get_ldap_list_by_server-Loading LDAP server 'dc1.domain.local'
[1607] fnbamd_ldap_init-search filter is: (&(userPrincipalName=brucemcd@domain.local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[1616] fnbamd_ldap_init-search base is: DC=domain,DC=local
[40] fnbamd_dns_resolv-DNS req 'dc1.domain.local'
[50] fnbamd_dns_resolv-DNS req ipv6 'dc1.domain.local'
[565] create_auth_session-Total 1 server(s) to try
[208] fnbamd_dns_parse_resp-req 2074: 10.0.0.5
[991] __fnbamd_ldap_dns_cb-Resolved dc1.domain.local(idx 0) to 10.0.0.5
[1059] __fnbamd_ldap_dns_cb-Still connecting.
[154] fnbamd_dns_parse_resp-failed to find req-id=2074
[941] __ldap_connect-tcps_connect(10.0.0.5) is established.
[815] __ldap_rxtx-state 3(Admin Binding)
[204] __ldap_build_bind_req-Binding to 'DOMAIN\fortinet'
[860] fnbamd_ldap_send-sending 56 bytes to 10.0.0.5
[872] fnbamd_ldap_send-Request is sent. ID 1
[815] __ldap_rxtx-state 4(Admin Bind resp)
[903] __fnbamd_ldap_read-Read 8
[1009] fnbamd_ldap_recv-Leftover 2
[903] __fnbamd_ldap_read-Read 14
[1083] fnbamd_ldap_recv-Response len: 16, svr: 10.0.0.5
[764] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[799] fnbamd_ldap_parse_response-ret=0
[882] __ldap_rxtx-Change state to 'DN search'
[815] __ldap_rxtx-state 11(DN search)
[592] fnbamd_ldap_build_dn_search_req-base:'DC=domain,DC=local' filter:(&(userPrincipalName=brucemcd@domain.local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
[860] fnbamd_ldap_send-sending 156 bytes to 10.0.0.5
[872] fnbamd_ldap_send-Request is sent. ID 2
[815] __ldap_rxtx-state 12(DN search resp)
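The two fnbamd traces above differ in the search filter: the admin login looks up sAMAccountName with the bare username, while the explicit-proxy login carries the client-supplied "user@realm" identity and fnbamd builds a userPrincipalName filter with an enabled-account constraint. The following added example (written for this page, not code from the post or from Fortinet) pulls the attribute and value out of "search filter is:" lines, splits a proxy identity into user and realm, and builds both candidate filters with RFC 4515 escaping so each can be tested directly against the DC. The fnbamd lines are constructed samples modelled on the post; the ldapsearch rendering assumes the OpenLDAP client and uses placeholders for host and bind credentials.

```python
import re

# Constructed sample of "diagnose debug application fnbamd" output, modelled on the
# lines quoted in the post; this is not a live capture.
SAMPLE_FNBAMD_LINES = [
    "[2254] handle_req-Rcvd auth req 1146087740 for brucemcd-admin in LDAP-Firewall-admins opt=00014001 prot=10",
    "[1607] fnbamd_ldap_init-search filter is: sAMAccountName=brucemcd-admin",
    "[1616] fnbamd_ldap_init-search base is: DC=domain,DC=local",
    "[2254] handle_req-Rcvd auth req 1146087739 for brucemcd@domain.local in opt=0002011b prot=10",
    "[1607] fnbamd_ldap_init-search filter is: "
    "(&(userPrincipalName=brucemcd@domain.local)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))",
    "[1616] fnbamd_ldap_init-search base is: DC=domain,DC=local",
]

# The filter fnbamd reports, and the first attribute=value pair inside it.
_FILTER_LINE = re.compile(r"search filter is: (?P<filter>.+)$")
_FIRST_PAIR = re.compile(r"([A-Za-z][A-Za-z0-9]*)=([^()]*)")

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a user-controlled value before embedding it in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def extract_search_filters(lines):
    """Return (attribute, value, raw_filter) for every 'search filter is:' line."""
    found = []
    for line in lines:
        m = _FILTER_LINE.search(line)
        if not m:
            continue
        raw = m.group("filter")
        pair = _FIRST_PAIR.search(raw)
        if pair:
            found.append((pair.group(1), pair.group(2), raw))
    return found


def split_proxy_identity(identity):
    """Split a 'user@realm' identity into (user, realm); realm is None when absent."""
    user, sep, realm = identity.partition("@")
    return (user, realm if sep else None)


# Matching rule 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; bit 2 of
# userAccountControl is ACCOUNTDISABLE, so this clause excludes disabled accounts.
# LDAP attribute names are case-insensitive, so it matches fnbamd's spelling.
ENABLED_ONLY = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def candidate_filters(identity):
    """Build the two filters worth testing for one proxy identity:
    the UPN form fnbamd used, and a sAMAccountName form using only the user part."""
    user, realm = split_proxy_identity(identity)
    upn = f"(&(userPrincipalName={escape_filter_value(identity)}){ENABLED_ONLY})"
    sam = f"(&(sAMAccountName={escape_filter_value(user)}){ENABLED_ONLY})"
    return {"userPrincipalName": upn, "sAMAccountName": sam, "realm": realm}


def ldapsearch_command(base_dn, ldap_filter,
                       attrs=("sAMAccountName", "userPrincipalName", "memberOf")):
    """Render an ldapsearch invocation (assumes the OpenLDAP client) to test a filter by hand.
    Host and bind DN are placeholders for the operator to fill in."""
    return ("ldapsearch -H ldaps://<dc-host> -D '<bind-dn>' -W -b '%s' '%s' %s"
            % (base_dn, ldap_filter, " ".join(attrs)))


if __name__ == "__main__":
    for attr, value, _raw in extract_search_filters(SAMPLE_FNBAMD_LINES):
        print(f"fnbamd searched {attr} for {value!r}")
    cands = candidate_filters("brucemcd@domain.local")
    for name in ("userPrincipalName", "sAMAccountName"):
        print(ldapsearch_command("DC=domain,DC=local", cands[name]))
```

Running both rendered ldapsearch commands against the DC shows whether the account is reachable by its userPrincipalName at all (accounts whose UPN suffix differs from the realm the client sends will only match the sAMAccountName form), which is the first thing to rule out before looking at the group-matching step.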
