Created on 11-17-2006 12:00 AM Edited on 01-30-2024 02:30 AM By Kate_M
Description

Starting with MR3, FortiOS 3.0 supports integration with an Active Directory (AD) environment that uses NTLM messaging to provide authentication where the Fortinet Server Authentication Extension (FSAE) cannot be deployed on all domain controllers. The controller agent must still be installed on at least one domain controller.

Background

The FSAE software is installed on each AD server, and the FortiGate unit is configured to communicate with each FSAE client. When a user logs in to their Windows PC and is authenticated by the AD server, the FSAE client sends the user's name, IP address, and group login information to the FortiGate unit. The FortiGate unit sets up a temporary access policy for that user, so the user does not need to authenticate again when accessing resources through the firewall.

This model works well in environments where the FSAE client can be installed on all AD servers. In configurations where the FSAE client cannot be installed on all AD servers, the FortiGate unit must instead query the AD servers to find out whether a user has been properly authenticated. This is achieved using the NTLM messaging features of Active Directory and Internet Explorer. Even when NTLM authentication is used, the user is not asked again for a user name and password: Internet Explorer stores the user's credentials, and the FortiGate unit uses NTLM messaging to validate them against the Windows AD environment.

Note: If the authentication reaches the timeout period, the NTLM message exchange restarts.

Components

Configuration

To select the NTLM method of user authentication on the FortiGate unit
Copyright 2024 Fortinet, Inc. All Rights Reserved.