FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 194157
Description

Starting with MR3, FortiOS 3.0 supports integration with an Active Directory (AD) environment that employs NTLM messaging to provide authentication where the Fortinet Server Authentication Extension (FSAE) cannot be employed on all domain controllers. The controller agent must still be installed on at least one domain controller.
Background

The FSAE software is installed on each AD server and the FortiGate unit is configured to communicate with each FSAE client. When a user successfully logs into their Windows PC (and is authenticated by the AD Server), the FSAE client communicates the user's name, IP address, and group login information to the FortiGate unit. The FortiGate unit sets up a temporary access policy for the user, so when they attempt access through the firewall they do not need to re-authenticate. This model works well in environments where the FSAE client can be installed on all AD servers.

In system configurations where it is not possible to install FSAE clients on all AD servers, the FortiGate unit must be able to query the AD servers to find out if a user has been properly authenticated. This is achieved using the NTLM messaging features of Active Directory and Internet Explorer.

Even when NTLM authentication is used, the user is not asked again for their user name and password. Internet Explorer stores the user’s credentials and the FortiGate unit uses NTLM messaging to validate them in the Windows AD environment.

Note: If the authentication reaches the timeout period, the NTLM message exchange restarts.
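To make the NTLM message exchange described above concrete, here is an added Python example, not from this article or from Fortinet, that classifies the NTLM tokens carried in HTTP authentication headers (the bare server challenge and the Type 1, 2 and 3 messages the browser and server exchange) and extracts the domain and user name the client asserts in the final message. The field offsets follow the NTLMSSP message layout; the sample exchange is constructed inline.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # string fields are UTF-16LE when set
STAGES = {0: "challenge-request", 1: "negotiate", 2: "challenge", 3: "authenticate"}

def parse_ntlm_header(header_value: str) -> dict:
    """Classify the token in an HTTP 'NTLM ...' header; for Type 3 also return domain and user."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not token:  # bare 'WWW-Authenticate: NTLM' starts (or restarts) the exchange
        return {"stage": STAGES[0], "type": 0}
    msg = base64.b64decode(token)
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("malformed NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type not in STAGES:
        raise ValueError(f"unknown NTLM message type {msg_type}")
    result = {"stage": STAGES[msg_type], "type": msg_type}
    if msg_type == 3:
        # NegotiateFlags sit at offset 60; a short legacy Type 3 lacks them, so assume Unicode
        flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else NTLMSSP_NEGOTIATE_UNICODE
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
        for key, off in (("domain", 28), ("user", 36)):  # security buffers: Len, MaxLen, Offset
            length, _max_len, buf_off = struct.unpack_from("<HHI", msg, off)
            result[key] = msg[buf_off:buf_off + length].decode(enc)
    return result

def build_type3(domain: str, user: str) -> bytes:
    # Constructed Type 3 (AUTHENTICATE) message with empty responses; sample input only
    dom, usr = domain.encode("utf-16-le"), user.encode("utf-16-le")
    payload = 72  # fixed part: header(12) + 6 security buffers(48) + flags(4) + version(8)
    body = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    body += struct.pack("<HHI", 0, 0, payload) * 2                        # LM and NT responses (empty)
    body += struct.pack("<HHI", len(dom), len(dom), payload)              # DomainName
    body += struct.pack("<HHI", len(usr), len(usr), payload + len(dom))   # UserName
    body += struct.pack("<HHI", 0, 0, payload + len(dom) + len(usr)) * 2  # Workstation, SessionKey
    body += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"\x00" * 8    # NegotiateFlags, Version
    return body + dom + usr

SAMPLE_EXCHANGE = [  # constructed: server challenge, client Type 1, server Type 2, client Type 3
    "NTLM",
    "NTLM " + base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", 1)
                               + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"\x00" * 16).decode(),
    "NTLM " + base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 40)
                               + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"\x11" * 8 + b"\x00" * 8).decode(),
    "NTLM " + base64.b64encode(build_type3("EXAMPLE", "jdoe")).decode(),
]
```

Running `parse_ntlm_header` over `SAMPLE_EXCHANGE` yields the four stages in order; a bare `NTLM` appearing again after a Type 3 is the restart the note above describes.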
Components
  • Microsoft Windows network with Active Directory (AD) servers
  • FortiGate unit
  • Client PCs running Windows operating system and using Internet Explorer
Configuration

To select the NTLM method of user authentication on the FortiGate unit

  1. Go to Firewall > Policy.
  2. Select the Edit icon for the firewall policy you want to modify.
  3. Select Authentication and then select NTLM Authentication from the list.
  4. In the Available Groups list, select the user groups who can authenticate to this firewall policy. Select the right arrow button to move them to the Allowed list.
  5. Select OK.
