Sandeep_FTNT
Article Id 197608
Description
Agentless NTLM authentication can be configured directly from the FortiGate to the Domain Controller over the SMB protocol; no collector agent is required. This authentication method is only supported for proxy policies. The 'set domain-controller' command is only available when 'method' is set to 'ntlm' and/or 'negotiate-ntlm' is set to 'enable'.

This article describes how to configure this feature.

Solution
This feature must be configured from the CLI using the commands below. An LDAP server must already be configured on the FortiGate, because the domain-controller entry references it ('set ldap-server'):
#config user domain-controller
    edit <name>
        set ip-address <dc-ip>
        set port <port>                  (default: 445)
        set domain-name <dns-name>
        set ldap-server <name>
    next
end

#config authentication scheme
    edit <name>
        set method ntlm
        set domain-controller <dc-setting>
    next
end

#config authentication rule
    edit <name>
        set srcaddr "all"
        set active-auth-method 'ntlm'
    next
end

#config authentication setting
    set active-auth-scheme <select ntlm scheme>
end

#config system dns
    set primary x.x.x.x                  (local DNS server able to resolve the domain name)
    set secondary x.x.x.x
end
Verification:
#diagnose wad user list
ID: 178, IP: 10.120.0.174, VDOM: root
  user name   : SNDP
  duration    : 13
  auth_type   : 1
  auth_method : 2
  pol_id      : 1
  g_id        : 2
  user_based  : 0
  expire      : 593
  LAN:
    bytes_in=45885 bytes_out=55762
  WAN:
    bytes_in=49728 bytes_out=40434

auth_method = 2   <----- means the user has been authenticated with NTLM.
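As an added example that is not part of the Fortinet article, the following Python script parses the output of 'diagnose wad user list' shown above into per-user records and reports which sessions carry auth_method = 2, the value the article identifies as NTLM. The sample output is constructed for the example: the first record is the one from the article, the second is an invented entry with a different auth_method value so that the check has something to flag (what values other than 2 mean is not stated here).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: record 178 is copied from the article, record 179 is invented
# with an auth_method other than 2 so the check below has a non-NTLM session to report.
SAMPLE_OUTPUT = """\
ID: 178, IP: 10.120.0.174, VDOM: root
  user name   : SNDP
  duration    : 13
  auth_type   : 1
  auth_method : 2
  pol_id      : 1
  g_id        : 2
  user_based  : 0
  expire      : 593
  LAN:
    bytes_in=45885 bytes_out=55762
  WAN:
    bytes_in=49728 bytes_out=40434

ID: 179, IP: 10.120.0.200, VDOM: root
  user name   : TESTUSER
  duration    : 40
  auth_type   : 1
  auth_method : 1
  pol_id      : 1
  g_id        : 2
  user_based  : 0
  expire      : 560
  LAN:
    bytes_in=100 bytes_out=200
  WAN:
    bytes_in=300 bytes_out=400
"""

NTLM_AUTH_METHOD = 2  # per the article: auth_method = 2 means the user authenticated with NTLM

HEADER_RE = re.compile(r"^ID:\s*(\d+),\s*IP:\s*(\S+),\s*VDOM:\s*(\S+)\s*$")
FIELD_RE = re.compile(r"^\s+([a-z_ ]+?)\s*:\s*(.*?)\s*$")
COUNTER_RE = re.compile(r"bytes_in=(\d+)\s+bytes_out=(\d+)")


@dataclass
class WadUser:
    """One authenticated proxy user session as listed by 'diagnose wad user list'."""
    id: int
    ip: str
    vdom: str
    fields: dict = field(default_factory=dict)     # e.g. user_name, auth_method, expire
    counters: dict = field(default_factory=dict)   # "LAN"/"WAN" -> (bytes_in, bytes_out)

    @property
    def auth_method(self):
        return int(self.fields.get("auth_method", -1))

    @property
    def is_ntlm(self):
        return self.auth_method == NTLM_AUTH_METHOD


def parse_wad_user_list(text):
    """Split the command output into WadUser records (one per 'ID:' header line)."""
    users = []
    current = None
    section = None  # "LAN" or "WAN" while inside a traffic-counter sub-block
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = WadUser(int(m.group(1)), m.group(2), m.group(3))
            users.append(current)
            section = None
            continue
        if current is None or not line.strip():
            continue
        stripped = line.strip()
        if stripped in ("LAN:", "WAN:"):
            section = stripped[:-1]
            continue
        m = COUNTER_RE.search(line)
        if m and section:
            current.counters[section] = (int(m.group(1)), int(m.group(2)))
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).strip().replace(" ", "_")  # "user name" -> "user_name"
            current.fields[key] = m.group(2)
    return users


def ntlm_users(text):
    """Return the sessions that carry auth_method = 2 (NTLM per the article)."""
    return [u for u in parse_wad_user_list(text) if u.is_ntlm]


def non_ntlm_users(text):
    """Return the sessions whose auth_method is anything other than 2."""
    return [u for u in parse_wad_user_list(text) if not u.is_ntlm]


if __name__ == "__main__":
    for u in parse_wad_user_list(SAMPLE_OUTPUT):
        tag = "NTLM" if u.is_ntlm else "not NTLM (auth_method=%d)" % u.auth_method
        print("ID %d %s %s -> %s" % (u.id, u.ip, u.fields.get("user_name"), tag))
```

Paste the real output of the command in place of SAMPLE_OUTPUT (or feed it on stdin after a small change) to confirm that every session expected to use agentless NTLM shows auth_method = 2; any other value on a proxy-policy session is the first thing to look at if users report being prompted or silently denied.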
