Configuring Single Sign On to Windows AD

On the FortiGate unit, security policies control access to network resources based on user groups. With Fortinet Single Sign On, this is also true but each FortiGate user group is associated with one or more Windows AD user groups. This is how Windows AD user groups get authenticated in the FortiGate security policy.

Fortinet Single Sign On sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate unit.

To configure your FortiGate unit to operate with either a Windows AD or a Novell eDirectory FSSO install, you:

  • Configure LDAP access to the Windows AD global catalog. See Configuring LDAP server access.
  • Configure the LDAP Server as a Single Sign-On server. See Configuring the LDAP Server as a Single Sign-On server.
  • Add Active Directory user groups to FortiGate FSSO user groups. See Creating Fortinet Single Sign-On (FSSO) user groups.
  • Create security policies for FSSO-authenticated groups. See Creating security policies.
  • Optionally, specify a guest protection profile to allow guest access. See Enabling guest access through FSSO security policies.

Configuring LDAP server access

The FortiGate unit needs access to the domain controller’s LDAP server to retrieve user group information.

The LDAP configuration on the FortiGate unit not only provides access to the LDAP server, it sets up the retrieval of Windows AD user groups for you to select in FSSO. The LDAP Server configuration (in User & Device > Authentication > LDAP Servers) includes a function to preview the LDAP server’s response to your distinguished name query. If you already know the appropriate Distinguished Name (DN) and User DN settings, you may be able to skip some of the following steps.

To add an LDAP server – web-based manager:

1. Go to User & Device > Authentication > LDAP Servers and select Create New.

2. Enter the Server IP/Name and Server Port (default 389).

3. In the Common Name Identifier field, enter sAMAccountName. The default common name identifier is cn, which is correct for most LDAP servers; however, some servers use other identifiers such as uid, and Windows AD identifies user accounts by sAMAccountName.

4. In the Distinguished Name field, enter your organization's distinguished name. In this example, the Distinguished Name is dc=techdoc,dc=local.

5. Select Fetch DN; this fetches the directory tree from the Windows AD server so you can confirm the base DN is correct.

6. Set Bind Type to Regular.

7. In the User DN field, enter the administrative account name that you created for FSSO.

For example, if the account is administrator, enter “administrator@techdoc.local”.

8. Enter the administrative account password in the Password field.

9. Optionally select Secure Connection.

  • In the Protocol field, select LDAPS or STARTTLS.
  • In the Certificate field, select the appropriate certificate for authentication. Note that you need to configure the Windows AD for secure connection accordingly.

10. Select OK.

11. Test your configuration by selecting the Test button. A success message confirming that the settings are correct appears.
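The eleven steps above are entered in the web-based manager. The following added example (not Fortinet's code or tooling) models the same fields in Python, checks for the combinations a reviewer would reject before saving (a regular bind with Secure Connection left off, which sends the FSSO account password in clear text; LDAPS on port 389; STARTTLS on 636; a secure mode with no certificate selected), and renders the equivalent FortiOS `config user ldap` block. The host 192.0.2.10, the object name techdoc-ldap and the certificate name TECHDOC-CA are constructed sample values; the CLI keywords are the ones used by `config user ldap` and may differ slightly across FortiOS releases.

```python
"""Model the FortiGate LDAP Server settings, sanity-check them, and render the
equivalent FortiOS CLI block. Added example; not Fortinet's own code."""
from dataclasses import dataclass
from typing import List, Optional

LDAP_PORT = 389    # plain LDAP and STARTTLS
LDAPS_PORT = 636   # LDAP over TLS


@dataclass
class LdapServerSettings:
    name: str                           # object name in the FortiGate config
    server: str                         # Server IP/Name (step 2)
    port: int = LDAP_PORT               # Server Port, default 389 (step 2)
    cnid: str = "sAMAccountName"        # Common Name Identifier (step 3)
    dn: str = "dc=techdoc,dc=local"     # Distinguished Name, base DN (step 4)
    bind_type: str = "regular"          # Bind Type: simple | anonymous | regular (step 6)
    user_dn: Optional[str] = None       # User DN, e.g. administrator@techdoc.local (step 7)
    password: Optional[str] = None      # Password (step 8)
    secure: str = "disable"             # Secure Connection: disable | ldaps | starttls (step 9)
    ca_cert: Optional[str] = None       # Certificate used to verify the AD server (step 9)


def check_settings(s: LdapServerSettings) -> List[str]:
    """Return the problems a reviewer would want fixed before selecting OK."""
    problems: List[str] = []
    if s.bind_type not in ("simple", "anonymous", "regular"):
        problems.append(f"unknown bind type {s.bind_type!r}")
    if s.secure not in ("disable", "ldaps", "starttls"):
        problems.append(f"unknown secure mode {s.secure!r}")
    if s.bind_type == "regular" and not (s.user_dn and s.password):
        problems.append("regular bind needs both User DN and Password")
    if s.bind_type == "regular" and s.secure == "disable":
        problems.append("regular bind without LDAPS/STARTTLS sends the FSSO "
                        "account password in clear text")
    if s.secure == "ldaps" and s.port == LDAP_PORT:
        problems.append(f"LDAPS normally listens on {LDAPS_PORT}, not {LDAP_PORT}")
    if s.secure == "starttls" and s.port == LDAPS_PORT:
        problems.append(f"STARTTLS upgrades a plain LDAP session; use port "
                        f"{LDAP_PORT}, not {LDAPS_PORT}")
    if s.secure != "disable" and not s.ca_cert:
        problems.append("secure connection selected but no certificate chosen "
                        "to verify the AD server")
    if not s.dn.lower().startswith("dc="):
        problems.append("Distinguished Name should be the domain base DN (dc=...,dc=...)")
    return problems


def render_cli(s: LdapServerSettings) -> str:
    """Render the settings as a FortiOS 'config user ldap' block.
    The real password is never echoed; a placeholder is printed instead."""
    lines = [
        "config user ldap",
        f'    edit "{s.name}"',
        f'        set server "{s.server}"',
        f"        set port {s.port}",
        f'        set cnid "{s.cnid}"',
        f'        set dn "{s.dn}"',
        f"        set type {s.bind_type}",
    ]
    if s.bind_type == "regular":
        lines.append(f'        set username "{s.user_dn}"')
        lines.append('        set password "<password>"')
    if s.secure != "disable":
        lines.append(f"        set secure {s.secure}")
        if s.ca_cert:
            lines.append(f'        set ca-cert "{s.ca_cert}"')
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the procedure as written, with Secure Connection left off.
    plain = LdapServerSettings(name="techdoc-ldap", server="192.0.2.10",
                               user_dn="administrator@techdoc.local", password="s3cret")
    # Same settings with step 9 applied: LDAPS on 636 and a CA certificate selected.
    hardened = LdapServerSettings(name="techdoc-ldap", server="192.0.2.10", port=LDAPS_PORT,
                                  user_dn="administrator@techdoc.local", password="s3cret",
                                  secure="ldaps", ca_cert="TECHDOC-CA")
    for label, cfg in (("plain", plain), ("hardened", hardened)):
        print(f"--- {label}: {check_settings(cfg) or 'no problems'}")
        print(render_cli(cfg))
```

Running it prints one finding for the plaintext variant and none for the LDAPS variant, followed by the CLI block for each; the rendered block is what you would compare against `show user ldap` on the FortiGate after saving in the GUI.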
