Fortigate FSSO AD Collector Method WITH Agent

...

  1. Time to configure the FortiGate. Log in and go to the appropriate VDOM.
  2. Optional but HIGHLY recommended: under the VDOM go to config user setting and then set "set auth-on-demand
  3. Go to User & Device.
  4. Make sure "NewREMC1Sha2-CA" is selected for the certificate.
  5. Make sure (via the CLI) that auth-ca-cert is set to "NewREMC1Sha2-CA".
  6. SSH to the FortiGate → config vdom → edit vdomnamehere → config user setting → set auth-ca-cert "NewREMC1Sha2-CA" (yes, both certs must be set to this, per Fortinet instructions in a ticket I had with them).
  7. Click the User section → User & Device → LDAP Servers.

  8. Create New (button at the top left).
  9. Name it after your server's FQDN (e.g. file1.remc1.adremc1.org).
  10. Server Port: 389 by default (the REMC1 standard is LDAPS on 636, so use that).
  11. Common Name Identifier: switch to sAMAccountName.
  12. For Distinguished Name just use the base of your domain. You can narrow it later if you really want, but it's not necessary. E.g.: dc=remc1,dc=adremc1,dc=org
  13. Bind Type: Regular.
  14. Username: MAKE A NEW USER IN YOUR AD INFRASTRUCTURE. The REMC1 standard is district abbreviation + FSSO, e.g. remc1fsso. Give it domain admin (easy) or just the rights to authenticate against your whole domain OU structure (more complicated; not covered here).
  15. DO NOT use administrator for the previous step. If you have to change its password (and you should, on a schedule) the FortiGate stays disconnected until you update it there too. You should never tie administrator to services.
  16. If you are connecting via LDAPS (RECOMMENDED, and the REMC1 standard; otherwise everything flows in plain text) click the "Secure Connection" switch.
  17. Here you need to select your server's CA certificate. The FortiGate needs to trust your server's certificate, so it needs your CA (certificate authority) public cert uploaded and selected here. REMC1 may have to do this for you. If you don't have a CA (you should...) then use unsecured/normal LDAP on port 389. You should add a CA.
  18. Click the OK button. Now you can go back in and click the "Test Connectivity" button.
  19. Add any more LDAP servers you might have.
  20. Go to User & Device → Single Sign-On.
  21. Click the Create New button at the top of the right pane. (If you're adding a second collector/FSSO agent, edit the already-existing Directory Server definition for that domain, add the new server to the next open FSAE Collector IP/Name field, click OK, and skip to step 18.)
  22. Name it the FULL DNS name of the domain, e.g. remc1.adremc1.org, as the name will represent which domain the FSSO setup points to.
  23. Add the new server to the first open FSAE Collector IP/Name field and enter the shared secret you created; record it in LastPass (or the password manager your district uses).
  24. Click Advanced (for Collector Agent AD access mode).
  25. For the LDAP Server select one of the LDAP servers you added above.
  26. Click the Apply and Refresh buttons.
  27. You should now see an OU tree on the left side and users/groups/organizational units on the right side.
  28. Click the Recursive switch in the left pane above the Object Unit/Distinguished Name browsing section.
  29. On the right side start enabling the groups you want to map to FortiGate groups. It's easiest to search for the groups you want to add.
  30. For each group, right-click and select "Add Selected".
  31. You should see the "Selected" counter (third tab over) increase for every group you add.
  32. When done, click on the "Selected" tab and make sure all is OK.
  33. Click OK.
  34. Now, on the left side, click the User & Device section → User Groups.

  35. Add a new group by clicking "Create New" at the top of the right pane.
  36. Give it a very descriptive name, like "LakeLindenStaffInternet".
  37. Set the group type: Fortinet Single Sign-On (FSSO).
  38. Under Members click the plus sign and add the appropriate group(s) you enabled in the Single Sign-On setup. If you don't see a group you need, go back to the Single Sign-On setup and enable that group, then come back here and add it.
  39. Once you have added all your groups you can move on to the firewall rule setup.
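As an added example (not from the original page), the following Python derives the LDAP server values from steps 8 through 19, enforces the page's rules (LDAPS on 636 with a CA selected, no administrator bind account, sAMAccountName, base DN built from the domain) and renders the equivalent FortiOS `config user ldap` CLI. The CLI keys and the password placeholder are assumptions to check against your firmware's CLI reference; the sample names are the page's own.

```python
from dataclasses import dataclass
from typing import Optional

FORBIDDEN_BIND_ACCOUNTS = {"administrator", "admin"}  # step 15: never bind as administrator


def base_dn_from_domain(domain: str) -> str:
    """Step 12: 'remc1.adremc1.org' -> 'dc=remc1,dc=adremc1,dc=org'."""
    labels = [p for p in domain.lower().strip(".").split(".") if p]
    if len(labels) < 2:
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"dc={p}" for p in labels)


@dataclass
class LdapServerDef:
    server_fqdn: str                 # step 9: the entry is named after the server FQDN
    domain: str                      # AD domain the server belongs to
    bind_user: str                   # step 14: dedicated FSSO account, e.g. remc1fsso
    secure: bool = True              # step 16: LDAPS is the REMC1 standard
    ca_cert: Optional[str] = None    # step 17: CA that signed the server certificate

    def __post_init__(self) -> None:
        # Accept DOMAIN\user or user@domain forms when checking the account name.
        user = self.bind_user.split("\\")[-1].split("@")[0].lower()
        if user in FORBIDDEN_BIND_ACCOUNTS:
            raise ValueError("bind account must be a dedicated service account (step 15)")
        if self.secure and not self.ca_cert:
            raise ValueError("LDAPS requires the CA certificate to be selected (step 17)")

    @property
    def port(self) -> int:
        return 636 if self.secure else 389   # step 10

    def render_cli(self) -> str:
        """FortiOS 'config user ldap' equivalent of the GUI steps (CLI keys assumed)."""
        lines = [
            "config user ldap",
            f'    edit "{self.server_fqdn}"',
            f'        set server "{self.server_fqdn}"',
            f"        set port {self.port}",
            '        set cnid "sAMAccountName"',             # step 11
            f'        set dn "{base_dn_from_domain(self.domain)}"',
            "        set type regular",                      # step 13
            f'        set username "{self.bind_user}"',
            "        set password <BIND_PASSWORD_PLACEHOLDER>",  # assumed placeholder, fill in
        ]
        if self.secure:
            lines += ["        set secure ldaps", f'        set ca-cert "{self.ca_cert}"']
        return "\n".join(lines + ["    next", "end"])
```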

...

  • If this is a Chrome device you have to push and trust the cert to all devices. This works OK from the root domain, but subdomains still may not trust a pushed CA: the cert will push but not be trusted. Could be a still-open/historic Google Admin bug.
  • You didn't push out the CA certificate selected under Users & Devices → Authentication Settings to your clients. Push it via GPO and/or Kace and/or the Google Admin console.
  • Make sure "NewREMC1Sha2-CA" is selected for the certificate.
  • Make sure (via the CLI) that auth-ca-cert is set to "NewREMC1Sha2-CA".
  • SSH to the FortiGate → config vdom → edit vdomnamehere → config user setting → set auth-ca-cert "NewREMC1Sha2-CA" (yes, both certs must be set to this, per Fortinet instructions in a ticket I had with them).

...

Browser config for NTLM FSSO Authentication

Make the following changes in Group Policy or Kace if possible, NOT individually on each machine.

...