
Authentication Active Directory via LDAP

Technical Bulletin

Description: FortiOS 3.0/MR4 Proxy Authentication to Windows Active Directory via LDAP without FSAE
Date of Bulletin: 05-25-2007
Fortinet Engineer: David Swift (CSE)
Feature developed for: ACCD SSL VPN Authentication
Top3 Ticket: N/A
Mantis ID: N/A
Fortinet Product: FortiGates
OS Version: FortiOS v3.0 MR4+
Planned PD Release version:
Limitations: User passwords are proxied in clear text over the internal network.
Workarounds: LDAP over IPSEC or LDAPS (the certificate export/import process and enabling LDAPS on Windows 2000/2003 are not straightforward).

Fortinet

05/2007

Overview of Process:
1. Configure an LDAP Authentication Object on the FortiGate.
2. Modify the user ldap server settings via the CLI to adjust the username, the context on the AD tree, and the group to use for authentication.
3. Configure SSL-VPN Authentication (or Firewall or other auth) to use the LDAP server object created in steps 1 & 2.

LDAP Active Directory Connection Options:

1. LDAP over port 389 proxy authentication is fully supported and functional, though the syntax can be difficult to discern. Two options exist:
   a. Unbound / anonymous queries: not supported by Microsoft AD by default.
   b. Bound queries: any Active Directory account can be used to attach to Active Directory and check whether the proxied user / password combination is valid in the given Active Directory LDAP tree.
      i)  The customer must create an account in Active Directory for the FortiGate proxy to authenticate with before it is allowed to query for other user objects and contexts (this may also be part of the reason querying LDAP via the GUI fails to return data, see Figure 1).
      ii) Bound queries are configured via the CLI with SET TYPE REGULAR on the LDAP server properties (see Figure 2).

   Context can be important. LDAP queries usually have no problem flowing from a higher-level context (a point higher on the tree) down to a lower-level context, but queries from a lower (leaf) level back up the tree often fail.

   Active Directory Context Overview:
   Leaf objects (user, folder, group) are referenced with CN= (or matched by sAMAccountName).
   DC = Domain Component; the root of the tree is the domain itself (e.g. DC=isp,DC=com).
   OU = Organizational Unit, referenced with OU=.
   CN = Common Name.

   Root (DC=isp,DC=com)
   |
   |-- Users (default container holding leaf objects; referenced as CN=Users)
   |     |-- user_for_auth
   |
   |-- Domain Controllers (OU)
   |
   |-- further OUs, each holding leaf objects: group, user, printer


Note: a container called Users exists in the root by default (this is what the Active Directory Users and Computers snap-in shows); it is referenced with CN= syntax, not OU= (i.e. CN=user_for_auth,CN=Users,DC=isp,DC=com).

2. LDAP over IPSEC is also supported; reference http://kc.forticare.com/default.asp?id=1696&SID=&Lang=1

3. LDAPS (SSL encrypted) is supported over port 636, but the Windows Active Directory configuration and a successful certificate import are non-trivial.

   Overview of Process:
   Enable LDAPS on the FortiGate in the LDAP settings screen.
   a. Change the port to 636.
   b. Enable LDAPS on Windows:
      i.   Configure a Certificate Authority server (if one does not yet exist).
      ii.  Enable Auto-Enrollment in the Default Domain Controller Security Policy.
      iii. Create and submit a request for an Auto-Enrollment Domain Controller Authentication certificate.
      iv.  Export the certificate on Windows.
      v.   Import the certificate on the FortiGate.

   Ed Lopez may have further insight on LDAPS configuration.
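The "Limitations" line in the header is worth seeing on the wire. What follows is an added example for this bulletin, not Fortinet code: it encodes and decodes the LDAP v3 simple BindRequest (RFC 4511, BER encoded) that a bound query sends over port 389, and shows that the bind DN and password are recoverable from the raw bytes by anyone who can capture the FortiGate-to-DC traffic, which is exactly what the IPSEC and LDAPS workarounds above close. The sample packet is constructed, not a real capture; it is the encoding of a bind as the bulletin's service account cn=fortinet,cn=Users,dc=isp,dc=com, and the password "fortinet" is an assumption.

```python
"""LDAP v3 simple BindRequest in BER (RFC 4511 / ITU-T X.690).

Added example for this bulletin, not FortiOS code. It shows why a 'regular'
bind over port 389 exposes the proxied password: the credential travels as a
plain OCTET STRING inside the BindRequest.
"""


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(v: int) -> bytes:
    # Two's-complement, minimal length (a leading 0x00 is kept for values >= 128).
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _tlv(
        0x60,  # [APPLICATION 0] constructed: BindRequest
        _integer(3)                              # version
        + _tlv(0x04, bind_dn.encode("utf-8"))    # name: LDAPDN as OCTET STRING
        + _tlv(0x80, password.encode("utf-8")),  # authentication: simple [0], cleartext
    )
    return _tlv(0x30, _integer(message_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(pkt: bytes) -> dict:
    """Recover messageID, version, bind DN and password from a captured simple bind."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        # A SASL bind is [3] (0xA3); only the simple choice carries the password verbatim.
        raise ValueError("not a simple bind")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "name": name.decode("utf-8"),
        "password": auth.decode("utf-8"),
    }


# Constructed sample (not a real capture): the bytes a bound query sends when the
# FortiGate binds as the bulletin's service account. Password 'fortinet' is assumed.
SAMPLE_BIND = bytes.fromhex(
    "3036" "020101" "6031" "020103"
    "0422" "636e3d666f7274696e65742c" "636e3d55736572732c" "64633d6973702c" "64633d636f6d"
    "8008" "666f7274696e6574"
)

if __name__ == "__main__":
    print(decode_bind_request(SAMPLE_BIND))
```

Feed the function the payload of the TCP segment following the three-way handshake to port 389 and the bind DN and password come straight out; the same bytes inside LDAPS (port 636) or an IPSEC tunnel are not readable from a capture. Note that this only protects the FortiGate-to-DC hop; the user's password still reaches the FortiGate through whatever front-end (SSL VPN, firewall auth) collected it.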

Detailed configurations and supporting information: This tech note covers option 1, LDAP over port 389, with links to other documents for options 2 and 3.

LDAP Server Configuration with Regular Bindings

config user ldap
    edit "Active_Directory"
        set server "192.168.1.200"
        set cnid "cn"
        set dn "CN=Users,DC=isp,DC=com"
        set type regular
        set username "fortinet"
        set password ENC Wi3zDbQY8PZg8fvXEkwbnaKJGrKobi7g0HwRciKEtu8ALxz/KCX7N5wOC05XEURA4Tg+h
    next

LDAP Server Configuration Using Groups & sAMAccountName

    edit "AD_OU"
        set server "192.168.1.200"
        set cnid "sAMAccountName"
        set dn "cn=Users,dc=isp,dc=com"
        set type regular
        set username "cn=fortinet,cn=Users,dc=isp,dc=com"
        set password ENC dL4CTnyCBv5Lhxrx5fJ0vURWpPf/1X3C3fVpDlHMFRRqTu+i71Zn1+
        set group "cn=sslvpn,cn=Users,dc=isp,dc=com"
    next
end


Configuration as Tested:
Windows 2003 Server in VMware Server
Active Directory tree: isp.com
User: fortinet, used for binding queries (cn=fortinet,cn=Users,dc=isp,dc=com)
User: hasvpn, part of the sslvpn group; can authenticate to LDAP and is a member of the allowed group.
User: novpn, can authenticate to LDAP but cannot access SSL VPN services; not part of the group.

Figure 1: Active Directory Users and Computers


Figure 2: Group Membership

User: fortinet was added to the sslvpn users group for debug later.


Figure 3: LDAP Query Fails
Note: When querying an LDAP server from the GUI, the query will fail (though on the initial connect with blank fields it may return some information about the domain / LDAP structure).


Figure 4: Bound LDAP Queries

Note: Two combinations work:
1. cnid cn with username fortinet, or
2. cnid sAMAccountName with username cn=fortinet,cn=Users,dc=isp,dc=com


Troubleshooting:

1. Test Connectivity

FWF60M2906501170 # exec ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200): 56 data bytes
64 bytes from 192.168.1.200: icmp_seq=0 ttl=128 time=2.5 ms
64 bytes from 192.168.1.200: icmp_seq=1 ttl=128 time=1.8 ms
64 bytes from 192.168.1.200: icmp_seq=2 ttl=128 time=1.8 ms
64 bytes from 192.168.1.200: icmp_seq=3 ttl=128 time=2.4 ms
64 bytes from 192.168.1.200: icmp_seq=4 ttl=128 time=3.4 ms
--- 192.168.1.200 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.8/2.3/3.4 ms

2. Test a User account authentication from the CLI

FWF60M2906501170 # diag test auth ldap Active_Directory fortinet fortinet
authenticate 'fortinet' against 'Active_Directory' failed!

Figure 5: Wireshark, AD not querying but pingable


3. Verify Firewall Rules allow connectivity

Figure 6: Firewall Rules


4. Test Connectivity (confirm a valid ARP reply from the true AD host / no proxy ARP)
Everything is valid here, but a firewall on the host is blocking: use exec ping, then diag sniffer packet with a host filter, and confirm the MAC address of the server via IPCONFIG /ALL (or ifconfig).

Figure 7: Debugging, response with a firewall rule blocking access


5. Successful Reply (after disabling the FortiClient firewall)

Figure 8: Debugging, Valid Response


6. Successful Reply Capture (Wireshark)

Valid Response Packet Capture

7. Basic LDAP Server Configuration

FWF60M2906501170 (ldap) # show
config user ldap
    edit "Active_Directory"
        set server "192.168.1.200"
        set cnid "cn"
        set dn "CN=Users,DC=isp,DC=com"
        set type regular
        set username "fortinet"
        set password ENC Wi3zDbQY8PZg8fvXEkwbnaKJGrKobi7g0HwRciKEtu8ALxz/KCX7N5wOC05XEURA4Tg+h
    next
end


8. Failed User Authentication (valid IP, valid MAC, valid user)

Failed Query


9. Failed User Auth Packet Capture (Wireshark)

Packet Capture: Failed Authentication


10. Successful Authentication with Groups

Successful Authentication Test & Configurations

11. LDAP configuration with Group and sAMAccountName

config user ldap
    edit "AD_OU"
        set server "192.168.1.200"
        set cnid "sAMAccountName"
        set dn "cn=Users,dc=isp,dc=com"
        set type regular
        set username "cn=fortinet,cn=Users,dc=isp,dc=com"
        set password ENC dL4CTnyCBv5Lhxrx5fJ0vURWpPf/1X3C3fVpDlHMFRRqTu+i71Zn1+
        set group "cn=sslvpn,cn=Users,dc=isp,dc=com"
    next
end


12. Packet Capture of Successful LDAP bound query with Group Authentication


13. Packet Capture of failed authentication (valid user, not member of group)


14. Packet Capture of a Bound Query to LDAP using Group

Two steps:
A. Validate the user before querying the tree.
B. Validate who is a member of the group.
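As an added example for this bulletin (not FortiOS code), the bound-query flow described in steps A and B, together with the "two combinations" note from Figure 4, is modelled in Python against a constructed in-memory stand-in for the isp.com test tree, driven by the two LDAP server objects from this note. Assumptions, also marked in the code: the FortiGate composes a bare username into cnid=username,dn (which is what the two working combinations imply); the service-account password is "fortinet"; the hasvpn and novpn users have invented common names ("Has VPN", "No VPN") and invented passwords; and a bind is checked by plain comparison where a real domain controller checks a hash.

```python
"""Model of the FortiGate 'regular' (bound-query) LDAP authentication flow.

Added example for this bulletin, not FortiOS code. The directory below is a
constructed stand-in for the isp.com test tree; nothing here talks to a DC.
"""


def norm_dn(dn: str) -> str:
    """Comparison key: DNs are case-insensitive and the bulletin mixes CN= and cn=."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed directory. Passwords are invented; real AD stores hashes, not this.
# Assumption: hasvpn/novpn have full-name CNs to show why cnid matters.
DIRECTORY = {
    "cn=fortinet,cn=Users,dc=isp,dc=com": {
        "cn": "fortinet", "sAMAccountName": "fortinet", "password": "fortinet"},
    "cn=Has VPN,cn=Users,dc=isp,dc=com": {
        "cn": "Has VPN", "sAMAccountName": "hasvpn", "password": "hasvpn-pw"},
    "cn=No VPN,cn=Users,dc=isp,dc=com": {
        "cn": "No VPN", "sAMAccountName": "novpn", "password": "novpn-pw"},
    "cn=sslvpn,cn=Users,dc=isp,dc=com": {
        "cn": "sslvpn",
        "member": ["cn=Has VPN,cn=Users,dc=isp,dc=com",
                   "cn=fortinet,cn=Users,dc=isp,dc=com"]},
}
ENTRIES = {norm_dn(dn): attrs for dn, attrs in DIRECTORY.items()}


def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind. AD rejects anonymous/empty binds by default, so those fail here too."""
    entry = ENTRIES.get(norm_dn(dn))
    return bool(password) and entry is not None and entry.get("password") == password


def ldap_search(base: str, attr: str, value: str) -> list:
    """Subtree search under base for (attr=value); returns the matching DNs."""
    suffix = norm_dn(base)
    return [dn for dn, e in ENTRIES.items()
            if dn.endswith("," + suffix)
            and str(e.get(attr, "")).lower() == value.lower()]


def compose_bind_dn(username: str, cnid: str, base_dn: str) -> str:
    """Assumption: a bare username becomes cnid=username,base_dn; a full DN is used as-is."""
    return username if "=" in username else f"{cnid}={username},{base_dn}"


def authenticate(cfg: dict, user: str, password: str):
    """Returns (True, 'ok') or (False, reason) following the bulletin's two-step flow."""
    # Step A: bind with the FortiGate's own account before touching the tree.
    if not ldap_bind(compose_bind_dn(cfg["username"], cfg["cnid"], cfg["dn"]),
                     cfg["password"]):
        return False, "service account bind failed"
    # Locate the user object under dn by cnid; the proxied login name is matched against it.
    hits = ldap_search(cfg["dn"], cfg["cnid"], user)
    if len(hits) != 1:
        return False, f"{cfg['cnid']}={user} not found under {cfg['dn']}"
    user_dn = hits[0]
    # Bind as the user with the proxied password: this is the actual credential check.
    if not ldap_bind(user_dn, password):
        return False, "user bind failed (bad password)"
    # Step B: if a group is configured, the user's DN must appear in its member attribute.
    group = cfg.get("group")
    if group:
        members = [norm_dn(m) for m in ENTRIES.get(norm_dn(group), {}).get("member", [])]
        if norm_dn(user_dn) not in members:
            return False, f"not a member of {group}"
    return True, "ok"


# The two server objects from this note; the cleartext password is an assumption.
ACTIVE_DIRECTORY = {  # cnid cn, bare bind username, no group restriction
    "server": "192.168.1.200", "cnid": "cn", "dn": "CN=Users,DC=isp,DC=com",
    "username": "fortinet", "password": "fortinet"}
AD_OU = {  # cnid sAMAccountName, full bind DN, sslvpn group restriction
    "server": "192.168.1.200", "cnid": "sAMAccountName", "dn": "cn=Users,dc=isp,dc=com",
    "username": "cn=fortinet,cn=Users,dc=isp,dc=com", "password": "fortinet",
    "group": "cn=sslvpn,cn=Users,dc=isp,dc=com"}

if __name__ == "__main__":
    for name, cfg, user, pw in [
        ("Active_Directory", ACTIVE_DIRECTORY, "hasvpn", "hasvpn-pw"),
        ("Active_Directory", ACTIVE_DIRECTORY, "Has VPN", "hasvpn-pw"),
        ("AD_OU", AD_OU, "hasvpn", "hasvpn-pw"),
        ("AD_OU", AD_OU, "novpn", "novpn-pw"),
        ("AD_OU", AD_OU, "hasvpn", "wrong"),
    ]:
        print(name, repr(user), authenticate(cfg, user, pw))
```

Running it shows the three outcomes the captures in items 12 and 13 illustrate: hasvpn passes both steps, novpn binds successfully but is rejected at step B, and a wrong password fails at the user bind. It also shows why the sAMAccountName object is the practical choice: with cnid cn the login name has to be the object's common name, not the short logon name.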


Troubleshooting:

1. Verify a valid/correct MAC (no proxy ARP reply) and L3 connectivity (ping). The screens show a sniffer capture with a valid MAC, a valid host IP, and reachable source/destination, but a firewall rule blocking LDAP.

2. Simplify the configuration: remove the group and filter, use the simple cnid cn rather than sAMAccountName, and unset any other options not required for initial connectivity (watch for, and remove, the filter).


Active Directory User Properties / LDAP Mappings in ADSIEDIT

sAMAccountName is the short logon name for a given user, and is likely the preferred choice for customers: it lets users log in with the short name rather than the full first, middle, last name combination that cn would require.


ADSIEDIT.MSC (Microsoft Management Console Snap-In Tool)

Adsiedit.msc is a Microsoft Management Console (MMC.EXE) snap-in that displays Active Directory objects in LDAP naming, which more closely matches the Fortinet/OpenLDAP view.


It can be accessed by going to Help & Support from the Start menu, then Tools, then Installing Windows Support Tools (Accessing ADSIEDIT).


Installing Windows Support Tools ADSIEDIT.MSC

Other Windows Utilities:
CertReq.exe    Certificate Request Tool
CertUtil.exe   Certificate Generation Tool
LDP.exe        LDAP Browser Tool


LDAPS on Windows 2003 AD

Per Jeff Wang:
LDAPS uses the same certificate as IIS (HTTPS), so just try to get the CA certificate at http://x.x.x.x/certenroll/ (x.x.x.x is your AD server IP address) and import it to the FGT on the GUI: VPN : Certificate -> CA Certificate.

config user ldap
    edit "ldapsrv"
        set server "172.18.5.14"
        set cnid "cn"
        set dn "OU=jeff,DC=test,DC=com"
        set port 636
        set filter ''
        set secure ldaps
        set ca-cert "CA_Cert_1"
    next
end

# dia deb application fnbamd 255
fnbamd_fsm.c[739] handle_req-Rcvd auth req 5 for jeff1 in ra opt=0 prot=0
fnbamd_auth.c[169] radius_start-Didn't find radius servers (0)
fnbamd_ldap.c[336] resolve_ldap_FQDN-Resolved address 172.18.5.14, result 172.18.5.14
fnbamd_ldap.c[133] set_cacert_file-CA file: '/etc/cert/ca/CA_Cert_1.cer'
fnbamd_ldap.c[587] fnbamd_ldap_get_result-Auth accepted
fnbamd_ldap.c[673] fnbamd_ldap_get_result-Going to DONE state res=0
fnbamd_auth.c[955] fnbamd_auth_poll-Result for ldap svr 172.18.5.14 is SUCCESS
fnbamd_comm.c[128] fnbamd_comm_send_result-Sending result 0 for req 5


Enabling LDAPS on Windows 2003 AD


1. Configure Certificate Services if not installed (or run the next commands on the Enterprise CA server)

Configuring Certificate Services


2. Create a certificate for import to both AD and the FortiGate

http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

Certificate Request File

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=RL-SERVER,OU=Domain Controllers,DC=isp,DC=COM" ; the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; (1024-bit RSA is below current minimums; 2048 or larger should be used today.)
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

Windows Certificate Utilities:

CertUtil -template                                   lists valid templates
CertUtil -viewstore                                  lists valid installed certificates
Ldp.exe                                              Windows tool to verify LDAP/LDAPS connectivity (part of the Windows 2000 Support Tools)
CertReq -new <file>.inf <outputfile>.req             creates a request file
CertReq -submit -attrib "CertificateTemplate:DomainControllerAuthentication" <outputfile>.req
                                                     submits the request with a template attribute override
CertUtil <outputfile>.req                            dumps (decodes) the request file for inspection
CertReq -accept <file>.cer                           accepts the issued certificate into the machine store


Windows Reference Links:

Enabling a Certificate Authority
http://technet2.microsoft.com/WindowsServer/en/library/bc61880a-ab80-4803-a76a-7646804155e91033.mspx?mfr=true

Enabling Auto-Enrollment
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Enabling Auto-Enrollment / LDAPS / INF File Syntax
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx#ENSAE

Microsoft Knowledge Base on LDAPS
http://support.microsoft.com/kb/321051

Advanced Certificate Enrollment
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Certificate Authority Best Practices
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Certificate Templates
http://technet2.microsoft.com/windowsserver/en/library/c71d2cd3-82ef-4e3c-8746-1340d0ef4e9a1033.mspx?mfr=true

LDAP / IAS (Testing LDAPS Connectivity)
http://www.microsoft.com/technet/isa/2004/plan/workgroup_ee.mspx#Testing%20LDAPS%20Connectivity

Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders. Disclaimer Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing. FAQ999

