Chapter 1 What’s New for FortiOS 5.0 : Authentication: users and devices : SSO with Windows AD or Novell
  
SSO with Windows AD or Novell
The FortiGate unit can authenticate users transparently based on their Windows Active Directory (AD) or Novell eDirectory privileges. This means that users who have logged on to the network are not asked again for their credentials to access network resources through the FortiGate unit, hence the term “Single Sign-On”.
FSSO Collector agent and DC agent have been tested on Windows Server 2003, 2008 and 2012.
On a Microsoft Windows or Novell network, users authenticate with the Microsoft AD or Novell eDirectory at logon. It would be inconvenient if users then had to enter another username and password for network access through the FortiGate unit. FSSO agents installed on the network provide user information, such as IP address and user group memberships, to the FortiGate unit. Security policies on the FortiGate unit allow network access based on the user groups to which the user belongs.
There are several mechanisms for passing user authentication information to the FortiGate unit:
FSSO Collector agent software installed on a Windows AD network monitors user logons and sends the required information to the FortiGate unit. The FSSO software can obtain this information by polling the AD domain controllers or by using an FSSO agent on each AD domain controller that monitors user logons in real time. New in FortiOS 5.0, a FortiGate unit can obtain group information directly from AD using Lightweight Directory Access Protocol (LDAP).
On a Windows AD network, the FSSO software can also serve NT LAN Manager (NTLM) requests coming from client browsers (forwarded by the FortiGate unit) with only one or more Collector agents installed; no DC agents are required for NTLM.
FSSO eDirectory agent software installed on a Novell network monitors user logons and sends the required information to the FortiGate unit. The agent can obtain information from the Novell eDirectory using either the Novell API or LDAP.
A FortiAuthenticator server can act as a replacement for the Collector agent in polling mode in a Windows AD network. FortiAuthenticator can also be configured with internal or external LDAP and RADIUS servers. For more information, see the FortiAuthenticator Administration Guide.
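As an added configuration example, not taken from this page or from Fortinet's documentation, the following FortiOS CLI fragments show how the Windows AD mechanisms above fit together on the FortiGate side: a Collector agent that supplies the IP-to-user mapping, an LDAP server object used for the FortiOS 5.0 direct group lookup, an FSSO user group bound to an AD group, and a firewall policy that grants access on membership of that group. The object names, addresses, distinguished names and the shared secret are placeholders and must be replaced with values from your own directory.

```text
# --- Collector agent: the FortiGate connects to the agent on TCP 8000
#     (default) and authenticates with the shared secret configured on
#     the agent. Address and secret are placeholders.
config user fsso
    edit "FSSO-COLLECTOR-1"
        set server 192.0.2.10
        set port 8000
        set password <collector-shared-secret>
        # FortiOS 5.0: resolve group membership over LDAP instead of
        # taking the group list from the Collector agent.
        set ldap-server "AD-LDAP"
    next
end

# --- LDAP server used for the group lookup. A dedicated, read-only
#     service account is assumed; LDAPS avoids sending its password
#     in clear text.
config user ldap
    edit "AD-LDAP"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com"
        set password <service-account-password>
        set secure ldaps
        set port 636
    next
end

# --- FSSO user group. The member is the full DN of the AD group and
#     must match exactly what the directory returns.
config user group
    edit "FSSO-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=com"
    next
end

# --- Policy: only logged-on members of FSSO-Finance may reach the
#     Internet from the internal interface; everyone else falls through
#     to the implicit deny.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-Finance"
        set nat enable
    next
end
```

The choice between polling the domain controllers and installing a DC agent on each controller is made in the Collector agent's own setup, not on the FortiGate, so the fragment above is the same in both modes. After a user logs on, `diagnose debug authd fsso server-status` shows whether the FortiGate has a connection to the agent and `diagnose debug authd fsso list` shows the learned IP-to-user mappings and the groups attached to them; a user who is present in that list but not matched by the policy almost always has a group DN that differs from the one configured in `config user group`. Because the FortiGate trusts the mapping the Collector agent sends, limit inbound TCP 8000 on the agent host to the FortiGate's address and keep the shared secret as protected as any other infrastructure credential.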