Providing single sign-on in advanced mode for a Windows AD network

Using Fortinet Single Sign-On (FSSO), the FortiGate unit automatically authenticates any user who successfully logs into Windows. The Domain Controller (DC) agent's Advanced mode has the advantage of supporting nested or inherited user groups. If Standard mode is used, the FortiGate unit can authenticate only users who are direct members of a group.

1. Configuring the DC agent for Advanced mode
2. Configuring the DC agent as an FSSO agent
3. Creating an FSSO user group
4. Creating an identity-based security policy
5. Results

(Network diagram: Internet, FortiGate, FSSO Agent, Windows AD, Internal Network)

Configuring the DC agent for Advanced mode

Log on to the Windows server where the DC agent is installed. Go to All Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent. Select Directory Access Information and set AD Access mode to Advanced.

The rest of the configuration is done on the FortiGate unit.

Configuring the FSSO agent

Go to User & Device > Authentication > Single Sign-On and enter the information the FortiGate unit needs to access the DC agent. After you select Apply & Refresh, the Windows AD groups are listed. This confirms that the FortiGate unit can communicate with the DC agent.

On a Windows AD network with a large number of groups, the FortiGate unit's performance might be affected by the volume of user logon information it receives. Use the Set Group Filters function of the DC agent to send information only for the groups you intend to authenticate.

Creating an FSSO user group

Select the Windows AD groups to include in the FortiGate FSSO user group.

Creating an identity-based security policy

Create an identity-based security policy that uses the FSSO user group that you created.

Results

The Windows AD user, having authenticated at logon, does not have to authenticate again to connect to the Internet.
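The three FortiGate-side steps above (defining the FSSO agent, building the FSSO user group, and writing the policy that uses it) can also be entered from the FortiGate CLI. The fragment below is an added example, not configuration from the original recipe or from Fortinet; it assumes a DC agent reachable at 192.0.2.10, an AD group named "FSSO_Users" in the domain example.com, the interfaces "internal" and "wan1", and the FortiOS 5.2-and-later policy syntax in which the user group is set directly on the firewall policy (in FortiOS 5.0 the group is instead placed in the identity-based sub-policy of the rule). Replace the placeholder password before use.

```text
# Added example (not from the original page). Hypothetical names and addresses.
# Step 2: the DC agent the FortiGate polls for logon events.
config user fsso
    edit "DCagent_Advanced"
        set server "192.0.2.10"
        set password "REPLACE_WITH_AGENT_PASSWORD"
    next
end

# Step 3: an FSSO user group. In Advanced mode the AD group is referenced by
# its LDAP distinguished name, which is what allows nested/inherited groups
# to match. Use a purpose-specific AD group rather than a broad one such as
# Domain Users so that the policy grants only the access you intend.
config user group
    edit "FSSO_Internet_Users"
        set group-type fsso-service
        set member "CN=FSSO_Users,CN=Users,DC=example,DC=com"
    next
end

# Step 4: the security policy that grants Internet access only to users
# whose Windows logon placed them in the FSSO group above.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Internet_Users"
        set nat enable
    next
end
```

After applying this, the same check the GUI recipe describes still applies: the AD groups should be listed when the FSSO agent entry is refreshed, which confirms the FortiGate can reach the DC agent. If the group list is empty, verify the agent address and password and, if Set Group Filters is in use on the DC agent, that the filter includes the group named in the "set member" line.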