By Manny Fernandez

April 20, 2019

Secure LDAP and AD Password Change via Forticlient

First of all, I wanted to give credit to a good friend of mine (Brian Modlin) that hit me up with this question and since I was busy as hell, he figured it out and told me about it. I recreated it in my lab and here it is.

First, we are going to configure Secure LDAP (LDAPS) to communicate to our lab DC, then we will make the modifications to permit the password expiring message and then enable the password change.

Secure LDAP (LDAPS)

For this step, we will need to connect to the Domain Controller (or CA server).

Go to Run, type ‘mmc‘ and hit Enter.

You are going to want to ‘Add/Remove Snap-in…‘ or Ctrl+M.

Next, choose (1) ‘Certificates‘, click the (2) ‘Add‘ button, and then (3) ‘OK‘.

Ensure that you choose ‘Computer Account‘ and then ‘Next‘.

Select (1) ‘Personal‘ then ‘Certificates‘, (2) choose your CA certificate, (3) right-click on the certificate and choose ‘All Tasks‘, then choose (4) ‘Export‘.

If the Certificate Export Wizard opens, you are doing fine. Hit ‘Next‘.

Choose ‘No, do not export the private key‘ and choose ‘Next‘.

It should default to ‘DER‘, but if not, choose it and hit ‘Next‘.

Choose the path and file name you want to use and hit ‘Next‘.

Now choose ‘Finish‘.

Once you get ‘The export was successful‘, hit the ‘OK‘ button.

Importing certificate into Fortigate

Log into your Fortigate.

NOTE: If you have not already done so, navigate to ‘System‘ then ‘Feature Visibility‘ and ensure you have ‘Certificates‘ selected.

Under the ‘Certificates‘ section, choose ‘Import‘ then ‘CA Certificate‘. Once the certificate is imported, you can rename it to something meaningful from the CLI:

LAB-FW-01 # config vpn certificate ca
LAB-FW-01 (ca) # rename CA_Cert_1 to LDAPS-CA
LAB-FW-01 (ca) # end

Creating the LDAPS Profile

Now we are going to configure the Fortigate to use the certificate we exported and the Domain Controller to do authentication. Note: you will need to have a ‘Domain Admin’ service account ready to go for this.

Navigate to ‘User & Device‘, then choose ‘LDAP Servers‘, then choose ‘Create New‘.

There is a lot on this screen, so let's unpack it:

Aside from entering the Name and IP address of your Domain Controller, you will need to set the (1) ‘Server Port‘ to ‘636‘ and change the ‘Common Name Identifier‘ to ‘sAMAccountName‘ (YES, IT IS CASE SENSITIVE). Then choose (2) ‘Regular‘ as the ‘Bind Type‘, (3) enter the service account and password (you can use the user@domain form or the distinguished name (DN) format, e.g. cn=X,dc=y,dc=com; I think the first one is easier though), and (4) tick the ‘Secure Connection‘ button. Next, choose (5) ‘LDAPS‘ under ‘Protocol‘, then open the drop-down and choose (6) the certificate we imported and renamed (if you renamed it). Test the connectivity by clicking (7) ‘Test Connectivity‘ and look for ‘Successful‘.

Creating the LDAPS Group

Now we will create the Secure LDAP group. Navigate to (1) ‘User & Device‘, choose (2) ‘User Groups‘, then (3) ‘Create New‘.

Give the group a (1) ‘Name‘, then go down to ‘Remote Groups‘ and choose (2) ‘Add‘.

From the drop-down, choose ‘LDAPS-DC01‘ (obviously, choose the name of the LDAP server you created).

Enter your (1) group name and hit the (2) search button, then select the group name and right-click on it.

When you right-click, you will see ‘Add Selected‘; click it.

Modifying the VPN Configuration

Navigate to (1) ‘VPN‘, then choose (2) ‘SSL-VPN Settings‘.

Under ‘Authentication/Portal Mappings‘, choose ‘Create New‘.

Once here, choose the (1) LDAPS group you created above, then choose the (2) ‘Portal‘ (in my case, I am using the ‘full-access‘ portal).

NOTE: Remove any duplicate mappings through other, non-secure LDAP servers, as you want to ensure that every login goes over the secure connection.
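The LDAPS server, the remote group and the SSL-VPN portal mapping from the steps above, expressed as FortiOS CLI. This is an added example, not the author's configuration: the DC name, domain, service account and AD group are made-up lab values, and the two `password-*` switches at the end of the LDAP entry are the CLI settings behind the expiry message and the password change this post enables.

```text
# Constructed lab values (assumptions): DC dc01.lab.local, domain lab.local,
# service account svc-fgt-ldap, AD group VPN-Users, imported CA cert "LDAPS-CA"
config user ldap
    edit "LDAPS-DC01"
        set server "dc01.lab.local"
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=lab,dc=local"
        set type regular
        set username "svc-fgt-ldap@lab.local"
        set password <service-account-password>
        set secure ldaps
        set ca-cert "LDAPS-CA"
        # on releases that support it: also check that the DC's certificate
        # name matches 'server', so the CA chain alone is not the only check
        set server-identity-check enable
        # these two switches drive the expiry warning and the password change
        set password-expiry-warning enable
        set password-renewal enable
    next
end

config user group
    edit "LDAPS-VPN-Users"
        set member "LDAPS-DC01"
        config match
            edit 1
                set server-name "LDAPS-DC01"
                set group-name "CN=VPN-Users,OU=Groups,DC=lab,DC=local"
            next
        end
    next
end

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "LDAPS-VPN-Users"
            set portal "full-access"
        next
    end
end
```

With `server-identity-check` enabled, the `server` value must be the name on the DC's certificate (an FQDN rather than an IP, unless the certificate carries that IP as a subject alternative name). The bind account must be allowed to reset user passwords for the renewal step to work; an account delegated only that right on the relevant OU is sufficient and is a smaller blast radius than a Domain Admin.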

Results

After this, the ‘Your password expired. Please provide a new one‘ message is shown to the user in question when they log in through FortiClient.

Hope this helps.
