
Microsoft Active Directory

FortiGuest supports authentication against multiple domain controllers. These can be part of the same Active Directory, to provide resilience, or they can be in different Active Directories. FortiGuest can authenticate users from separate domains, even where no trust relationship is configured. All Active Directory authentications are performed against individual domain controller entries. FortiGuest attempts to authenticate users against each domain controller entry in the authentication order specified in the authentication settings.

Note: If either of the following security settings is configured on the domain controller, the encryption type should not be None.

  • Domain controller - LDAP server signing requirements is set to Require Signing.
  • Network security - LDAP client signing requirements is set to Negotiate signing or Require signing.
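
To check how the two policies in the note are currently set, the following added example (not part of the FortiGuest documentation) reads their values on the domain controller. It assumes an elevated PowerShell session on the domain controller and uses the standard Windows registry values behind the two policies; the variable and property names are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# The registry values below back the two policies named in the note; they are
# Windows settings, not FortiGuest settings.
$policies = @(
    @{ Policy = 'Domain controller: LDAP server signing requirements'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name   = 'LDAPServerIntegrity'
       Labels = @{ 1 = 'None'; 2 = 'Require signing' }
       Blocks = @(2) },      # values for which Encryption should not be None
    @{ Policy = 'Network security: LDAP client signing requirements'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Name   = 'LDAPClientIntegrity'
       Labels = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }
       Blocks = @(1, 2) }
)

$results = foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the operating system default applies, so report it as unknown.
        $value = $null; $setting = 'Not set in registry (OS default applies)'; $noneOk = $null
    } else {
        $value = [int]$item.($p.Name)
        if ($p.Labels.ContainsKey($value)) {
            $setting = $p.Labels[$value]
            $noneOk  = $p.Blocks -notcontains $value
        } else {
            $setting = "Unrecognized value ($value)"; $noneOk = $null
        }
    }
    [pscustomobject]@{
        Policy           = $p.Policy
        Value            = $value
        Setting          = $setting
        EncryptionNoneOk = $noneOk
    }
}
$results | Format-Table -AutoSize -Wrap

if ($results | Where-Object { $_.EncryptionNoneOk -eq $false }) {
    Write-Warning 'Signing is required or negotiated: do not set Encryption to None for this server.'
} elseif ($results | Where-Object { $null -eq $_.EncryptionNoneOk }) {
    Write-Warning 'A policy is not set explicitly or has an unknown value; confirm the effective setting in Group Policy.'
}
```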

Configure the following fields to enable Active Directory authentication.

  • Server - The hostname or IP address of the Active Directory server.
  • Port - The port number of the Active Directory server.
  • Encryption - The desired encryption method of the Active Directory server.
  • AD Domain - The domain name of the Active Directory.
  • Base DN - The Distinguished Name of the domain controller. It is the name of the root of the directory tree and tells FortiGuest where to start group searches. For example, the base DN for the domain cca.xyznetworks.com is DC=cca,DC=xyznetworks,DC=com.
    Note: The AD Domain and Base DN are populated when you enter the Active Directory Server details.
  • Admin Bind DN and Admin Password - To authenticate a user account, the client must bind to the Active Directory server using the bind DN and password of the user account. An example Bind DN is cn=username,ou=users,dc=FortiGuest, where username is that of the user account.
