This article explains how to set up Microsoft Entra Domain Services with secure LDAP and connect it to FortiGate. Follow the steps to add a custom domain, configure Entra Domain Services, enable secure LDAP, and import certificates. Command line instructions for FortiGate integration are also provided.
Scope
FortiGate.
Solution
Step 1: Set up your domain by following this article from Microsoft: Add a custom domain.
Note: When setting up the custom domain, ensure that the TXT or MX records from Azure are added to the managed domain. As shown in the screenshot below, TXT records have been created in GoDaddy DNS Management.
It is then possible to create and configure Microsoft Entra Domain Services. Follow this guide for the full setup: Create a Microsoft Entra Domain Services instance.
Step 2: Enable and configure secure LDAP in Microsoft Entra Domain Services: Configure secure LDAP. During this process, a certificate must be created and uploaded in the secure LDAP settings. Either follow the Microsoft guide to create the certificate, or issue one from your own certificate server. The important part is obtaining the CA certificate, as FortiGate requires it to trust the LDAPS server certificate.
Step 3: Import the CA certificate by going to System > Certificates > Create/Import > CA Certificate > File, and select 'Upload'.
Step 4: Connect the FortiGate to the Azure LDAPS endpoint by following the steps below.
Command Line:
config user ldap
    edit "Azure-LDAP"
        set server "172.190.141.131"          -> LDAPS external IP address is listed in the Properties
        set server-identity-check disable
        set cnid "mail"                       -> mail as Common Name Identifier
        set dn "dc=pitou,dc=online"           -> your domain
        set type regular
        set username "[email protected]"   -> your credentials
        set password <your-password>
        set secure ldaps
        set ca-cert "azure-ldaps-ca"          -> LDAPS CA Certificate
        set port 636
    next
end
If the imported CA certificate needs to be renamed to match the name used above, use these CLI commands:
Command Line:
config vpn certificate ca
    rename CA_Cert_1 to azure-ldaps-ca
end
After that, the LDAPS connection status shows as connected.
Results:
ld = ldap_open("10.1.0.4", 389);
Established connection to 10.1.0.4.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=pitou,DC=online;
currentTime: 9/6/2023 1:16:44 PM Coordinated Universal Time;
defaultNamingContext: DC=pitou,DC=online;
dnsHostName: AM0KXYLAGGL34RH.pitou.online;
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( WIN2016 );
dsServiceName: CN=NTDS Settings,CN=AM0KXYLAGGL34RH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pitou,DC=online;
forestFunctionality: 7 = ( WIN2016 );
highestCommittedUSN: 203752;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: pitou.online:[email protected];
namingContexts (5): DC=pitou,DC=online; CN=Configuration,DC=pitou,DC=online; CN=Schema,CN=Configuration,DC=pitou,DC=online; DC=DomainDnsZones,DC=pitou,DC=online; DC=ForestDnsZones,DC=pitou,DC=online;
rootDomainNamingContext: DC=pitou,DC=online;
schemaNamingContext: CN=Schema,CN=Configuration,DC=pitou,DC=online;
serverName: CN=AM0KXYLAGGL34RH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pitou,DC=online;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=pitou,DC=online;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (40): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255 = ( SET_OWNER ); 1.2.840.113556.1.4.2256 = ( BYPASS_QUOTA ); 1.2.840.113556.1.4.2309 = ( LINK_TTL ); 1.2.840.113556.1.4.2330; 1.2.840.113556.1.4.2354;
supportedLDAPPolicies (20): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxDirSyncDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='user1'; Pwd=<unavailable>; domain = 'pitou.online'}
Authenticated as: 'PITOU\user1'. --> FINALLY AUTHENTICATED
-----------
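The Step 4 configuration carries two settings that decide how much the LDAPS connection is actually protected: 'ca-cert' (the server certificate must chain to the imported CA) and 'server-identity-check' (whether the certificate name is also matched against the configured 'server' value; the article disables it because it connects by IP address, so only CA trust is verified). The following script is an added example, not part of the original article and not a Fortinet tool: it parses a 'config user ldap' block as shown in Step 4, flags entries that run in cleartext, lack a CA certificate or skip the identity check, and cross-checks the configured base DN against the defaultNamingContext that ldp.exe printed in the Results. The sample configuration text is constructed (the bind account is a placeholder), and the defaults applied to omitted settings are assumptions, as noted in the code.

```python
"""Audit FortiGate 'config user ldap' entries for secure-LDAP hygiene.

Added example, not part of the original article and not a Fortinet tool. It
parses a FortiOS CLI block like the one in Step 4 and flags settings that
weaken the LDAPS connection, then cross-checks the configured base DN against
the defaultNamingContext that ldp.exe printed in the Results.
"""
import re

# Constructed sample configuration: the first entry mirrors Step 4 (with a
# placeholder bind account), the second is deliberately left on plain LDAP.
SAMPLE_CONFIG = """\
config user ldap
    edit "Azure-LDAP"
        set server "172.190.141.131"
        set server-identity-check disable
        set cnid "mail"
        set dn "dc=pitou,dc=online"
        set type regular
        set username "bind-user@example.com"
        set password ENC <redacted>
        set secure ldaps
        set ca-cert "azure-ldaps-ca"
        set port 636
    next
    edit "Legacy-LDAP"
        set server "10.1.0.4"
        set cnid "sAMAccountName"
        set dn "dc=pitou,dc=online"
        set type regular
        set username "binduser"
        set password ENC <redacted>
    next
end
"""

# Values FortiOS applies when a setting is omitted from the block (assumed
# defaults; confirm against the CLI reference of the firmware in use).
DEFAULTS = {"secure": "disable", "port": "389", "server-identity-check": "enable"}


def parse_user_ldap(config_text):
    """Return {entry_name: {setting: value}} for every 'edit' inside 'config user ldap'."""
    entries, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user ldap":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":                      # closes the config user ldap block
            break
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def audit_entry(settings):
    """Return human-readable findings for one LDAP server entry."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    if cfg["secure"] == "disable":
        findings.append("cleartext LDAP: bind credentials and lookups are unencrypted; set 'secure ldaps'")
    if cfg["secure"] == "ldaps" and cfg["port"] != "636":
        findings.append(f"'secure ldaps' on port {cfg['port']}; LDAPS normally listens on 636")
    if cfg["secure"] != "disable" and not cfg.get("ca-cert"):
        findings.append("no 'ca-cert': the server certificate is not validated against a trusted CA")
    if cfg["server-identity-check"] == "disable":
        findings.append("server-identity-check disabled: certificate name is not matched against 'server'")
    return findings


def audit_config(config_text):
    """Audit every LDAP server entry; returns {entry_name: [findings]}."""
    return {name: audit_entry(s) for name, s in parse_user_ldap(config_text).items()}


def dn_matches_naming_context(dn, default_naming_context):
    """Compare the configured base DN with RootDSE defaultNamingContext (case- and space-insensitive)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.strip().rstrip(";").split(","))
    return norm(dn) == norm(default_naming_context)


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"[{name}]")
        for f in findings or ["no findings"]:
            print("  -", f)
    # Base DN from Step 4 versus defaultNamingContext from the ldp.exe output.
    print("base DN matches RootDSE:", dn_matches_naming_context("dc=pitou,dc=online", "DC=pitou,DC=online;"))
```

Run against a full 'show user ldap' dump, the audit lists the Step 4 entry with a single finding (the disabled identity check) and flags any entry still bound over plain LDAP on port 389. The DN check is deliberately case- and whitespace-insensitive because FortiOS stores the DN as typed while ldp.exe prints it in the directory's own casing.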