Fortinet 226 FortiWeb 5.0 Patch 6 Administration Guide
3. Configure authorization rules for each user group. See “Applying user groups to an
authorization realm” on page 238.
4. Group authorization rules into an authorization policy. See “Grouping authorization rules” on
page 240.
5. Select the authorization policy in an inline protection profile. See “Configuring a protection
profile for inline topologies” on page 468.
6. Select the inline protection profile in a server policy. See “Configuring a server policy” on
page 483.
When you have configured HTTP authentication
1. If the client’s initial request does not already include an Authorization: header, the
FortiWeb appliance replies with an HTTP 401 response (reason phrase Unauthorized; often
displayed as Authorization Required). The response includes a WWW-Authenticate: header
that indicates which authentication scheme the client must use (basic, digest, or NTLM) and
the name of the realm (usually the name, such as “Restricted Area”, of a set of URLs that can
be accessed using the same set of credentials).
2. The browser then prompts its user to enter a user name and password. (The prompt may
include the name of the realm, in order to indicate to the user which login is valid.) The
browser includes the user-entered info in the Authorization: field of the HTTP header
when repeating its request.
Figure 35: An HTTP authentication prompt in the Google Chrome browser
Valid user name formats vary by the authentication server. For example:
• For a local user, enter a user name in the format username.
• For LDAP authentication, enter a user name in the format required by the directory’s
schema, which varies but could be a user name in the format username or an email
address such as username@example.com.
• For NTLM authentication, enter a user name in the format DOMAIN/username.
3. The FortiWeb appliance compares the supplied credentials to:
• the locally defined set of user accounts
• a set of user objects in a Lightweight Directory Access Protocol (LDAP) directory
• a set of user objects on a Remote Authentication Dial-In User Service (RADIUS)
server
• a set of user accounts on an NT LAN Manager (NTLM) server
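The three-step exchange above (401 challenge, browser-supplied Authorization: header, credential check against the local user store), as an added example that is not part of the FortiWeb guide or product code. It models only the basic scheme; digest and NTLM are not shown. The request/response dictionaries, the realm string and the user store are constructed for illustration.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed local user store (illustration only, not real credentials).
# A real appliance stores password hashes, never plaintext.
LOCAL_USERS: Dict[str, str] = {"alice": "correct horse battery staple"}

# Realm name shown in the browser prompt (assumed value, as in the guide's example).
REALM = "Restricted Area"


def challenge_response(realm: str) -> dict:
    """Step 1: no (or unacceptable) Authorization header -> 401 with WWW-Authenticate."""
    return {
        "status": 401,
        "headers": {"WWW-Authenticate": f'Basic realm="{realm}"'},
        "body": "",
    }


def build_authorization_header(username: str, password: str) -> str:
    """Step 2: what the browser sends after prompting the user (basic scheme)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>'; return None for anything malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")  # password may itself contain ':'
    return username, password


def check_local_user(username: str, password: str) -> bool:
    """Step 3 against the local user store.

    Uses a constant-time comparison, and performs a dummy comparison for
    unknown users so response timing does not reveal which names exist.
    """
    expected = LOCAL_USERS.get(username)
    if expected is None:
        hmac.compare_digest(password.encode("utf-8"), b"x" * 32)
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def handle_request(headers: Dict[str, str]) -> dict:
    """Server side of the exchange for one request."""
    auth = headers.get("Authorization")
    if auth is None:
        return challenge_response(REALM)
    creds = parse_basic_credentials(auth)
    if creds is None or not check_local_user(*creds):
        # Wrong or unparseable credentials: re-issue the same challenge rather
        # than a distinct error that would reveal which part failed.
        return challenge_response(REALM)
    return {"status": 200, "headers": {}, "body": f"welcome {creds[0]}"}


if __name__ == "__main__":
    first = handle_request({})
    print(first["status"], first["headers"])
    retry = handle_request(
        {"Authorization": build_authorization_header("alice", LOCAL_USERS["alice"])}
    )
    print(retry["status"], retry["body"])
```

The basic scheme only base64-encodes the credentials, so this exchange must run over TLS; otherwise step 2 hands the password to anyone on the path. Note also that the server re-challenges on bad credentials instead of returning 403, which is what lets the browser prompt again.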