We had to install a Fortinet Fortigate 300C cluster. You may wish to integrate your firewall cluster into Active Directory to facilitate AD based administrative and VPN logins. This guide is based on FortiOS v4.0 MR3 Patch 8 (v4.0,build0632,120705 (MR3 Patch 8)).
Configure DNS
The first thing to do is to ensure your Fortigate's DNS is configured to point to your Active Directory servers. Go to Network -> DNS to review and edit your DNS settings.
Configure LDAP
Next, configure LDAP: go to User -> Remote -> LDAP and create a new LDAP entry. You will need one LDAP entry for each domain controller:
Windows Server uses sAMAccountName as the Common Name (CN) Identifier. Your Distinguished Name is typically your top-level AD DN. You need to do a Regular bind to AD, so you must specify a user that is allowed to query the directory. In this case the user LDAPBindFortinet was created explicitly for this purpose with a non-expiring password. The User DN is CN=LDAPBindFortinet,OU=Services,OU=FireDaemon,DC=firedaemon,DC=int. Make sure you test connectivity and that you can successfully browse the directory. If you are having trouble divining CNs and DNs, try browsing your directory with Softerra's LDAP Administrator.
Configure User Group
You will now need to create a remote authentication user group. Go to User -> User Group -> User Group, name it appropriately, then add the two Active Directory servers you created above. Your users should be members of an AD group that is permitted firewall or VPN access. In this example, the group the users are in is:
CN=FortinetUsers,OU=Groups,OU=FireDaemon,DC=firedaemon,DC=int.
You can obtain this DN by browsing the user and looking at their MemberOf attribute.
Add remote users
Lastly, you will need to add remote users (in this case, for firewall administration). Go to System -> Admin -> Administrators and add remote users.
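For reference, the same four steps as they would be entered on the FortiGate CLI. This is an added example, not taken from the original post; it is written against FortiOS 4.x CLI syntax as I know it, so check the setting names against your build. The server addresses, entry names and bind password are constructed placeholders; the bind DN, base DN and group DN are the ones used in the post. The example also goes slightly beyond the GUI walkthrough by enabling LDAPS, so the service account's password is not sent to the domain controllers in the clear.

```fortios
# Added example: CLI equivalent of the GUI steps above (FortiOS 4.x syntax).
# Server addresses, entry names and the bind password are constructed placeholders.

# One LDAP server entry per domain controller.
config user ldap
    edit "dc1-firedaemon"
        # placeholder address of the first domain controller
        set server "192.0.2.10"
        # AD logon name is the CN identifier; search base is the top-level AD DN
        set cnid "sAMAccountName"
        set dn "DC=firedaemon,DC=int"
        # regular bind with the dedicated, non-expiring service account
        set type regular
        set username "CN=LDAPBindFortinet,OU=Services,OU=FireDaemon,DC=firedaemon,DC=int"
        set password "<bind-password>"
        # LDAP over TLS so the bind credentials and queries are not sent in clear
        set secure ldaps
        set port 636
    next
    edit "dc2-firedaemon"
        # placeholder address of the second domain controller
        set server "192.0.2.11"
        set cnid "sAMAccountName"
        set dn "DC=firedaemon,DC=int"
        set type regular
        set username "CN=LDAPBindFortinet,OU=Services,OU=FireDaemon,DC=firedaemon,DC=int"
        set password "<bind-password>"
        set secure ldaps
        set port 636
    next
end

# Remote authentication group: both DCs as members, access limited to one AD group
# (the DN you read from a member's MemberOf attribute).
config user group
    edit "AD-FortinetUsers"
        set member "dc1-firedaemon" "dc2-firedaemon"
        config match
            edit 1
                set server-name "dc1-firedaemon"
                set group-name "CN=FortinetUsers,OU=Groups,OU=FireDaemon,DC=firedaemon,DC=int"
            next
            edit 2
                set server-name "dc2-firedaemon"
                set group-name "CN=FortinetUsers,OU=Groups,OU=FireDaemon,DC=firedaemon,DC=int"
            next
        end
    next
end

# Remote administrator entry: members of the group above log in with their AD
# credentials; the access profile decides what they may change once logged in.
config system admin
    edit "ad-admins"
        set remote-auth enable
        set remote-group "AD-FortinetUsers"
        set wildcard enable
        set accprofile "super_admin"
    next
end
```

Two points worth checking before relying on this: with `set secure ldaps` the FortiGate must be able to validate the domain controllers' certificates, so the issuing CA has to be trusted on the unit, and the `config match` entries are what restrict access to the FortinetUsers group rather than to every account that can bind, so verify with a test account that is not in the group that it is refused.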
You should now be able to log in to your Fortigate as a domain user: