Support User Manuals

Fortinet 5.0 Patch 6 Microscope & Magnifier User Manual

Open as PDF

of 705

Fortinet 227 FortiWeb 5.0 Patch 6 Administration Guide

4. If the client authenticates successfully, the FortiWeb appliance forwards the original request

to the server.

If the client does not authenticate successfully, the FortiWeb appliance repeats its HTTP 401

Authorization Required response to the client, asking again for valid credentials.

5. Once the client has authenticated with the FortiWeb appliance, if FortiWeb applies no other

restrictions and the URL is found, it returns the web server’s reply to the client.

If the client’s browser is configured to do so, it can cache the realm along with the supplied

credentials, automatically re-supplying the user name and password for each request with a

matching realm. This provides convenience to the user; otherwise, the user would have to

re-enter a user name and password for every request.

See also

• Configuring local end-user accounts

• Configuring queries for remote end-user accounts

• Applying user groups to an authorization realm

• Grouping authorization rules

• Single sign-on (SSO)

Configuring local end-user accounts

FortiWeb can use local end-user accounts to authenticate and authorize HTTP requests to

protected web sites. For details, see “Offloading HTTP authentication & authorization” on

page 225.

To configure a local user

1. Go to User > Local User > Local User.

To access this part of the web UI, your administrator's account access profile must have

Read and Write permission to items in the Auth Users category. For details, see

“Permissions” on page 47.

2. Click Create New.

Advise users to clear their cache and close their browser after an authenticated session.

HTTP itself is stateless, and there is no way to actively log out. HTTP authentication causes

cached credentials, which persist until the cache is cleared either manually, by the user, or

automatically, when closing the browser window or tab. Failure to clear the cache could allow

unauthorized persons with access to the user’s computer to access the web site using their

credentials.

Clear text HTTP authentication is not secure. All user names and data (and, depending on

the authentication style, passwords) are sent in clear text. If you require encryption and other

security features in addition to authorization, use HTTP authentication with SSL/TLS (i.e.

HTTPS) and disable HTTP. See HTTP Service and HTTPS Service.

previous next