Overview: FortiWeb Site Publishing allows authentication enforcement before users access backend web applications.
When SSO is enabled, authenticated users can access multiple published applications within the same SSO domain without repeated authentication prompts until the session expires.
This article provides a troubleshooting workflow for scenarios where:
Authentication fails.
Login pages do not appear.
Users are repeatedly prompted for credentials.
SSO works inconsistently across applications.
Kerberos or KCD delegation fails.
SAML authentication fails.
Backend authentication fails after successful FortiWeb authentication.
Configuration flow:
Validate the following Site Publishing configuration chain:
Remote Server
↓
Authentication Server Pool
↓
Site Publish Rule
↓
Site Publish Policy
↓
Web Protection Profile
↓
Server Policy
↓
Backend / Real Server
Validate the following GUI objects:
User -> Remote Server.
Application Delivery -> Site Publish -> Authentication Server Pool.
Application Delivery -> Site Publish -> Site Publish Rule.
Application Delivery -> Site Publish -> Site Publish Policy.
Policy -> Web Protection Profile.
Policy -> Server Policy.
Verify the following parameters:
Important notes: Values such as URL Path, Realm, SPN, Entity ID, and SAML parameters may be case-sensitive.
SSO considerations:
When SSO is enabled, FortiWeb uses the authentication method from the first matching Site Publish Rule within the same SSO domain. Avoid mixing authentication methods within the same SSO domain.
Example:
/app1 -> HTML Form Authentication.
/app2 -> HTTP Basic Authentication.
SSO enabled on both rules.
Because SSO is enabled on both rules, the authentication method of whichever rule matches first is applied to both applications, so the second application does not use its own configured method.
Recommended actions:
Use the same authentication method across applications within the same SSO domain.
Separate applications into different SSO domains when different authentication methods are required.
Disable SSO for rules that should not participate in the shared SSO workflow.
Symptom 1: Login page or authentication prompt does not appear.
Possible causes:
Site Publish Rule is not included in the Site Publish Policy.
Site Publish Policy is not selected in the Web Protection Profile.
Web Protection Profile is not applied to the Server Policy.
Published Site does not match the HTTP Host header.
URL Path does not match the request path.
Authentication Server Pool is incorrect.
URL Access Rule with action Pass takes precedence.
Validation:
Run:
curl -vk https://<FQDN>/<PATH>
curl -vk --resolve <FQDN>:443:<FORTIWEB_VIP> https://<FQDN>/<PATH>
Validate Host header matching:
curl -vk https://<FORTIWEB_VIP>/<PATH> -H "Host: <FQDN>"
If URL Access Rules are configured with the 'Pass' action, temporarily change the action to 'Continue' and re-test the authentication flow.
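As an added example that is not part of the Fortinet article, the following POSIX shell function classifies the reply to curl -sik https://<FQDN>/<PATH> (headers included; with -v they would carry a "< " prefix instead) so you can tell whether FortiWeb intercepted the request or the backend answered directly; the four sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): classify the reply to
#   curl -sik https://<FQDN>/<PATH>
# so you can tell whether FortiWeb Site Publishing intercepted the request
# or passed it to the backend. All responses below are constructed samples.

# Prints: basic-challenge (401 + WWW-Authenticate: Basic), form-login
# (200 + password form), saml-redirect (302/303 with SAMLRequest in
# Location), no-auth-enforced (200 without a login form, i.e. the backend
# answered directly) or other.
classify_response() {
    resp=$(printf '%s\n' "$1" | tr -d '\r')          # strip HTTP CRLF
    status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    headers=$(printf '%s\n' "$resp" | sed '/^$/q')    # up to first blank line
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')     # everything after it
    if [ "$status" = "401" ] && printf '%s\n' "$headers" | grep -qi '^www-authenticate: *basic'; then
        echo basic-challenge
    elif [ "$status" = "302" ] || [ "$status" = "303" ]; then
        printf '%s\n' "$headers" | grep -qi '^location:.*SAMLRequest=' && echo saml-redirect || echo other
    elif [ "$status" = "200" ]; then
        printf '%s\n' "$body" | grep -qi '<form' && printf '%s\n' "$body" | grep -qi 'type="password"' \
            && echo form-login || echo no-auth-enforced
    else
        echo other
    fi
}

# Constructed sample responses, one per case
SAMPLE_BASIC='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="app2"'
SAMPLE_FORM='HTTP/1.1 200 OK
Content-Type: text/html

<form method="POST" action="/app1"><input name="username"><input name="password" type="password"></form>'
SAMPLE_SAML='HTTP/1.1 302 Found
Location: https://idp.example.com/saml/sso?SAMLRequest=constructedSample&RelayState=%2Fapp3'
SAMPLE_BACKEND='HTTP/1.1 200 OK
Content-Type: text/html

<html><body>Intranet portal served by the backend, no FortiWeb prompt</body></html>'

for s in "$SAMPLE_BASIC" "$SAMPLE_FORM" "$SAMPLE_SAML" "$SAMPLE_BACKEND"; do
    classify_response "$s"
done
```

A no-auth-enforced result for a path that should be protected points at the policy chain or a URL Access Rule with the Pass action, as listed under Possible causes above.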
Symptom 2: Authentication fails.
Possible causes:
Incorrect credentials.
LDAP or RADIUS server unreachable.
Incorrect LDAP Bind DN or Base DN.
Incorrect RADIUS shared secret.
LDAPS certificate validation issue.
Authentication timeout.
Backend delegation failure.
Connectivity validation:
execute ping <AUTH_SERVER_IP>
execute traceroute <AUTH_SERVER_IP>
LDAP and RADIUS validation:
User -> Remote Server -> LDAP Server -> Test LDAP.
User -> Remote Server -> RADIUS Server -> Test RADIUS.
Backend validation:
curl -vk https://<BACKEND_FQDN>/<PATH>
Primary Site Publishing debug:
diagnose debug reset
diagnose debug duration 10
diagnose debug flow filter module-detail site-publish 7
diagnose debug flow filter flow-detail 0
diagnose debug flow trace start
diagnose debug timestamp enable
diagnose debug enable
Reproduce the issue.
Stop debug:
diagnose debug flow trace stop
diagnose debug reset
Full HTTP/WAF flow debug:
diagnose debug reset
diagnose debug duration 10
diagnose debug timestamp enable
diagnose debug flow filter client-ip <CLIENT_IP>
diagnose debug flow filter server-ip <VIP_OR_BACKEND_IP>
diagnose debug flow filter server-port 443
diagnose debug flow filter flow-detail 7
diagnose debug flow filter HTTP-detail 7
diagnose debug flow filter module-detail site-publish 7
diagnose debug flow trace start
diagnose debug enable
Verify active debug filters:
diagnose debug info
Stop debug:
diagnose debug flow trace stop
diagnose debug reset
Packet capture examples:
Client to FortiWeb:
diagnose network sniffer any "host <CLIENT_IP> and host <FORTIWEB_VIP> and tcp port 443" 3 1000
FortiWeb to backend:
diagnose network sniffer any "host <BACKEND_IP> and tcp port 443" 3 1000
FortiWeb to LDAP / LDAPS:
diagnose network sniffer any "host <LDAP_IP> and tcp port 389" 3 1000
diagnose network sniffer any "host <LDAPS_IP> and tcp port 636" 3 1000
FortiWeb to RADIUS:
diagnose network sniffer any "host <RADIUS_IP> and udp port 1812" 3 1000
Expected debug examples:
LDAP unavailable:
[SP: MAIN][WARN]:
LDAP server is down by health check, authentication failed
Interpretation:
FortiWeb cannot communicate with the LDAP server.
Verify:
Authentication failure:
[SP: MAIN][DBG]:
fail to auth [401]
Interpretation:
The authentication server is reachable, but authentication failed.
Verify:
Username format.
Password.
Token format.
LDAP group membership.
RADIUS policies.
Kerberos / KCD failure:
[SP: MAIN][ERR]:
fail to AS of KCD
Interpretation:
Kerberos delegation failed.
Verify:
SPN.
KDC reachability.
Realm format.
Keytab configuration.
DNS resolution.
Time synchronization.
SAML troubleshooting:
Validate:
SAML Server object.
Entity ID.
ACS URL.
Certificates.
IdP metadata.
SP metadata.
User attribute mapping.
Time synchronization.
After modifying the SAML configuration:
Regenerate Service Provider metadata.
Reimport metadata into the IdP.
Retest authentication.
RADIUS / 2FA recommendations:
For 2FA authentication, use:
Client Authentication Method: HTML Form Authentication.
Avoid HTTP Basic Authentication for 2FA workflows.
Kerberos / KCD validation:
Validate:
Kerberos validation example:
krb_test -h <BACKEND_IP_OR_FQDN> -s <HTTP_SPN> -u USER@DOMAIN.COM -p '<PASSWORD>'
Expected result:
HTTP/1.1 200 OK
Authentication timeout adjustment:
If authentication server responses are delayed, increase the authentication timeout temporarily.
config system global
set auth-timeout 10000
end
Notes:
This configuration should be used as a temporary mitigation while investigating latency or authentication server performance issues.
Troubleshooting summary:
Login page does not appear:
Verify policy chain.
Verify Published Site and URL Path.
Verify URL Access Rule behavior.
Authentication fails:
Verify credentials.
Verify LDAP or RADIUS connectivity.
Verify authentication server configuration.
Repeated authentication prompts:
Verify SSO configuration.
Verify authentication method consistency.
Verify backend authentication behavior.
SAML issues:
Verify metadata.
Verify certificates.
Verify Entity ID and ACS URL.
Verify time synchronization.
Kerberos / KCD issues:
Verify SPN.
Verify Realm.
Verify DNS.
Verify KDC reachability.
Verify delegation configuration.