Technical Tip: How to debug Kerberos authentication in FortiProxy

This article describes a working WAD debug flow for Kerberos authentication as an authentication method.

In this scenario, the FortiProxy has enforced a challenge to the client browser with Kerberos as an authentication method.

Kerberos Authentication Flow:

The following command can be used to capture and save the WAD debug outputs:

diagnose wad filter src <IP address>

diagnose wad debug enable category auth

diagnose wad debug enable category policy

diagnose wad debug enable category http

diagnose wad debug enable level verbose

diagnose debug application fnbamd -1

diagnose debug enable

To stop debug:

diagnose debug disable

diagnose debug reset

Example of debugging outputs.

1. The client browser sends an HTTP/1.1 connect method request toward the destination URL.
   
   

2. The connection request was interrupted by FortiProxy to challenge an HTTP/1.1 407 proxy authentication required with negotiate (Kerberos) authentication as a preferred method.
   
   

3. The client browser responds to a connect method request with a Kerberos service ticket (TGT) provided.

    

4. FortiProxy will decipher the client Kerberos service ticket (TGT) with the configured keytab to extract the user name used for the LDAP query.
   
   

5. FortiProxy to perform a proper lookup against the LDAP server for user and group membership matching.
   
   

6. Authentication result showed success, the FortiProxy allowed destination website access with an HTTP/1.1 200 OK.

Related articles:

Technical Tip: FortiGate explicit proxy authentication with Kerberos

Technical Tip: Configure FortiProxy for multidomain Kerberos authentication