duenlim
Staff
August 17, 2022

Technical Tip: Issue on keytab when configuring Kerberos authentication with a FortiProxy

Description

This article describes how to encode the keytab to Base64 when configuring Kerberos authentication.
Scope

Cases where the keytab cannot be configured by following the guidelines at:

https://docs.fortinet.com/document/fortiproxy/2.0.2/fortiproxy-authentication-guide/314108/configuration-examples

Solution
  1. Use certutil (a native tool on Windows Server 2016) to encode the fortifpx.keytab file to Base64; the output is used for the FortiProxy keytab.

 

certutil -encode <keytab> <encode-file-name>

 

For example, on Windows Server:


C:\Users\Administrator>certutil -encode fpxkvm.keytab fpxkvm-base64

 

Note.

Open the encoded output (fpxkvm-base64) with Notepad to retrieve the content.

The following will be visible.

 

-----BEGIN CERTIFICATE-----
BQIAAAA4AAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1rMS5jb20AAAABAAAA
AAMAAQAIdmSMihnZGT0AAAA4AAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1r
MS5jb20AAAABAAAAAAMAAwAIdmSMihnZGT0AAABAAAIAB01LMS5DT00ABEhUVFAA
EGZvcnRpZnB4Lm1rMS5jb20AAAABAAAAAAMAFwAQFvRuHGNyZDrYZRwGKhKpuwAA
AFAAAgAHTUsxLkNPTQAESFRUUAAQZm9ydGlmcHgubWsxLmNvbQAAAAEAAAAAAwAS
ACDguExSNSVB9O1FD+S5OTGulRfPDBi0YelL/s152baiJAAAAEAAAgAHTUsxLkNP
TQAESFRUUAAQZm9ydGlmcHgubWsxLmNvbQAAAAEAAAAAAwARABAhcLODf38dBzNW
C3HL7WuV
-----END CERTIFICATE-----

 

Note.

The content of the encoded output, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, will be configured as the keytab.

 

  2. Apply the keytab to FortiProxy:

 

config user krb-keytab

fortifpx (krb-keytab) # edit http_service
new entry 'http_service' added

fortifpx (http_service) # set principal HTTP/fortifpx.mk1.com@MK1.COM

fortifpx (http_service) # set ldap-server LDAP

fortifpx (http_service) # set keytab "BQIAAAA4AAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1rMS5jb20AAAABAAAAAAMAAQAIdmSMihnZGT0AAAA4AAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1rMS5jb20AAAABAAAAAAMAAwAIdmSMihnZGT0AAABAAAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1rMS5jb20AAAABAAAAAAMAFwAQFvRuHGNyZDrYZRwGKhKpuwAAAFAAAgAHTUsxLkNPTQAESFRUUAAQZm9ydGlmcHgubWsxLmNvbQAAAAEAAAAAAwASACDguExSNSVB9O1FD+S5OTGulRfPDBi0YelL/s152baiJAAAAEAAAgAHTUsxLkNPTQAESFRUUAAQZm9ydGlmcHgubWsxLmNvbQAAAAEAAAAAAwARABAhcLODf38dBzNWC3HL7WuV"

 

Note:

Make sure the encoded content is 'word wrap'. Starting from v7.2.x, there is no need to convert the keytab file to Base64.
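
Before pasting the value into set keytab, it helps to confirm that the Base64 text decodes to a keytab for the principal being configured. The following Python check is an added example, not part of the original article or of Fortinet tooling: it strips the certutil header, footer and line wraps, parses the keytab (file format 0x0502) and reports principal, kvno and encryption type per entry. The function names, the EXAMPLE.TEST realm and the sample keytab with all-zero dummy keys are constructed for illustration.

```python
import base64, struct

DEPRECATED = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # RFC 6649, RFC 8429

def strip_certutil(text):
    """Drop the -----BEGIN/END CERTIFICATE----- lines and join the wrapped Base64."""
    return "".join(r.strip() for r in text.splitlines() if not r.strip().startswith("-----"))

def _counted(buf, pos):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(b64):
    """Return [(principal, kvno, etype)] from a Base64 keytab, file format 0x0502."""
    data = base64.b64decode(b64, validate=True)
    if data[:2] != b"\x05\x02":
        raise ValueError("not a keytab (expected version bytes 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        entry, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                    # negative size marks a deleted entry
            continue
        parts, p = [], 2
        # Entry starts with the component count; realm comes first, then each component.
        for _ in range(struct.unpack_from(">H", entry, 0)[0] + 1):
            part, p = _counted(entry, p)
            parts.append(part.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", entry, p)
        _key, p = _counted(entry, p + 11)
        if len(entry) - p >= 4:          # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", entry, p)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
    return entries

def check(certutil_text, principal):
    """Return (single-line value for 'set keytab', list of findings)."""
    b64 = strip_certutil(certutil_text)
    ents = parse_keytab(b64)
    bad = [f"principal mismatch: {p}" for p, _, _ in ents if p != principal]
    bad += [f"deprecated enctype {DEPRECATED[e]} (kvno {k})" for _, k, e in ents if e in DEPRECATED]
    return b64, bad

def sample_certutil_output():
    """Constructed input: one principal, all-zero dummy keys, kvno 3, wrapped like certutil."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    name = struct.pack(">H", 2) + cs(b"EXAMPLE.TEST") + cs(b"HTTP") + cs(b"proxy.example.test")
    ents = [name + struct.pack(">IIBH", 1, 0, 3, et) + cs(bytes(n)) for et, n in ((23, 16), (18, 32))]
    b64 = base64.b64encode(b"\x05\x02" + b"".join(struct.pack(">i", len(e)) + e for e in ents)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Call check() with the text of the certutil output file and the principal used in set principal; the first return value is the single-line string for set keytab. The Base64 text is only an encoding of the keytab, so the encoded file carries the same service keys as the original.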