Wurstsalat
Explorer
April 20, 2022
Solved

FortiOS explicit Proxy Kerberos Authentication High Availability/Failover Setup

  • April 20, 2022
  • 3 replies
  • 3151 views

Hi there,

After we resolved our problem with the general functionality of Kerberos Auth and explicit Proxy (Solved: Re: FortiOS 6.0 Explicit Proxy Kerberos problem - Fortinet Community), we thought about how to get a failover/HA setup, while all of our domain controllers can be used as KDC.

We followed these steps: Handbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library, with the additional steps from the thread mentioned above. We have also read this Technical Tip : Configuring FortiProxy Kerberos au... - Fortinet Community

But in all examples and handbooks we are aware of, there is this part of the config:

config user krb-keytab
    edit "http_service"
        set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL" <<< Same as the principal name in the ktpass command on Windows Server
        set ldap-server "dc01" <<< the defined ldap server for authorization
        set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <<< base64 encoded keytab data, created in step 5 of general setup
    next
end

Have a look at the red highlight. We can only define one LDAP server, no second one, no backup, nothing. So if this single server fails, the whole thing is broken.

So how do we fix this single point of failure? Any ideas?

Thanks in advance

Best answer by aahmadzada

Hi,

Under the LDAP Server, you can define primary and secondary LDAP servers.

So your LDAP server entry will have two LDAP servers:

Primary
Secondary

Ahmad

3 replies

pminarik
Staff
April 20, 2022

You can configure up to three server-addresses in the LDAP server object's configuration (CLI-only): set secondary-server + set tertiary-server.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Secondary-LDAP-server-IP-configuration/ta-p/196248
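As an added example (not configuration from this thread or from Fortinet's documentation), here is the single-server LDAP object from the question beside an HA version using the secondary-server and tertiary-server settings pminarik points to. The IP addresses, base DN, service account and the LDAPS settings are constructed assumptions; only the krb-keytab principal comes from the question, and the keytab value is a placeholder.

```fortios
# Before: one LDAP server. The krb-keytab object can only reference one
# ldap-server object, so if dc01 is down the authorization lookup that follows
# the accepted Kerberos ticket fails, even though any DC can act as KDC.
config user ldap
    edit "dc01"
        set server "10.0.0.11"
        set cnid "sAMAccountName"
        set dn "DC=mt-test,DC=local"
        set type regular
        set username "CN=svc_ldap,OU=Service Accounts,DC=mt-test,DC=local"
        set password "<service-account-password>"
    next
end

# After: the same object carries three addresses (CLI-only settings), so the
# FortiGate falls back to the secondary and tertiary servers when the primary
# does not answer. The object is named after the realm rather than a host, as
# the last reply suggests, because it no longer represents a single server.
# LDAPS (assumption, not from the thread) keeps the bind credentials off the
# wire in clear text.
config user ldap
    edit "mt-test.local"
        set server "10.0.0.11"
        set secondary-server "10.0.0.12"
        set tertiary-server "10.0.0.13"
        set cnid "sAMAccountName"
        set dn "DC=mt-test,DC=local"
        set type regular
        set username "CN=svc_ldap,OU=Service Accounts,DC=mt-test,DC=local"
        set password "<service-account-password>"
        set secure ldaps
        set port 636
    next
end

# The keytab object only needs to point at the new object name.
config user krb-keytab
    edit "http_service"
        set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL"
        set ldap-server "mt-test.local"
        set keytab "<base64 keytab created with ktpass>"
    next
end
```

`diagnose test authserver ldap mt-test.local <user> <password>` exercises the bind from the CLI; to confirm the failover actually works, run it again while the primary DC is unreachable (for example during its maintenance window) and verify the lookup still succeeds.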

Wurstsalat
Explorer
April 20, 2022

Thanks @pminarik @aahmadzada

A bit confusing that most examples (and the handbook) talk about config user ldap and then "edit" servername instead of domain name/realm, which makes much more sense when there's a second and third server that can be defined. Thanks again for pointing me in the right direction.