TBC
Explorer
February 23, 2022
Solved

fortiweb sso login problem with Satisy

  • February 23, 2022
  • 2 replies
  • 6307 views

Hello,

we have a Webserver at backend with following configuration:

Ubuntu 20.04

apache 2.4

PHP 7.4

Software GLPI

Kerberos SSO

If we use the internal URL (FQDN) of the web server on a Windows PC, the user is logged in automatically.

Parameter Satisfy Any is disabled in that case!


If we use the external FortiWeb URL and enter user and password, we get this browser message:


Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


If we activate Satisfy Any in the Apache SSL config, the login with the external URL (over FortiWeb) is working after entering credentials.

But with this configuration, the login with the internal URL requires authentication.


On FortiWeb we have this Site Publish rule:

[attached image: TBC_0-1645628461541.png, screenshot of the Site Publish rule]


Can someone tell me what is wrong?

Many thanks for helping.

Best answer by ddsouza_FTNT

@TBC No problem :) HTTP Service Principal Name looks okay to me. Could you please make sure 'Delegated Realm' in the KDC server configuration is defined in capital letters?

For example...

[attached image: ddsouza_FTNT_0-1646146249728.png, screenshot of the KDC server configuration]

If it is defined in upper case and the issue still persists, then run a capture for port 88 traffic on FortiWeb. When the user sends an HTTP request containing the site publish cookie (cookiesession3) after successful authentication against site publish, FortiWeb initiates Kerberos communication with the KDC server. Let's verify the status of this Kerberos communication.

2 replies

Contributor
February 26, 2022

Hello @TBC ,


Thank you for posting to the Fortinet Community Forums. We appreciate your patience. We will have someone soon helping you with this query.

TBC (Author)
Explorer
February 28, 2022

Hello,

I have found out how the Apache configuration needs to look to get it working:

<Location />
    # Kerberos authentication via mod_auth_kerb
    AuthType Kerberos
    AuthName "SSO-Authentication"
    # realm in upper case (see the accepted answer)
    KrbAuthRealms LOCAL.COM
    # service principal as stored in the keytab; FQDN is the web server's host name
    KrbServiceName HTTP/FQDN
    Krb5Keytab /etc/krb5_ssot.keytab
    # Negotiate: silent SPNEGO login for domain-joined browsers on the internal URL
    KrbMethodNegotiate On
    # K5Passwd: also accept Basic user/password (e.g. as delegated by FortiWeb site publish) and verify it against the KDC
    KrbMethodK5Passwd On
    require valid-user
</Location>


With that one it works!

Best regards,

TBC

 
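An added example, not the poster's configuration and not Fortinet's code: a small POSIX shell linter that checks a mod_auth_kerb Location block for the settings this thread turned on (the upper-case realm from the accepted answer, KrbMethodK5Passwd On so that Basic credentials forwarded by the proxy are actually verified against the KDC, and no Satisfy Any) and prints a corrected copy. The sample block, the realm local.com, the host name web01.local.com and the keytab path are constructed for the example.

```shell
#!/bin/sh
# Added example (not the poster's or Fortinet's code): lint a mod_auth_kerb
# <Location> block for the settings this thread converged on and print a
# corrected copy. Realm, host name and keytab path below are constructed.

# Constructed input in the shape of the block posted in the thread, but with
# the three problems the thread ran into: lower-case realm, Basic/password
# validation off, and the "Satisfy Any" workaround left in.
BROKEN_CONF='<Location />
AuthType Kerberos
AuthName "SSO-Authentication"
KrbAuthRealms local.com
KrbServiceName HTTP/web01.local.com
Krb5Keytab /etc/krb5_ssot.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd Off
Satisfy Any
require valid-user
</Location>'

# get_directive CONF NAME: print the arguments of the first matching
# directive; the name match is case-insensitive, as in Apache itself.
get_directive() {
    printf '%s\n' "$1" | awk -v name="$2" '
        tolower($1) == tolower(name) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")   # drop the directive name
            print
            exit
        }'
}

# lower VALUE: fold to lower case so "On"/"on"/"ON" compare equal.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_kerb_conf CONF: print one finding per line; the exit status is the
# number of findings, so 0 means the block is consistent with the thread's
# working configuration.
check_kerb_conf() {
    conf=$1
    n=0
    realm=$(get_directive "$conf" KrbAuthRealms)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ -z "$realm" ]; then
        echo "KrbAuthRealms is missing"; n=$((n + 1))
    elif [ "$realm" != "$upper" ]; then
        # Realm names are case-sensitive; a lower-case realm will not match the KDC.
        echo "KrbAuthRealms '$realm' is not upper case (expected '$upper')"; n=$((n + 1))
    fi
    spn=$(get_directive "$conf" KrbServiceName)
    case $spn in
        HTTP/*) ;;
        *) echo "KrbServiceName '$spn' should be HTTP/<fqdn>, the principal stored in the keytab"; n=$((n + 1)) ;;
    esac
    [ "$(lower "$(get_directive "$conf" KrbMethodNegotiate)")" = on ] ||
        { echo "KrbMethodNegotiate should be On (SPNEGO for domain-joined browsers)"; n=$((n + 1)); }
    # With Basic delegation the proxy forwards a user name and password; Apache
    # only verifies those against the KDC when KrbMethodK5Passwd is On.
    [ "$(lower "$(get_directive "$conf" KrbMethodK5Passwd)")" = on ] ||
        { echo "KrbMethodK5Passwd should be On so forwarded Basic credentials are verified against the KDC"; n=$((n + 1)); }
    # "Satisfy Any" makes authentication one of two alternative gates; the
    # working block in the thread does without it.
    [ "$(lower "$(get_directive "$conf" Satisfy)")" != any ] ||
        { echo "Satisfy Any is set; the working configuration does not use it"; n=$((n + 1)); }
    return $n
}

# fix_kerb_conf CONF: print the block with the realm upper-cased,
# KrbMethodK5Passwd forced On and any Satisfy line dropped.
fix_kerb_conf() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "krbauthrealms"     { $2 = toupper($2) }
        tolower($1) == "krbmethodk5passwd" { $2 = "On" }
        tolower($1) == "satisfy"           { next }
        { print }'
}

# Stand-alone run: report the findings for the constructed block, then print the fixed block.
check_kerb_conf "$BROKEN_CONF" || echo "findings: $?"
echo "--- corrected block ---"
fix_kerb_conf "$BROKEN_CONF"
```

Feeding the file's own Location block to check_kerb_conf (for example with `check_kerb_conf "$(cat /etc/apache2/sites-enabled/glpi.conf)"`, path assumed) gives a quick consistency check before restarting Apache; the port 88 capture from the accepted answer is still the way to confirm that the KDC exchange itself succeeds.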

ddsouza_FTNT
Staff
March 1, 2022

@TBC Judging from what I've seen so far in this post thread, Auth delegation is set to "Basic Authentication" in the Fortiweb site publish configuration whereas on the Apache it is set to Kerberos. Could you please switch the Authentication delegation type in the site publish configuration to "Kerberos" and set the "Delegated HTTP Service Principal Name" and see whether the issue still persists? 

ddsouza_FTNT
Staff
March 3, 2022

@TBC No problem. Perfect! Glad to know that the issue has been resolved :)