Jasys
Explorer
February 2, 2026
Question

KERBEROS Authentication for Explicit Proxy rule fails

  • February 2, 2026
  • 5 replies
  • 407 views

Have set everything up as described in this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-explicit-proxy-authentication-with/ta-p/206219

 

Have even tried it 3 times! Everything is set up, but when I use a browser with the proxy address (in Firefox) I get "the proxy server is refusing connections". If I change the auth method and rules to simple LDAP, it works fine: I can log in and then browse, test web filters, etc.

 

klist on the box I'm testing from:

#5> Client: myusername@mydomain.net
Server: LDAP/*****************
KerbTicket Encryption Type: AE
Ticket Flags 0x40a50000 -> for
ate name_canonicalize
Start Time: 2/2/2026 10:08:19
End Time: 2/2/2026 20:08:19
Renew Time: 2/9/2026 10:08:19
Session Key Type: AES-256-CTS-
Cache Flags: 0
Kdc Called: *****************

 

Have also recreated the keytab successfully twice. I really thought this would be simple! LDAP connection is fine and tested. Any pointers, please?

 

5 replies

Jean-Philippe_P
Staff & Editor
February 5, 2026

Hello Jasys, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
February 6, 2026

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
February 9, 2026

Hello again Jasys,

 

I found this solution. Can you tell us if it helps, please?

 

To troubleshoot the issue with Kerberos authentication for the explicit proxy rule, let's break down the potential areas where the problem might be occurring:

 

1. Kerberos Configuration:

  • Keytab File: Ensure that the keytab file is correctly configured and associated with the FortiGate. The principal name in the keytab should match the service principal name (SPN) used by the FortiGate.
  • Encryption Type: Verify that the encryption type used in the keytab file is supported by both the client and the FortiGate. The context mentions enabling AES256-SHA1 encryption on the service account, which should be reflected in the keytab.

2. FortiGate Configuration:

  • Authentication Scheme: Double-check the configuration of the authentication scheme. Ensure that the method is set to negotiate and that the correct keytab is specified.

    config authentication scheme
        edit "KRB2"
            set method negotiate
            set negotiate-ntlm disable
            set kerberos-keytab "service_fortigate2"
        next
    end

 

  • Proxy Policy: Ensure that the explicit proxy policy is correctly configured to use the Kerberos authentication scheme.

    config firewall proxy-policy
        edit 1
            set name "KRB2_policy"
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set schedule "always"
            set logtraffic disable
            set groups "KRB"
        next
    end

 

3. Client-Side Configuration:

  • Browser Settings: Ensure that the browser is configured to use the FortiGate as a proxy and that the correct port is specified (e.g., 8080).
  • Kerberos Tickets: Use the klist command to verify that the client has obtained the correct Kerberos tickets. The ticket should be for the HTTP service on the FortiGate.

4. Debugging:

  • WAD Debug Logs: Use the WAD debug logs to identify any errors during the Kerberos authentication process. The command to obtain these logs is:

    diagnose wad filter process-id-by-src <IP_address_of_client>
    diagnose wad debug enable level verbose
    diagnose wad debug enable category auth
    diagnose wad debug enable category http
    diagnose debug console timestamp enable
    diagnose debug enable

 

Final steps and follow-ups:

  • Cross-Check Configurations: Revisit each configuration step to ensure no detail is overlooked.
  • Consult Documentation: Refer to the Fortinet documentation for any additional configuration details or updates.
  • Community and Support: If the issue persists, consider reaching out to Fortinet support or community forums for further assistance.

 

If these steps do not resolve the issue, it may be beneficial to provide specific error messages from the WAD debug logs for more targeted troubleshooting.

Jean-Philippe - Fortinet Community Team
tbarua
Staff
February 9, 2026

Hi Jasys, 

Please run the commands mentioned in the KB on the FortiGate; the logs will show the exact issue.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-explicit-proxy-authentication-with/ta-p/206219

Jasys (Author)
Explorer
February 21, 2026

Turned out it was blinking NTP! Thanks all! The gate and the time source were the same, but the gate was using FortiGuard NTP. I switched it to the server, and it seemed to fix it. Strange!
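Two of the checks above are easy to get wrong by eye: whether the keytab really carries the SPN the browser will request (HTTP/ followed by the exact proxy host name the client resolves) with an AES key, and whether the FortiGate's clock is inside the Kerberos skew window, which is what the NTP change fixed. The script below is an added example for this thread, not FortiGate or Fortinet code. It parses an MIT-format keytab (the format ktpass and ktutil write) to list each principal's encryption type and kvno, flags a missing SPN or an RC4-only key, and applies the default 5-minute clock-skew tolerance. The realm, host names, key bytes and timestamps are constructed placeholders, not values from the thread.

```python
"""Added pre-flight checks for FortiGate explicit-proxy Kerberos auth (example code)."""
import struct
from datetime import datetime, timedelta, timezone

# Kerberos encryption-type numbers from the IANA registry (RFC 3961/3962/4757)
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES_ETYPES = {17, 18}
MAX_SKEW = timedelta(minutes=5)   # default KDC clock-skew tolerance (MIT and Windows)


def _octets(buf: bytes, off: int):
    """Read a keytab counted_octet_string (uint16 length + bytes); return (data, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Parse a version 0x0502 keytab into dicts of principal, etype, kvno and key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _octets(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _octets(data, off)
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "etype": etype, "kvno": kvno, "keylen": len(key)})
        off = end
    return entries


def check_keytab(data: bytes, expected_spn: str):
    """Return a list of problems (empty means OK) for the SPN the browser will request."""
    entries = parse_keytab(data)
    match = [e for e in entries if e["principal"].lower() == expected_spn.lower()]
    if not match:
        have = sorted({e["principal"] for e in entries})
        return [f"no entry for {expected_spn}; keytab has {have}"]
    if not any(e["etype"] in AES_ETYPES for e in match):
        names = sorted(ETYPE_NAMES.get(e["etype"], str(e["etype"])) for e in match)
        return [f"{expected_spn} has no AES key, only {names}"]
    return []   # kvno is reported in the entries so it can be compared with AD's msDS-KeyVersionNumber


def clock_skew_ok(kdc_time: datetime, proxy_time: datetime, max_skew=MAX_SKEW) -> bool:
    """The KDC and service reject authenticators whose timestamp is off by more than max_skew."""
    return abs(kdc_time - proxy_time) <= max_skew


# ---- constructed sample data: placeholder realm/hosts, zero-filled keys ----
def _cos(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(principal: str, etype: int, kvno: int, key: bytes) -> bytes:
    """Serialise one entry in the layout parse_keytab() reads (name_type 1 = NT-PRINCIPAL)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm.encode())
    for c in comps:
        body += _cos(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">H", etype) + _cos(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SPN = "HTTP/fortigate.mydomain.net@MYDOMAIN.NET"            # placeholder proxy FQDN and realm
GOOD_KEYTAB = b"\x05\x02" + build_keytab_entry(SPN, 18, 3, bytes(32))
RC4_ONLY_KEYTAB = b"\x05\x02" + build_keytab_entry(SPN, 23, 3, bytes(16))          # ktpass run with RC4-HMAC-NT
WRONG_SPN_KEYTAB = b"\x05\x02" + build_keytab_entry("HTTP/fortigate@MYDOMAIN.NET", 18, 3, bytes(32))  # short name, not FQDN
KDC_TIME = datetime(2026, 2, 2, 10, 8, 19, tzinfo=timezone.utc)                    # constructed
PROXY_TIME_DRIFTED = KDC_TIME + timedelta(minutes=7)                               # outside the window
PROXY_TIME_SYNCED = KDC_TIME + timedelta(seconds=40)                               # inside the window

if __name__ == "__main__":
    for label, kt in [("good", GOOD_KEYTAB), ("rc4-only", RC4_ONLY_KEYTAB), ("wrong-spn", WRONG_SPN_KEYTAB)]:
        print(label, check_keytab(kt, SPN) or "OK", parse_keytab(kt))
    print("drifted clock accepted:", clock_skew_ok(KDC_TIME, PROXY_TIME_DRIFTED))
```

To use it against a real keytab, read the file produced by ktpass and pass the SPN exactly as the browser will build it: the host part must match the proxy name configured in the client, so a keytab for the short host name will not serve a client that was given the FQDN (or vice versa). The skew function takes two timestamps; compare the FortiGate's clock with a domain controller's, since a proxy synced to a different NTP source than the KDC can drift past the 5-minute window even when both sources are individually accurate.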

tbarua
Staff
February 23, 2026

Hi Jasys, 

 

Thank you for the information, and I'm glad to know that it is resolved now.