FortiGate
saleha
Staff
Article Id 336440
Description

Explicit proxy authentication is a common deployment where users have to authenticate to a proxy server before they can access the allowed resources. The configuration is sophisticated and can be difficult to troubleshoot depending on the issue at hand. This article describes a case where the explicit proxy authentication passes, but the browser shows a certificate error and the User Monitor shows the group field as empty.

 

An example of an explicit proxy deployment with Kerberos is described in the following article:
Technical Tip: FortiGate explicit proxy authentication with Kerberos

 

In this scenario, user authentication seems to pass, but 'User Monitor' shows the group name blank or empty. The browser (assuming HTTP is used in the authentication rule) also shows a warning about the certificate, and if the user proceeds, access fails due to the certificate error.

If the certificate in the browser is inspected, it will show a 'Fortinet Factory' certificate instead of the certificate the admin has installed on the firewall to trust the FQDN for the explicit proxy.

Scope
FortiGate - Explicit Proxy.
Solution
  • Although the user is denied access, which can be attributed to other factors or settings, the user account appearing in the User Monitor means that the Kerberos ticket and authentication were successful.

The certificate error in this case is caused by the untrusted certificate configured by default under the 'web-proxy global' config menu:

 

config web-proxy global
    set ssl-cert "Fortinet_Factory"
    set ssl-ca-cert "Fortinet_CA_SSL"
    ……………………………………………………….
end

 

  • Changing the certificate (and, if needed, the CA certificate) should allow the user to complete the authentication with the group name detected and to access the resources after a successful login; the browser should then present the correct certificate.
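The quickest way to confirm the fix took effect is to look at the certificate the proxy actually presents. The following is an added example (not part of the article) that fetches the leaf certificate with openssl, extracts its subject CN and compares it with the FQDN the admin installed; the host, port and FQDN are assumed placeholder values, and treating "Fortinet" in the subject as a sign of the factory certificate is an assumption, not documented behaviour.

```shell
# Print the CN from a "subject=..." line as emitted by 'openssl x509 -noout -subject'.
# Handles both the "CN = host" and the older "/CN=host" layouts.
subject_cn() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/ *$//'
}

# Return 0 when the presented CN equals the expected proxy FQDN, 1 otherwise.
cert_matches_fqdn() {
    [ "$1" = "$2" ]
}

# Classify a subject line as "ok", "factory" or "mismatch".
# A CN that is not the proxy FQDN means the default 'web-proxy global'
# ssl-cert is still in use; the "Fortinet" check is an assumed heuristic.
classify_subject() {
    subject_line="$1"; expected="$2"
    cn=$(printf '%s\n' "$subject_line" | subject_cn)
    if cert_matches_fqdn "$cn" "$expected"; then
        echo ok
    elif printf '%s' "$subject_line" | grep -q Fortinet; then
        echo factory
    else
        echo mismatch
    fi
}

# Fetch the leaf certificate subject from the live proxy (needs network access).
fetch_proxy_subject() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Usage (assumed values): check_proxy_cert proxy.example.com 8080 proxy.example.com
check_proxy_cert() {
    subject=$(fetch_proxy_subject "$1" "$2" "$3")
    result=$(classify_subject "$subject" "$3")
    case "$result" in
        ok) echo "OK: proxy presents a certificate for $3" ;;
        *)  echo "WARNING ($result): $subject"
            echo "Check 'config web-proxy global' -> set ssl-cert / set ssl-ca-cert" ;;
    esac
}
```

Run check_proxy_cert against the FQDN and port the authentication rule redirects to; a "factory" or "mismatch" result means the ssl-cert setting above still needs changing.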

  • Other possible causes when the user group lookup or Kerberos authentication fails in an explicit-proxy deployment are covered in the following article:

Troubleshooting Tip: Kerberos proxy-authentication and group lookup

 

  • To run a live debug while troubleshooting explicit-proxy authentication, the following WAD debug commands are recommended:

dia wad filter src <IP address>
dia wad debug en cat auth
dia wad debug en cat <auth or policy>   <- Only used for a single filter, not both. Use 'dia wad debug en all' instead if not sure about the filter.
dia wad debug en level verbose
dia de en