FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Explicit proxy authentication is common deployment where users have to authenticate to a proxy server before in order to access the allowed resources. The configuration is sophisticated and can be difficult to troubleshoot depending on the isssue in hand. This article describes a case where the explicit proxy authentication passes, but the browser shows a certificate error and the user monitor shows the group field as empty.
In a scenario where user authentication seems to be passing, however 'User Monitor' shows the groupname blank or empty. Also the browser – assuming HTTP is used in the authentication rule – shows a warning about the certificate and if the user proceeds the access will fail due to certificate error.
If the certificate on the browser is inspected it will show a 'Fortinet Factory' certificate instead of the certificate the admin has installed on the firewall to trust the FQDN for explicit proxy.
Scope
FortiGate - Explicit Proxy.
Solution
While the user has denied access, it can be attributed to other factors or settings, when the user account shows on the user monitor that means the Kerberos ticket and authentication are successful.
A certificate error in this case is relevant to the untrusted certificate configured by default under the 'web-proxy global' config menu:
config web-proxy global
set ssl-cert "Fortinet_Factory"
set ssl-ca-cert "Fortinet_CA_SSL"
……………………………………………………….
end
Changing the certificate and if needed the CA certificate should allow the user to: complete the authentication with the detection of the groupname, and access the resources after successful login and the browser should present the correct certificate.
Reference for other possibilities when the usergroup or Kerberos authentication failed in an explicit-proxy deployment can be found at the following article link:
To run live debug while troubleshooting explicit-proxy authentication WAD debug commands are recommended:
diagnose wad filter src <IP address>
diagnose wad debug enable cat auth
diagnose wad debug enable cat <auth or policy> ß <----- Only used for single filter, not both. Use 'diagnose wad debug enable all' instead, if not sure about the filter.
