kaman
Staff
Article Id 421349
Description


This article describes the steps needed to resolve the Kerberos authentication error 'No key table entry found for HTTP/fortiproxy'.

Scope


FortiGate, FortiProxy.

Solution


Kerberos authentication fails if the FortiGate device is unable to find the appropriate key for the required principal.

While initiating a Kerberos-authenticated connection, the WAD debug output displays the following error:

[p:4064][s:1824082367][r:50334565] wad_krb_err_print :70 minor error <1> No key table entry found for HTTP/fortiproxy-test.rc2.med@AW.COM
[p:4064][s:1824082367][r:50334565] wad_negotiate_del_ctx :927 release krb nego output buffer:0
[p:4064][s:1824082367][r:50334565] wad_nego_authenticate :271 Error occurred during krb authentication.
[p:4064][s:1824082367][r:50334565] wad_http_auth_status_proc :11581 authenticate result=failure
[p:4064][s:1824082367][r:50334565] __wad_http_build_replmsg_resp :773 Generating replacement message. 407 error repmsg_id 16

To fix this issue, delete the current keytab on the FortiGate and create a fresh one on the server using the ktpass command.


ktpass -princ HTTP/test.rc2.med@AW.COM -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

Note that <user> in this command is the service account created in Active Directory, and <password> is the password of that account.

Use the command below to verify that the keytab has been imported and decoded correctly:


fnsysctl ls -la /tmp/kt
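
An offline check of the generated keytab against the principal named in the WAD error, added here as an example (it is not from the original article and is not Fortinet tooling). It assumes the file uses the MIT keytab format version 0x0502; the function names, the sample keytab (zero-filled key) and the sample log line are constructed for illustration.

```python
import re
import struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from MIT keytab (0x0502) bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # hole left by a deleted entry: skip it
            pos -= size
            continue
        rec, off = data[pos:pos + size], 2
        pos += size
        def counted():                # uint16 length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off].decode()
        (ncomp,) = struct.unpack_from(">H", rec)   # name components, realm excluded
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        off += 8                      # skip name type and timestamp
        kvno = rec[off]               # 8-bit key version number
        enctype, keylen = struct.unpack_from(">HH", rec, off + 1)
        off += 5 + keylen
        if len(rec) - off >= 4:       # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, enctype))
    return entries

def missing_principal(wad_line, keytab):
    """Principal named in the WAD error if the keytab lacks it, else None."""
    m = re.search(r"No key table entry found for (\S+)", wad_line)
    have = {p for p, _, _ in parse_keytab(keytab)}
    return m.group(1) if m and m.group(1) not in have else None

def sample_entry(principal, kvno, enctype, key):   # builds constructed test data
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed samples: one aes256 (enctype 18) entry with a zero key, one WAD line
SAMPLE_KEYTAB = b"\x05\x02" + sample_entry("HTTP/test.rc2.med@AW.COM", 3, 18, bytes(32))
SAMPLE_LOG = "minor error <1> No key table entry found for HTTP/fortiproxy-test.rc2.med@AW.COM"
```

To check a real file, pass `open("fgt.keytab", "rb").read()` as the keytab argument before importing it on the FortiGate. The keytab holds the service account's long-term keys, so handle it like a password.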

 

The FortiGate GUI might show the message ‘The keytab is not valid for the principal’, as illustrated in the image below.

[Screenshot: FortiGate GUI message ‘The keytab is not valid for the principal’]

Kerberos must be defined as the authentication service, and this configuration is available only through the CLI. This issue can be resolved by following the steps in Technical Tip: FortiGate explicit proxy authentication with Kerberos.

Later, the user may encounter an explicit proxy user group query failure, with the errors ‘user failed in group information query’ and ‘explicit proxy user group query failed’ appearing in the User Events logs, as shown in the screenshot below:

[Screenshot: User Events logs showing the explicit proxy user group query failure]

This issue can be resolved by following the steps in Technical Tip: Strip domain strings from a UPN in Kerberos.

After updating the LDAP settings, the User Events logs may show ‘Explicit proxy authentication successful’, as illustrated in the image below.

[Screenshot: User Events logs showing ‘Explicit proxy authentication successful’]