FortiGate
aahmadzada
Staff
Description

This article describes how to force Kerberos authentication on a FortiGate running as a proxy (explicit or transparent).
Scope

This article does not cover all the steps on how to configure the proxy and authentication.

This article assumes that the proxy and authentication are already configured and that Kerberos authentication has to be forced by the FortiGate.

Solution

To force Kerberos authentication, several conditions have to be met:

 

1) On the proxy client:

 

- By default, Windows will not attempt Kerberos authentication if the proxy server address is configured as an IP address; it will fall back to other enabled authentication protocols, such as NTLM.

 

Make sure that the proxy server address on the client is configured as the hostname, defined as an FQDN. In our case it is fgt.test.lab.

 

The proxy client will use that FQDN as the Service Principal Name to trigger the Kerberos authentication.


A Service Principal Name is a unique identifier used during Kerberos authentication to identify a service on the network.

In our case, the service on the network is the FortiGate acting as a web proxy.


 

- The proxy client must be able to resolve the FQDN of the proxy server to the IP address of the interface on which the FortiGate expects connections from the proxy clients.

 

2) On the FortiGate:

 

# config system global
    set hostname "fgt"
end

 

# config system dns
    set primary 10.0.0.10
    set secondary 10.0.0.11
    set domain "test.lab"
end

 

# config web-proxy global
    set proxy-fqdn "fgt.test.lab"
end

 

# config system interface
    edit "port2"
        set vdom "root"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set explicit-web-proxy enable
    next
end

 

# config authentication scheme
    edit "kerberos-scheme"
        set method negotiate <----- FortiGate does not have a Kerberos method; Kerberos is chosen during negotiation.
        set negotiate-ntlm disable <----- NTLM negotiation has to be disabled.
    next
end

 

# config authentication rule
    edit "rule1"
        set srcaddr "users"
        set ip-based disable
        set active-auth-method "kerberos-scheme"
    next
end

 

Note:

FortiGate does not have a Kerberos method; Kerberos is selected during the authentication negotiation between the proxy and the client.

To make sure that the FortiGate triggers Kerberos authentication, NTLM negotiation also has to be disabled.
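A way to verify, from a packet capture or proxy debug, that the negotiation really ended up with Kerberos rather than NTLM. This is an added example and not part of the Fortinet article or the FortiGate firmware: it reads the Proxy-Authenticate headers the proxy returns in a 407 and the Negotiate token the client sends back, and reports whether NTLM is still offered (negotiate-ntlm not yet disabled) and which mechanism the client's token carries. The DER OID constants are the standard SPNEGO, Kerberos and NTLMSSP identifiers; all headers and tokens in the block are constructed samples, and the mechanism detection is a byte-pattern heuristic, not a full ASN.1 parser.

```python
"""Tell from a proxy 407 exchange whether NTLM is still offered or used."""
import base64

# DER-encoded OIDs (tag 0x06, length, value)
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
MECH_OIDS = {
    "kerberos": bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
    "ms-kerberos": bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2
    "ntlm": bytes.fromhex("060a2b06010401823702020a"),       # 1.3.6.1.4.1.311.2.2.10
}


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample tokens."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def build_spnego_init(mechs) -> str:
    """Constructed NegTokenInit listing the given mechTypes, base64 as seen in a header."""
    mech_list = _der(0x30, b"".join(MECH_OIDS[m] for m in mechs))
    neg_init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))
    return base64.b64encode(_der(0x60, SPNEGO_OID + neg_init)).decode()


def classify_negotiate_token(token_b64: str) -> str:
    """Return 'ntlm', 'spnego:kerberos', 'spnego:ntlm', 'spnego:unknown' or 'unknown'."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # bare NTLM type-1 message, no SPNEGO wrapper at all
    # GSS-API InitialContextToken: [APPLICATION 0] tag 0x60, length, then the mech OID
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        # mechTypes come before mechToken in NegTokenInit, so the earliest known
        # mech OID in the buffer is the client's preferred mechanism (heuristic).
        hits = {n: raw.find(oid) for n, oid in MECH_OIDS.items() if raw.find(oid) >= 0}
        if not hits:
            return "spnego:unknown"
        first = min(hits, key=hits.get)
        return "spnego:ntlm" if first == "ntlm" else "spnego:kerberos"
    return "unknown"


def offered_schemes(response_headers) -> list:
    """Scheme names from every Proxy-Authenticate header in a 407 response."""
    schemes = []
    for line in response_headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate" and value.split():
            schemes.append(value.split()[0])
    return schemes


def client_mechanism(authorization_header: str) -> str:
    """Mechanism inside a 'Proxy-Authorization: Negotiate <token>' header."""
    _, _, value = authorization_header.partition(":")
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    return classify_negotiate_token(parts[1])


def assess_exchange(response_headers, authorization_header) -> dict:
    """Summarise one 407 round trip against a forced-Kerberos proxy policy."""
    offers = offered_schemes(response_headers)
    mech = client_mechanism(authorization_header)
    return {
        "offers": offers,
        "ntlm_offered": "NTLM" in offers,  # true while negotiate-ntlm is still enabled
        "client_mechanism": mech,
        "kerberos_in_use": mech == "spnego:kerberos",
    }


# Constructed samples (not captured from a real FortiGate)
RESPONSE_NTLM_STILL_ENABLED = [
    "HTTP/1.1 407 Proxy Authentication Required",
    "Proxy-Authenticate: Negotiate",
    "Proxy-Authenticate: NTLM",
]
RESPONSE_NEGOTIATE_ONLY = RESPONSE_NTLM_STILL_ENABLED[:2]
KERBEROS_TOKEN = build_spnego_init(["ms-kerberos", "kerberos", "ntlm"])  # typical Windows order
NTLM_ONLY_TOKEN = build_spnego_init(["ntlm"])  # what an NTLM fallback inside SPNEGO looks like
RAW_NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 4).decode()

if __name__ == "__main__":
    print(assess_exchange(RESPONSE_NEGOTIATE_ONLY, "Proxy-Authorization: Negotiate " + KERBEROS_TOKEN))
    print(assess_exchange(RESPONSE_NTLM_STILL_ENABLED, "Proxy-Authorization: Negotiate " + NTLM_ONLY_TOKEN))
```

If `ntlm_offered` is true after the scheme change, the `negotiate-ntlm disable` setting has not taken effect for the policy that handled the request; if the client's token classifies as `spnego:ntlm` or `ntlm` while only Negotiate is offered, the client side is the problem (typically an IP-literal proxy address or an unresolvable SPN), which the client checks in the next step cover.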

 

3) The DNS server that the proxy clients use to resolve hostnames has to have an A record for the FQDN of the proxy server.

 

This means that the proxy clients have to be able to resolve the FQDN fgt.test.lab to 192.168.100.1.
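The client-side conditions from steps 1 and 3 can be checked together before touching the FortiGate. The following is an added example, not part of the Fortinet article or any FortiGate tooling: it takes the proxy setting as a Windows client would hold it, decides whether Kerberos would even be attempted (hostname versus IP literal), derives the `HTTP/<host>` SPN that Windows requests for a web proxy, and confirms that DNS maps the FQDN to the FortiGate interface with `explicit-web-proxy` enabled. The resolver is injected so the check runs offline against a constructed A-record table (`LAB_DNS`); pass `socket.gethostbyname` to query real DNS.

```python
"""Check the client-side preconditions for Kerberos proxy authentication."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed lab values matching the article: fgt.test.lab on port2.
PROXY_INTERFACE_IP = "192.168.100.1"
LAB_DNS = {"fgt.test.lab": PROXY_INTERFACE_IP}  # constructed A records


def resolver_from_table(table):
    """Build a gethostbyname-style resolver from a dict; raises like socket does."""
    def resolve(host):
        try:
            return table[host.lower()]
        except KeyError:
            raise socket.gaierror(f"constructed resolver: no A record for {host}")
    return resolve


def proxy_host(proxy_setting: str) -> str:
    """Extract the host from 'fgt.test.lab:8080', 'http://fgt.test.lab:8080' or '[::1]:8080'."""
    if "://" not in proxy_setting:
        proxy_setting = "http://" + proxy_setting
    return urlsplit(proxy_setting).hostname or ""


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def kerberos_spn(host: str) -> str:
    """SPN a Windows client requests for a web proxy: HTTP/<configured host>."""
    return f"HTTP/{host}"


def check_proxy_client(proxy_setting, expected_ip, resolve):
    """Return a list of problems; an empty list means Kerberos can be attempted."""
    problems = []
    host = proxy_host(proxy_setting)
    if not host:
        return [f"no proxy host in {proxy_setting!r}"]
    if is_ip_literal(host):
        # Windows skips Kerberos for an IP-literal proxy and falls back to NTLM.
        return [f"proxy is configured as IP literal {host}; Windows will not attempt Kerberos"]
    if "." not in host:
        problems.append(f"proxy host {host!r} is not an FQDN; SPN {kerberos_spn(host)} will not match")
    try:
        resolved = resolve(host)
    except OSError as exc:  # socket.gaierror is an OSError
        problems.append(f"cannot resolve {host}: {exc}")
        return problems
    if resolved != expected_ip:
        problems.append(f"{host} resolves to {resolved}, expected proxy interface {expected_ip}")
    return problems


if __name__ == "__main__":
    resolve = resolver_from_table(LAB_DNS)
    for setting in ("fgt.test.lab:8080", "192.168.100.1:8080", "fgt:8080"):
        result = check_proxy_client(setting, PROXY_INTERFACE_IP, resolve)
        print(setting, "->", result or "OK, SPN " + kerberos_spn(proxy_host(setting)))
```

Only the first setting passes: the IP-literal setting is rejected outright because Windows would never try Kerberos for it, and the short hostname fails both the FQDN check and the DNS lookup. The same function, given `socket.gethostbyname`, tells you whether a real client's resolver returns the interface address from the `config system interface` block above.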
