Description
This article describes how to enforce AES256-SHA1 in FortiGate with an explicit proxy setup. |
Scope: FortiGate, Windows Domain controller.
Solution |
It is assumed that explicit proxy configurations are already completed in FortiGate and the domain users are able to access the Internet using proxy policies.
To see the step-by-step configurations of the explicit proxy, see the related articles at the end of this article.
This example shows how to enforce Kerberos with AES256-SHA1 as the encryption method used with the explicit proxy.
Log in to the domain controller and open 'cmd' to generate the keytab file:
ktpass -princ HTTP/<fortigate Hostname>@realm -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab
In the command above, the flag '-crypto all' means that all supported cryptographic types can be used.
Instead of 'all', a specific encryption type can be chosen during keytab file creation.
- If 'all' is chosen during keytab file creation, the file is encoded to base64 and imported into FortiGate, then, whenever a logged-in domain user tries to access the Internet, FortiGate will by default use 'RC4-HMAC-NT' to decrypt the Kerberos ticket.
The granted ticket is visible on the Windows machine for the domain user account by typing 'klist'.
Note: This is not a limitation on FortiGate, but the service account used during the creation of keytab file.
- It is possible to change this behavior to use 'AES256-SHA1' encryption by enabling the following on the service account.
- Log in to the domain controller, open the properties of the service account and enable 'This account supports Kerberos AES 256 bit encryption'.
- Once it is enabled, go back to the user machine and either type 'klist purge' to delete all issued Kerberos tickets and then try to access any web page with the 'explicit proxy' enabled, or log out and log in again with a domain user account on the Windows machine.
- Now open 'cmd' and type 'klist' to see the Kerberos ticket encryption type.
- The Kerberos ticket for Internet access now shows 'AES-256' encryption.
Check the Microsoft documentation for 'Ktpass' for further details.
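As an added example (not part of the Fortinet article), the following PowerShell helpers cover the Windows side of the steps above: decoding the service account's msDS-SupportedEncryptionTypes attribute (the bit that the 'This account supports Kerberos AES 256 bit encryption' checkbox sets), base64-encoding the ktpass keytab for the FortiGate import, and parsing klist output to confirm that the ticket for the proxy SPN is AES-256. The account name svc_fgt_proxy, the SPN HTTP/fgt.example.com and the sample klist text are constructed placeholders; Test-ServiceAccountAes256 requires the ActiveDirectory RSAT module.

```powershell
# Added example, not from the Fortinet article. Account name, SPN and the
# sample klist text below are constructed placeholders.

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes. The checkbox
# 'This account supports Kerberos AES 256 bit encryption' sets 0x10.
$KerbEncTypes = [ordered]@{
    0x01 = 'DES_CBC_CRC'
    0x02 = 'DES_CBC_MD5'
    0x04 = 'RC4_HMAC'
    0x08 = 'AES128_CTS_HMAC_SHA1_96'
    0x10 = 'AES256_CTS_HMAC_SHA1_96'
}

function ConvertFrom-KerbEncTypeMask {
    # Turn the integer attribute value into the list of enabled types.
    # A mask of 0 means the attribute is unset and the KDC default applies,
    # which is the RC4 behaviour the article describes.
    param([int]$Mask)
    $KerbEncTypes.Keys |
        Where-Object { ($Mask -band $_) -ne 0 } |
        ForEach-Object { $KerbEncTypes[$_] }
}

function Test-ServiceAccountAes256 {
    # Read the service account used for the keytab and report whether
    # AES256 is enabled on it. Requires the ActiveDirectory module (RSAT).
    param([string]$SamAccountName = 'svc_fgt_proxy')   # placeholder
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-SupportedEncryptionTypes'
    $mask = [int]($user.'msDS-SupportedEncryptionTypes')  # $null -> 0
    [pscustomobject]@{
        Account      = $SamAccountName
        Mask         = ('0x{0:X}' -f $mask)
        EnabledTypes = @(ConvertFrom-KerbEncTypeMask -Mask $mask)
        Aes256       = (($mask -band 0x10) -ne 0)
    }
}

function ConvertTo-Base64Keytab {
    # Base64-encode the keytab written by ktpass so it can be imported
    # into FortiGate as described in the article.
    param([string]$Path = '.\fgt.keytab')
    [Convert]::ToBase64String([IO.File]::ReadAllBytes((Resolve-Path $Path)))
}

function Get-KerbTicketEncType {
    # Return the 'KerbTicket Encryption Type' of the cached ticket for the
    # given SPN. Without -KlistOutput the function runs klist itself; pass
    # captured text to parse it offline.
    param(
        [string]$Spn = 'HTTP/fgt.example.com',   # placeholder SPN
        [string[]]$KlistOutput
    )
    if (-not $KlistOutput) { $KlistOutput = & klist.exe }
    $text = $KlistOutput -join "`n"
    # klist prints one block per ticket, each starting with '#<n>>'.
    $blocks = $text -split '(?m)^#\d+>'
    foreach ($block in $blocks) {
        if ($block -match "Server:\s*$([regex]::Escape($Spn))" -and
            $block -match 'KerbTicket Encryption Type:\s*(\S+)') {
            return $Matches[1]
        }
    }
    return $null
}

# Constructed sample of klist output, used to exercise the parser offline.
$sampleKlist = @'
#0>     Client: jdoe @ EXAMPLE.COM
        Server: HTTP/fgt.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`n"

Get-KerbTicketEncType -Spn 'HTTP/fgt.example.com' -KlistOutput $sampleKlist
```

On a live domain, the check sequence that matches the article is: run Test-ServiceAccountAes256 on the domain controller (Aes256 must be True before the ticket type can change), then on the user machine run 'klist purge', request or trigger a ticket for the proxy SPN (for example 'klist get HTTP/fgt.example.com' or browsing through the proxy), and call Get-KerbTicketEncType without -KlistOutput; anything other than AES-256-CTS-HMAC-SHA1-96 means the client is still holding an RC4 ticket or the account setting has not propagated.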
Related articles:
Copyright 2024 Fortinet, Inc. All Rights Reserved.