Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sheikh
Staff
Staff

Created on ‎03-14-2023 10:43 PM Edited on ‎07-03-2024 07:51 AM By Moderator

Article Id 249094

Technical Tip: How to enforce Kerberos keytab with AES256-SHA1 as the used encryption method with Explicit Proxy

Description

This article describes how to enforce AES256-SHA1 in FortiGate with an explicit proxy setup.
Scope FortiGate, Windows Domain controller.
Solution

It is assumed that explicit proxy configurations are already completed in FortiGate and the domain users can access the Internet using proxy policies.

 

To see the step-by-step configurations of the explicit proxy, see the related articles at the end of this article.

 

This example will show how to enforce Kerberos with AES256-SHA1 as the used encryption method with explicit proxy.

 

Login to the domain controller and go to 'cmd' to generate a keytab file.

 

ktpass -princ HTTP/<fortigate Hostname>@realm -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

 

Sheikh_3-1678816730432.png

 

In the above-mentioned command, a flag '-crypto all' is used, which means that, 'all' supported cryptographic types can be used.

 

It is possible to choose the following types instead of 'all' in keytab file creation.


Crypto: {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}.

 

  • It is possible to choose 'all' during keytab file creation, encode it to base 64, and import the file in FortiGate, then whenever the domain logged-in user tries to access the internet.

By default, FortiGate will use 'RC4-HMAC-NT' to decrypt the Kerberos keytab.

 

The granted ticket will be visible on the Windows machine to a domain user account by typing 'klist'.

 

Sheikh_1-1678816207129.png

 

Note 1:

This is not a limitation on FortiGate, but the service account used during the creation of keytab file.

 

  • It is possible to change this behavior to use 'AES256-SHA1" encryption by enabling the following on the service account.

 

  • Login to the Domain controller, go to the properties of the service account, and enable 'This account supports Kerberos AED 256 bit encryption'.

 

Sheikh_2-1678816502114.png

 

  • Once it is enabled, go back to the user machine and either type 'klist purge' to delete all issued Kerberos tickets and then, try to access any web page with 'explicit proxy' enabled or try by logout and login again with a domain user account on a Windows machine.

 

  • Now go to the 'cmd' and type 'klist' to see the Kerberos ticket encryption type.

 

Sheikh_4-1678817537625.png

 

  • It is possible to see 'AES-256' Kerberos Ticket Encryption for internet access.

Check Microsoft documentation for 'Ktpass' for further details.

 

Note 2:
In case the service account option to support the AES-256 algorithm is not enabled and the keytab file is generated with -crypto AES256-SHA1.
The authentication will fail with WAD debug message 'No key table entry found'.

 

Ensure that the keytab crypto option matches the option enabled in the Active Directory Service Account.

 

Related articles:

Technical Tip: FortiGate explicit proxy authentication with Kerberos

Technical Tip: Configuring FortiProxy Kerberos authentication for explicit proxy

 

4599
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.