FortiGate
Sheikh, Staff
Article Id 249094
Description

This article describes how to enforce AES256-SHA1 in FortiGate with an explicit proxy setup.

Scope

FortiGate, Windows Domain controller.
Solution

It is assumed that the explicit proxy configuration is already completed in FortiGate and that domain users are able to access the Internet using proxy policies.

For the step-by-step configuration of the explicit proxy, see the related articles at the end of this article.

This example shows how to enforce Kerberos with AES256-SHA1 as the encryption method used with the explicit proxy.

 

Log in to the domain controller, open 'cmd' and generate the keytab file:

 

ktpass -princ HTTP/<fortigate Hostname>@realm -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab

 


 

The above command uses the flag '-crypto all', which means that all supported cryptographic types are written to the keytab and can be used.

 

Instead of 'all', one of the following types can be chosen when creating the keytab file:

-crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}

 

 - When 'all' is chosen during keytab file creation, the file is encoded in base64 and imported into FortiGate. Then, whenever a domain logged-in user tries to access the Internet, FortiGate will by default use the 'RC4-HMAC-NT' key from the keytab when decrypting the Kerberos ticket.
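As an added check before the keytab is imported (example code written for this article, not Fortinet's or Microsoft's), the following Python script parses the base64-encoded keytab in the MIT format that ktpass writes and reports, per entry, the principal, key version and the '-crypto' type name; a keytab created with '-crypto all' should list an AES256-SHA1 entry alongside RC4-HMAC-NT. The hostname fgt.example.com, the realm EXAMPLE.COM and the key bytes in the sample are constructed placeholders.

```python
import base64
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) mapped to the names ktpass accepts for -crypto.
KTPASS_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1", 18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
def _counted(buf, pos):
    # Read a 16-bit big-endian length-prefixed octet string from buf at pos.
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n
def keytab_entries(data):
    """Parse an MIT-format keytab (version 0x0502, as ktpass writes it) into (principal, kvno, enctype)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        vno8 = data[pos + 8]                          # follows uint32 name_type and uint32 timestamp
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                              # skip the key bytes; only the enctype matters here
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return out
def keytab_summary(b64_keytab):
    """(principal, kvno, ktpass enctype name) per entry of a base64-encoded keytab, the form imported into FortiGate."""
    return [(p, v, KTPASS_NAMES.get(e, "enctype-%d" % e))
            for p, v, e in keytab_entries(base64.b64decode(b64_keytab))]
def build_keytab(principal, realm, keys, kvno=3):
    """Constructed keytab for testing (not the output of a real ktpass run)."""
    comps, body = principal.split("/"), b""
    for enctype, key in keys:
        e = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            e += struct.pack(">H", len(c)) + c.encode()
        e += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">i", len(e) + 4) + e + struct.pack(">I", kvno)
    return b"\x05\x02" + body
# Constructed sample: placeholder AES256 (18) and RC4 (23) keys for HTTP/fgt.example.com, not real secrets.
SAMPLE_B64 = base64.b64encode(build_keytab("HTTP/fgt.example.com", "EXAMPLE.COM",
                                           [(18, b"\x00" * 32), (23, b"\x11" * 16)])).decode()
```

To check a real file, replace SAMPLE_B64 with the base64 string produced from fgt.keytab and confirm that an AES256-SHA1 entry with the expected kvno is present.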

 

The granted ticket is visible on the Windows machine, for a domain user account, by typing 'klist'.

 


 

Note:

This is not a limitation of FortiGate; it is determined by the service account used during the creation of the keytab file.

 

 - It is possible to change this behavior to use 'AES256-SHA1' encryption by enabling the following on the service account.

 

 - Log in to the domain controller, open the properties of the service account and enable 'This account supports Kerberos AES 256 bit encryption'.

 


 

  - Once it is enabled, go back to the user machine and type 'klist purge' to delete all issued Kerberos tickets, then try to access any web page through the explicit proxy; alternatively, log out and log in again with the domain user account on the Windows machine.

 

 - Now open 'cmd' and type 'klist' to see the Kerberos ticket encryption type.

 


 

 - The 'klist' output now shows 'AES-256' as the Kerberos ticket encryption type for Internet access.

 

See the Microsoft documentation for 'Ktpass' for further details.

 

Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-explicit-proxy-authentication-wi...

https://community.fortinet.com/t5/FortiProxy/Technical-Tip-Configuring-FortiProxy-Kerberos-authentic...