Description |
This article explains why exporting the full configuration with the 'show full' CLI command does not include the hidden password field in the Kerberos keytab setting, which is used to encrypt and decrypt the keytab. Below is the output of 'show full' in the CLI:
    3KD_KRB (root) # show full-configuration user krb-keytab
    config user krb-keytab
        edit "proxy_service"
            set pac-data disable
            set principal "HTTP/fgtproxy.syd.fortilabapac.lab@SYD.FORTILABAPAC.LAB"
            set ldap-server "AD"
            set keytab "ENC HLoYVfTu++vvtDCZA7Ee2flNurEbqF1PMdZStWnDguf9rW6JVDKrac+N2zRKq4V"
        next
    end
Compare this to the actual config backup taken from the GUI or with the 'exec backup' CLI command:
    config user krb-keytab
        edit "proxy_service"
            set pac-data disable
            set principal "HTTP/fgtproxy.syd.fortilabapac.lab@SYD.FORTILABAPAC.LAB"
            set ldap-server "AD"
            set keytab "ENC HLoYVfTu++vvtDCZA7Ee2flNurEbqF1PMdZStWnDguf9rW6JVDKrac+N2zRKq4V"
            set password ENC N6Srnr9VSx8hwVM6OZnScZasSCLRrtW4AtcrQZHtEo
        next
    end
The password is system-generated and is used by FortiOS to encrypt and decrypt the keytab (no user intervention required). |
Scope | FortiGate. |
Solution |
Always back up using the Admin GUI or the 'exe backup' CLI command. |
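To check a saved configuration file for the gap described above, the following added example (not part of the original article or of FortiOS) lists krb-keytab entries that carry a `set keytab` line but no `set password` line. The function name and both sample configs are assumptions constructed for illustration, and the ENC values are placeholders.

```python
# Added example: flag krb-keytab entries exported without the hidden password.
# Sample configs are constructed; the ENC values are placeholders, not real data.

SHOW_FULL_SAMPLE = '''
config user krb-keytab
    edit "proxy_service"
        set pac-data disable
        set principal "HTTP/proxy.example.lab@EXAMPLE.LAB"
        set ldap-server "AD"
        set keytab "ENC PLACEHOLDERKEYTAB"
    next
end
'''

# Same entry as a GUI / 'exec backup' file would carry it, with the password line.
BACKUP_SAMPLE = SHOW_FULL_SAMPLE.replace(
    "    next", "        set password ENC PLACEHOLDERPASSWORD\n    next")


def krb_keytab_missing_password(config_text):
    """Return names of krb-keytab entries that set a keytab but no password."""
    missing = []
    in_section = False      # inside 'config user krb-keytab'
    nested = 0              # depth of any sub-'config' blocks inside an entry
    entry, fields = None, set()
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not in_section:
            in_section = words == ["config", "user", "krb-keytab"]
        elif words[0] == "config":
            nested += 1
        elif words[0] == "end":
            if nested:
                nested -= 1
            else:
                in_section = False
        elif nested:
            continue        # ignore fields of nested tables
        elif words[0] == "edit" and len(words) > 1:
            entry, fields = raw.split(None, 1)[1].strip().strip('"'), set()
        elif words[0] == "set" and len(words) > 1 and entry is not None:
            fields.add(words[1])
        elif words[0] == "next" and entry is not None:
            if "keytab" in fields and "password" not in fields:
                missing.append(entry)
            entry = None
    return missing
```

A non-empty result means the file came from a 'show full' style export and should be replaced with a backup taken from the GUI or the backup CLI command.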