js2
Staff
Article Id 254476
Description

This article describes an error that occurs during Kerberos authentication with proxies and offers a solution.

Scope

FortiGate explicit proxy and FortiProxy.

Solution

Reviewing WAD debug logs may reveal that the FortiGate sends an HTTP 407 (Proxy Authentication Required) response and the client responds with the Kerberos ticket. However, the authentication fails with an error.

Use the following commands to get debug logs for authentication:

 

# diagnose wad debug enable level verbose
# diagnose wad debug enable category auth
# diagnose debug enable


2022-05-05 15:54:59.768448 wad_fast_match_is_enable(3441): fast matching is disabled
2022-05-05 15:54:59.768459 wad_inet_match_svc_id(558): inet app_id=393320, country_id=380, region=1073, city=15220
2022-05-05 15:54:59.768479 wad_vwl_has_intf(288): logic/phyical if_idx(57/57),matched=1
2022-05-05 15:54:59.768482 wad_http_request_get_user(25396): process=28708 auth-rule=P_AuthProxyRules user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=0x7ff3fb662160 auth_line=0x7ff3faf66030
2022-05-05 15:54:59.768485 wad_hauth_method_chg_get(1476): method:http-mix->Negotiate hdr=Neg
2022-05-05 15:54:59.768505 wad_krb_get_keytab(617): ticket's princ name:HTTP/ithq01proxyfgt2.bonatti.lan@BONATTI.LAN
2022-05-05 15:54:59.768507 wad_nego_authenticate(266): Error occurred during krb authentication. -------------------------->
2022-05-05 15:54:59.768508 wad_http_auth_status_proc(24891): authenticate result=failure
2022-05-05 15:54:59.768509 __wad_http_build_replmsg_resp(18515): Generating replacement message. 407 error repmsg_id 14

 

To solve this, ensure the correct password is set under 'config user krb-keytab'. Afterwards, generate the keytab and re-import it into FortiGate/FortiProxy.
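To find this failure in a long verbose capture, the script below pairs the principal name logged by wad_krb_get_keytab with the Kerberos error that follows it, so the affected principal and authentication rule are reported together. It is an added example, not Fortinet code: the function name find_krb_failures is hypothetical, and it assumes the line layout shown in the debug output above and that the lines of one request appear consecutively.

```python
import re

# Sample input: WAD debug lines copied from the article's output above.
SAMPLE = """\
2022-05-05 15:54:59.768482 wad_http_request_get_user(25396): process=28708 auth-rule=P_AuthProxyRules user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=0x7ff3fb662160 auth_line=0x7ff3faf66030
2022-05-05 15:54:59.768485 wad_hauth_method_chg_get(1476): method:http-mix->Negotiate hdr=Neg
2022-05-05 15:54:59.768505 wad_krb_get_keytab(617): ticket's princ name:HTTP/ithq01proxyfgt2.bonatti.lan@BONATTI.LAN
2022-05-05 15:54:59.768507 wad_nego_authenticate(266): Error occurred during krb authentication. -------------------------->
2022-05-05 15:54:59.768508 wad_http_auth_status_proc(24891): authenticate result=failure
2022-05-05 15:54:59.768509 __wad_http_build_replmsg_resp(18515): Generating replacement message. 407 error repmsg_id 14
"""

# Assumed layout (taken from the sample): "<date> <time> <function>(<line>): <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\w+)\(\d+\): (.*)$")

def find_krb_failures(text):
    """Return one record per Kerberos failure: time, auth rule, principal, 407 sent."""
    failures, ctx, last = [], {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip CLI prompts, blank lines and anything not in the layout
        ts, func, msg = m.groups()
        if func == "wad_http_request_get_user":  # start of a new request
            rule = re.search(r"auth-rule=(\S+)", msg)
            ctx = {"auth_rule": rule.group(1) if rule else None, "principal": None}
            last = None
        elif func == "wad_krb_get_keytab" and "princ name:" in msg:
            ctx["principal"] = msg.split("princ name:", 1)[1].strip()
        elif func == "wad_nego_authenticate" and "Error occurred during krb authentication" in msg:
            last = {"time": ts, "auth_rule": ctx.get("auth_rule"),
                    "principal": ctx.get("principal"), "sent_407": False}
            failures.append(last)
        elif last and "407 error" in msg:  # replacement message sent after the failure
            last["sent_407"] = True
    return failures

if __name__ == "__main__":
    for f in find_krb_failures(SAMPLE):
        print(f"{f['time']} rule={f['auth_rule']} principal={f['principal']} 407={f['sent_407']}")
```

The reported principal is the one to compare against the entry under 'config user krb-keytab' before regenerating the keytab.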