This article describes an error that occurs when using Kerberos authentication with explicit web proxies on the FortiGate/FortiProxy.
Explicit Web Proxy, FortiGate/FortiProxy
Reviewing the WAD debug logs may show the FortiGate sending an HTTP 407 'Proxy Authentication Required' response and the user's client replying with the Kerberos ticket. However, authentication still fails, and the WAD debug output reports 'Error occurred during krb authentication'.
Use the following commands to obtain WAD debug logs for authentication:
diagnose wad filter process-id-by-src <IP_address_of_client>
diagnose wad debug enable level verbose
diagnose wad debug enable category auth
diagnose wad debug enable category http
diagnose debug console timestamp enable
diagnose debug enable
2022-05-05 15:54:59.768448 wad_fast_match_is_enable(3441): fast matching is disabled
2022-05-05 15:54:59.768459 wad_inet_match_svc_id(558): inet app_id=393320, country_id=380, region=1073, city=15220
2022-05-05 15:54:59.768479 wad_vwl_has_intf(288): logic/phyical if_idx(57/57),matched=1
2022-05-05 15:54:59.768482 wad_http_request_get_user(25396): process=28708 auth-rule=P_AuthProxyRules user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=0 auth_req=0x7ff3fb662160 auth_line=0x7ff3faf66030
2022-05-05 15:54:59.768485 wad_hauth_method_chg_get(1476): method:http-mix->Negotiate hdr=Neg
2022-05-05 15:54:59.768505 wad_krb_get_keytab(617): ticket's princ name:HTTP/kerberos.example.lan@EXAMPLE.LAN
2022-05-05 15:54:59.768507 wad_nego_authenticate(266): Error occurred during krb authentication. <----------
2022-05-05 15:54:59.768508 wad_http_auth_status_proc(24891): authenticate result=failure
2022-05-05 15:54:59.768509 __wad_http_build_replmsg_resp(18515): Generating replacement message. 407 error repmsg_id 14
To solve this issue, ensure the correct password is set under config user krb-keytab. Afterwards, generate and re-import the keytab to the FortiGate/FortiProxy.
Note:
The wad filter process-id-by-src option was introduced in FortiProxy v7.0.13, v7.2.7, and v7.4.1, and it will be added to the FortiGate in the upcoming v7.6.3. This option notably enhances WAD filtering by first filtering on the source IP of a client connection and then filtering further on the specific WAD worker process that is handling that traffic, which helps to reduce excess debug output.
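An added example, not part of the original article or any Fortinet tooling: a Python script that scans saved WAD debug output for the 'Error occurred during krb authentication' line and pairs it with the principal name logged just before it, which identifies the krb-keytab entry to check. The function names and the sample capture are constructed for illustration, and the pairing assumes the capture was filtered to a single WAD worker, as with process-id-by-src.

```python
import re
from collections import Counter

# "<timestamp> <function>(<source line>): <message>", as in the output above.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\w+)\((\d+)\): (.*)$")
PRINC_RE = re.compile(r"ticket's princ name:(\S+)")
KRB_ERROR = "Error occurred during krb authentication"

# Constructed sample in the format of the article's debug output.
SAMPLE = """\
2022-05-05 15:54:59.768485 wad_hauth_method_chg_get(1476): method:http-mix->Negotiate hdr=Neg
2022-05-05 15:54:59.768505 wad_krb_get_keytab(617): ticket's princ name:HTTP/kerberos.example.lan@EXAMPLE.LAN
2022-05-05 15:54:59.768507 wad_nego_authenticate(266): Error occurred during krb authentication. <----------
2022-05-05 15:54:59.768508 wad_http_auth_status_proc(24891): authenticate result=failure
2022-05-05 15:55:07.112233 wad_krb_get_keytab(617): ticket's princ name:HTTP/kerberos.example.lan@EXAMPLE.LAN
2022-05-05 15:55:07.112240 wad_nego_authenticate(266): Error occurred during krb authentication.
2022-05-05 15:55:09.000100 wad_krb_get_keytab(617): ticket's princ name:HTTP/other.example.lan@EXAMPLE.LAN
2022-05-05 15:55:09.000150 wad_fast_match_is_enable(3441): fast matching is disabled
"""

def find_krb_failures(text):
    """Return one record per Kerberos failure with the principal looked up just before it."""
    failures, last_princ = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped lines or unrelated console output
        ts, func, _src_line, msg = m.groups()
        if func == "wad_krb_get_keytab":
            p = PRINC_RE.search(msg)
            last_princ = p.group(1) if p else None
        elif func == "wad_nego_authenticate" and KRB_ERROR in msg:
            # Assumption: one WAD worker in the capture, so adjacency is a valid pairing.
            failures.append({"time": ts, "principal": last_princ})
            last_princ = None
    return failures

def failures_by_principal(text):
    """Count failures per principal to show which keytab entry needs attention."""
    return Counter(f["principal"] for f in find_krb_failures(text))

if __name__ == "__main__":
    for princ, count in failures_by_principal(SAMPLE).items():
        print(f"{count} krb failure(s) for {princ}: check its entry under config user krb-keytab")
```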