Created on 08-01-2018 06:00 AM Edited on 11-23-2021 01:29 AM By Anthony_E
Description
This article describes the Redirected Transparent Web Proxy (RTWP) supported in FortiOS 5.6.1 and higher.
While it does not offer as many features as the Explicit Web Proxy, it has the advantage that no PAC file is needed on the user side to send web traffic to the proxy, and it can be used to apply Kerberos authentication to HTTP traffic.
General transparent proxy configuration:
https://docs.fortinet.com/document/fortigate/6.4.6/administration-guide/15908/transparent-proxy
Solution
See for example these FortiGate and Web proxy settings:
# config system global
set hostname "fgt_proxy"
end
# config system dns
set primary 208.91.112.53
set secondary 192.168.95.16
set domain "forti.lab"
end
# config web-proxy global
set proxy-fqdn "fgt_proxy.forti.lab"
end
# config firewall address
edit "fgt_proxy_portal"
set type fqdn
set fqdn "fgt_proxy.forti.lab"
next
end
Note.
Both captive-portal and proxy-captive-portal must be set to support Kerberos authentication.
# config system interface
edit "port2"
set vdom "root"
set ip 192.168.48.1 255.255.240.0
set allowaccess ping https ssh
set type physical
set explicit-web-proxy enable
set proxy-captive-portal enable
next
end
# config user ldap
edit "LDAP-server"
set server "192.168.95.16"
set cnid "cn"
set dn "cn=users,DC=forti,DC=lab"
set type regular
set username "CN=serge,CN=Users,DC=forti,DC=lab"
set password ENC BP8/LUK0WNuu2RHxj32zVF4ga1cKt7hwSefs5rTSkK37/
next
end
# config user krb-keytab
edit "http_service"
set principal "HTTP/fgt_proxy.forti.lab@FORTI.LAB"
set ldap-server "LDAP-server"
set keytab "QIAAABAVNlcmdlQ0FQRy5jbGZndHZtcveHkuU2" <----- In later versions this value is prepended with ENC …
next
end
# config user group
edit "grp1"
set member "LDAP-server"
# config match
edit 1
set server-name "LDAP-server"
set group-name "CN=Domain Users,CN=Users,DC=forti,DC=lab"
next
end
next
end
# config firewall proxy-policy
edit 5
set proxy transparent-web
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set groups "grp1"
set utm-status enable
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
next
end
# config authentication scheme
edit "kerberos-scheme"
set method negotiate
set negotiate-ntlm disable
next
end
# config authentication rule
edit "test"
set srcaddr "lan"
set ip-based disable
set active-auth-method "kerberos-scheme"
set web-auth-cookie enable
next
end
Note.
Both captive-portal and captive-portal-port must be set under the authentication setting for the Transparent Web Proxy to support Kerberos authentication.
# config authentication setting
set captive-portal "fgt_proxy_portal"
set captive-portal-port 9998
end
Note.
The captive portal FQDN must resolve to the FortiGate interface IP on both the FortiGate and the client.
In the example above, 'fgt_proxy.forti.lab' should therefore resolve to port2's IP address, 192.168.48.1.
On the FortiGate, the IP address that the captive portal FQDN resolves to can be verified with ping and/or the debug commands below:
# execute ping fgt_proxy.forti.lab
PING fgt_proxy.forti.lab (192.168.48.1): 56 data bytes
64 bytes from 192.168.48.1: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 192.168.48.1: icmp_seq=1 ttl=255 time=0.0 ms
64 bytes from 192.168.48.1: icmp_seq=2 ttl=255 time=0.0 ms
64 bytes from 192.168.48.1: icmp_seq=3 ttl=255 time=0.0 ms
64 bytes from 192.168.48.1: icmp_seq=4 ttl=255 time=0.0 ms
--- fgt_proxy.forti.lab ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.1 ms
# diagnose debug enable
# diagnose test application wad 2200
Set diagnosis process: type=worker index=0 pid=183
# diagnose test application wad 106
vd 0 domain fgt_proxy.forti.lab resolved to 1 IP
192.168.48.1
The regular firewall policy configuration differs between FortiOS versions:
5.6 – 6.0.
# config firewall policy
edit 1
set name "Internet Access"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "Web Access"
set utm-status enable
set profile-protocol-options "WEB-PROXY"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
# config firewall profile-protocol-options
edit "WEB-PROXY"
# config http
set ports 80 8080
unset options
set http-policy enable <----- Redirects matching HTTP traffic to the proxy policy.
unset post-lang
end
next
end
6.2 and later.
# config firewall policy
edit 1
set name "Internet Access"
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "Web Access"
set inspection-mode proxy
set http-policy-redirect enable <----- Moved from the profile-protocol-options.
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
The client PC's 'klist' output should contain several tickets; one of them should be for HTTP/fgt_proxy.forti.lab @ FORTI.LAB, which is the service ticket for the FortiGate in question.
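The two prerequisites stated above (the captive portal FQDN resolving to the port2 IP on both the FortiGate and the client, and the client holding a service ticket for the proxy's HTTP/ SPN) are easy to get wrong, so here is an added pre-flight check script. It is example code written for this article, not Fortinet's; the hostname, realm and IP are those used in the configuration above, and the 'klist' and 'diagnose test application wad 106' outputs embedded in it are constructed samples in the format those commands print.

```python
"""Pre-flight checks for the Kerberos transparent web proxy setup.

Added example, not part of the article. Verifies (1) the client resolves
the captive portal FQDN to the FortiGate interface IP only, (2) the
FortiGate's own resolution (from 'diagnose test application wad 106')
agrees, and (3) the client's 'klist' output holds a ticket for the proxy SPN.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

PORTAL_FQDN = "fgt_proxy.forti.lab"                 # captive-portal FQDN from the article
PORTAL_IP = "192.168.48.1"                          # port2 IP from the article
PROXY_SPN = "HTTP/fgt_proxy.forti.lab @ FORTI.LAB"  # SPN as Windows klist prints it

# Constructed sample of the FortiGate debug output shown in the article.
SAMPLE_WAD106 = """vd 0 domain fgt_proxy.forti.lab resolved to 1 IP
192.168.48.1
"""

# Constructed sample of Windows 'klist' output on a joined client.
SAMPLE_KLIST = """Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: serge @ FORTI.LAB
        Server: krbtgt/FORTI.LAB @ FORTI.LAB
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

#1>     Client: serge @ FORTI.LAB
        Server: HTTP/fgt_proxy.forti.lab @ FORTI.LAB
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
"""


def client_resolves_portal(fqdn: str, expected_ip: str,
                           resolver: Optional[Callable[[str], Iterable[str]]] = None) -> bool:
    """True if every address the client resolves for fqdn is expected_ip.

    The resolver defaults to the system resolver; a fake one can be injected
    for offline use. Any extra address (for example a public IP served by an
    external DNS view) fails the check, because the browser would then reach
    the portal name somewhere other than the FortiGate interface.
    """
    if resolver is None:
        def resolver(name: str) -> List[str]:
            return socket.gethostbyname_ex(name)[2]
    return set(resolver(fqdn)) == {expected_ip}


def fortigate_resolves_portal(wad106_output: str, fqdn: str, expected_ip: str) -> bool:
    """Parse 'diagnose test application wad 106' output: the domain must be the
    portal FQDN and must resolve to exactly one IP, the interface IP."""
    m = re.search(r"domain\s+(\S+)\s+resolved to\s+(\d+)\s+IP", wad106_output)
    if not m or m.group(1) != fqdn:
        return False
    ips = re.findall(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*$", wad106_output, re.MULTILINE)
    return int(m.group(2)) == 1 and ips == [expected_ip]


def parse_klist(klist_output: str) -> List[Dict[str, str]]:
    """Split Windows klist output into one dict per '#N>' ticket entry,
    keyed by the 'Field: value' lines of that entry."""
    tickets: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in klist_output.splitlines():
        line = raw.strip()
        if re.match(r"^#\d+>", line):
            current = {}
            tickets.append(current)
            line = re.sub(r"^#\d+>\s*", "", line)
        if current is None or ":" not in line:
            continue  # header lines before the first ticket, or flag lines
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return tickets


def has_proxy_ticket(klist_output: str, spn: str = PROXY_SPN) -> bool:
    """True if the client already holds a service ticket for the proxy SPN."""
    return any(t.get("Server") == spn for t in parse_klist(klist_output))


if __name__ == "__main__":
    # Offline demonstration using the constructed samples and a fake resolver.
    print("client DNS ok:   ", client_resolves_portal(PORTAL_FQDN, PORTAL_IP,
                                                      resolver=lambda n: [PORTAL_IP]))
    print("FortiGate DNS ok:", fortigate_resolves_portal(SAMPLE_WAD106, PORTAL_FQDN, PORTAL_IP))
    print("proxy ticket ok: ", has_proxy_ticket(SAMPLE_KLIST))
```

On a real client, drop the `resolver` argument so the system resolver is used, and feed the script the actual `klist` output; a missing HTTP/ ticket with a correctly resolving FQDN usually points at the keytab principal or the SPN registration rather than at DNS.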