Created on 04-02-2019 01:09 AM Edited on 11-17-2022 07:11 AM By Jean-Philippe_P
Description
This article describes how to strip the domain string from a User Principal Name (UPN) when a user authenticates to the FortiGate/FortiProxy with Kerberos.
When the client authenticates with Kerberos, the principal name presented to the FortiGate/FortiProxy carries the realm along with the username, i.e. user@domain, and the unit uses that full string as the key for its LDAP user lookup.
In some cases the domain string must be stripped from the UPN before the lookup for the user to authenticate successfully.
Such cases show up as the error message 'group information query failed' on the FortiGate/FortiProxy.
The unit searches LDAP for 'user1@fortilab.loc', but the directory attribute it queries holds 'user1' without the domain string (or a UPN with a different suffix), so no entry is returned and the group query fails.
Solution
Kerberos authentication for the explicit and transparent proxy is configured as described in the related article listed below.
To resolve the lookup failure, configure the following CLI settings under the LDAP server instance so that the domain string is stripped from the username before the LDAP search:
A) in FortiOS 5.6-6.0
account-key-processing {same | strip}
account-key-name {userPrincipalName | sAMAccountName}
'strip' removes the domain string from the UPN; 'account-key-name' selects the directory attribute the resulting key is matched against.
From CLI.
# config user ldap
    edit "ldap"
        set server "10.10.10.100"
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set username <username>
        set password <password>
        set password-expiry-warning enable
        set password-renewal disable
        set account-key-processing strip <-----
        set account-key-name "sAMAccountName" <-----
    next
end
B) in FortiOS 6.2+/ FortiProxy
account-key-processing {same | strip}
account-key-filter {AD_filter}
In 6.2+ the attribute is no longer a separate setting: '%s' in the account-key-filter is replaced by the (stripped) account key, so the attribute name in the filter decides what the key is matched against. The second clause, (!(UserAccountControl:1.2.840.113556.1.4.803:=2)), is a bitwise-AND match on userAccountControl that excludes disabled accounts (bit 2, ACCOUNTDISABLE).
From CLI.
# config user ldap
    edit "ldap"
        set server "10.10.10.100"
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set username <username>
        set password <password>
        set password-expiry-warning enable
        set password-renewal disable
        set account-key-processing strip <-----
        set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))" <-----
    next
end
Active Directory prerequisite for domain stripping to work:
The userPrincipalName without its domain suffix MUST be identical to the sAMAccountName, because the stripped key is matched against sAMAccountName. A user whose UPN prefix differs from the sAMAccountName (for example a UPN of john.smith@domain with sAMAccountName jsmith) will not be found after stripping and will still fail with 'group information query failed'.
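The following script is an added example, not Fortinet code, that models what the settings in A) and B) and the prerequisite above do: it derives the account key from the Kerberos principal according to account-key-processing, substitutes it for %s in the account-key-filter, and evaluates the resulting filter against a small constructed directory. The directory entries, the base DN dc=example,dc=com and the user names are the example's own assumptions; the RFC 4515 escaping of the key is this example's precaution and is not something the article documents for the FortiGate itself. It covers the three outcomes a practitioner meets: the default lookup failing because the stored UPN has a different suffix than the Kerberos realm, the stripped lookup succeeding on sAMAccountName, and the stripped lookup failing where the prerequisite is violated.

```python
"""Model of FortiGate/FortiProxy account-key processing for Kerberos users.

Added example, not Fortinet code.  Directory entries below are constructed.
"""
import re

ACCOUNTDISABLE = 0x2                               # userAccountControl bit tested by the filter
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
BASE_DN = "dc=example,dc=com"                      # 'set dn' of the LDAP server entry (assumed)

# account-key-filter strings as they appear in the FortiOS 6.2+ CLI; "%s" is the account key.
DEFAULT_FILTER = "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
STRIP_FILTER = "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed sample directory; the Kerberos realm of the lab is assumed to be FORTILAB.LOC.
DIRECTORY = [
    {"dn": "cn=user1,dc=example,dc=com", "sAMAccountName": "user1",
     "userPrincipalName": "user1@example.com", "userAccountControl": 512},    # alternate UPN suffix
    {"dn": "cn=user2,dc=example,dc=com", "sAMAccountName": "user2",
     "userPrincipalName": "user2@fortilab.loc", "userAccountControl": 514},   # 512 | ACCOUNTDISABLE
    {"dn": "cn=jsmith,dc=example,dc=com", "sAMAccountName": "jsmith",
     "userPrincipalName": "john.smith@fortilab.loc", "userAccountControl": 512},  # violates prerequisite
]


def account_key(principal, processing):
    """account-key-processing: 'same' keeps user@REALM, 'strip' drops everything from the first '@'."""
    if processing == "same":
        return principal
    if processing == "strip":
        return principal.split("@", 1)[0]
    raise ValueError("processing must be 'same' or 'strip'")


def ldap_escape(value):
    """RFC 4515 escaping of filter metacharacters (this example's own precaution)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value):
    """Reverse of ldap_escape, used when evaluating the filter against the directory."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template, key):
    """Substitute the account key for %s, as the account-key-filter setting implies."""
    return template.replace("%s", ldap_escape(key))


# Only the filter shape used on this page is understood:
# (&(ATTR=VALUE)(!(UserAccountControl:OID:=BITS)))
FILTER_RE = re.compile(r"^\(&\((\w+)=([^()]*)\)\(!\((\w+):([\d.]+):=(\d+)\)\)\)$")


def search(base, ldap_filter, directory=DIRECTORY):
    """Return the DNs an AD-like directory would hand back for this SearchRequest."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value, uac_attr, rule, bits = m.groups()
    if rule != LDAP_MATCHING_RULE_BIT_AND:
        raise ValueError("unsupported matching rule " + rule)
    wanted = ldap_unescape(value).lower()          # AD compares both attributes case-insensitively
    hits = []
    for entry in directory:
        if not entry["dn"].lower().endswith(base.lower()):
            continue
        attr_key = next((k for k in entry if k.lower() == attr.lower()), None)
        uac_key = next((k for k in entry if k.lower() == uac_attr.lower()), None)
        if attr_key is None or uac_key is None:
            continue
        if entry[attr_key].lower() != wanted:
            continue
        if entry[uac_key] & int(bits):             # (!(UAC:bit-and:=2)) drops disabled accounts
            continue
        hits.append(entry["dn"])
    return hits


def kerberos_lookup(principal, processing, template):
    """The user search the unit runs after the Kerberos ticket is accepted, to read group membership."""
    return search(BASE_DN, build_filter(template, account_key(principal, processing)))


def prerequisite_violations(directory=DIRECTORY):
    """Users whose UPN prefix differs from sAMAccountName: 'strip' can never find these."""
    return [e["dn"] for e in directory
            if e["userPrincipalName"].split("@", 1)[0].lower() != e["sAMAccountName"].lower()]


if __name__ == "__main__":
    for principal in ("user1@FORTILAB.LOC", "john.smith@FORTILAB.LOC", "user2@FORTILAB.LOC"):
        for processing, template in (("same", DEFAULT_FILTER), ("strip", STRIP_FILTER)):
            hits = kerberos_lookup(principal, processing, template)
            print(f"{principal:26} {processing:5} -> {hits or 'group information query failed'}")
    print("prerequisite violations:", prerequisite_violations())
```

Running it shows user1 found only with 'strip', john.smith found only with 'same' (the prerequisite audit lists that entry), and the disabled user2 found in neither mode because the UserAccountControl clause removes it. The prerequisite_violations() function is the check to run against a real export of userPrincipalName and sAMAccountName before enabling 'strip' in production.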
The following sniffer captures (taken on the FortiGate with, for example, 'diagnose sniffer packet port1 "host 10.10.10.100 and port 389" 6 0 a') show the LDAP SearchRequest sent to the directory. The part to read is the filter inside the request: the attribute name and the value that follows it.
- The FortiGate/FortiProxy traffic towards the LDAP server with the above settings enabled, where the domain string has been stripped from the UPN and the filter matches sAMAccountName against the bare username, followed by the UserAccountControl extensible match (OID 1.2.840.113556.1.4.803, value 2):
2019-03-28 16:32:16.002217 port1 out 10.10.10.254.22511 -> 10.10.10.100.389: psh 789410175 ack 1878386003
0x0000 0000 0000 0000 0041 6c7a 0f02 0800 4500 .......Alz....E.
0x0010 00b1 919d 4000 4006 90eb 0a97 012d 0a97 ....@.@......-..
0x0020 0164 57ef 0185 2f0d 717f 6ff5 e553 8018 .dW.../.q.o..S..
0x0030 000b 222c 0000 0101 080a 0229 e0d5 0b34 ..",.......)...4
0x0040 7699 307b 0201 0263 7604 1164 633d 6b6c v.0{...cv..dc=ex
0x0050 7461 632c 6463 3d6c 6f63 616c 0a01 020a ample,dc=com……..
0x0060 0100 0201 0002 0100 0101 ffa0 4ba3 1604 ............K...
0x0070 0d73 414d 4163 6f75 6e74 4e61 6d65 0405 .sAMAccountName.
0x0080 7573 6572 32a2 31a9 2f81 1631 2e32 2e38 user1.1./..1.2.8
0x0090 3430 2e31 3133 3535 362e 312e 342e 3830 40.113556.1.4.80
0x00a0 3382 1255 7365 7241 6363 6f75 6e74 436f 3..UserAccountCo
0x00b0 6e74 726f 6c83 0132 3005 0403 312e 31 ntrol..20...1.1
- A user search request from the FortiGate/FortiProxy to the LDAP server with the default settings below, where the filter matches userPrincipalName and the value still carries the domain string with the username (in FortiOS 6.2+/FortiProxy the equivalent default is an account-key-filter of (&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))):
account-key-processing same
account-key-name userPrincipalName
2019-03-28 16:37:26.425999 port1 out 10.10.10.254.22545 -> 10.10.10.100.389: psh 2791024640 ack 3639226358
0x0000 0000 0000 0000 0041 6c7a 0f02 0800 4500 .......Alz....E.
0x0010 00c3 fde2 4000 4006 2494 0a97 012d 0a97 ....@.@.$....-..
0x0020 0164 5811 0185 a65b a800 d8ea 2ff6 8018 .dX....[..../...
0x0030 000b 7b31 0000 0101 080a 022a 5a11 0b39 ..{1.......*Z..9
0x0040 332f 3081 8c02 0102 6381 8604 1164 633d 3/0.....c....dc=
0x0050 6b6c 7461 632c 6463 3d6c 6f63 616c 0a01 example,dc=com..
0x0060 020a 0100 0201 0002 0100 0101 ffa0 5ba3 ..............[.
0x0070 2604 1175 7365 7250 7269 6e63 6970 616c &..userPrincipal
0x0080 4e61 6d65 0411 7573 6572 3240 4b4c 5441 Name..user1@forti
0x0090 432e 4c4f 4341 4ca2 31a9 2f81 1631 2e32 lab.loc.1./..1.2
0x00a0 2e38 3430 2e31 3133 3535 362e 312e 342e .840.113556.1.4.
0x00b0 3830 3382 1255 7365 7241 6363 6f75 6e74 803..UserAccount
0x00c0 436f 6e74 726f 6c83 0132 3005 0403 312e Control..20...1.
0x00d0 31 1
Related Articles
Technical Tip : Configuring FortiProxy Kerberos authentication for explicit proxy