ppatel
Staff
Article Id 198782

Description

This article describes how to strip the domain string from a User Principal Name (UPN) when a user authenticates to the FortiGate/FortiProxy via Kerberos authentication.

When Kerberos authentication is requested by the client, the client sends the domain name along with the username, i.e. user@domain, while the user authenticates.

In some cases, the domain string must be stripped from the UPN for the user to authenticate successfully.

Such cases can be identified when the FortiGate/FortiProxy shows the error message 'group information query failed'.

For example, 'user1@fortilab.loc' is searched for, but LDAP stores no such value; it stores only 'user1', without the domain string, so the search finds nothing.

Solution


Kerberos authentication in explicit and transparent proxy can be configured by referring to the related article.

To resolve this, configure the following CLI settings under the LDAP server instance to strip the domain string from the username:


A) In FortiOS 5.6 to 6.0


account-key-processing {same | strip}
account-key-name       {userPrincipalName | sAMAccountName}

From the CLI:


# config user ldap
    edit "ldap"
        set server "10.10.10.100"
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set username <username>
        set password <password>
        set password-expiry-warning enable
        set password-renewal disable
        set account-key-processing strip        <-----
        set account-key-name "sAMAccountName"   <-----
    next
end

B) In FortiOS 6.2+ and FortiProxy


account-key-processing {same | strip}
account-key-filter     {AD_filter}

From the CLI:


# config user ldap
    edit "ldap"
        set server "10.10.10.100"
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set username <username>
        set password <password>
        set password-expiry-warning enable
        set password-renewal disable
        set account-key-processing strip        <-----
        set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"   <-----
    next
end

Active Directory prerequisite for domain stripping to work:
the userPrincipalName without its domain suffix MUST be identical to the sAMAccountName (for example user1@fortilab.loc and user1); otherwise the search with the stripped name returns no entry.
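To make the effect of these two settings concrete, here is an added Python example (not Fortinet code) that models what the configuration above does: `account-key-processing strip` drops everything from the '@' on, and the `%s` in `account-key-filter` is replaced by that stripped name. The rendered filter is then evaluated with a small RFC 4515 filter parser against a constructed in-memory directory (the entries user1, user2 and jsmith are made up for this example), including the bitwise matching rule 1.2.840.113556.1.4.803 that the article's filter uses to exclude disabled accounts. The `lookup`, `render_filter` and `escape_filter_value` helpers are this example's own; the disabled account and the user whose UPN prefix differs from the sAMAccountName show the two ways a lookup still comes back empty after stripping.

```python
# Added example (not Fortinet code): models what `account-key-processing strip`
# and `account-key-filter` do to a Kerberos UPN, then evaluates the rendered
# LDAP filter against a constructed in-memory directory.
import re

# Matching-rule OID used in the article's filter (real AD value: bitwise AND).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# The account-key-filter from the article.
ARTICLE_FILTER = "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed sample entries (not from a real AD). userAccountControl 512 is a
# normal account; 514 = 512 + 2 (ACCOUNTDISABLE), the bit the filter excludes.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "user1", "userPrincipalName": "user1@fortilab.loc", "userAccountControl": 512},
    {"sAMAccountName": "user2", "userPrincipalName": "user2@fortilab.loc", "userAccountControl": 514},
    {"sAMAccountName": "jsmith", "userPrincipalName": "john.smith@fortilab.loc", "userAccountControl": 512},
]

def strip_domain(account_key):
    """account-key-processing strip: keep only the part before '@'."""
    return account_key.split("@", 1)[0]

def escape_filter_value(value):
    """RFC 4515 escaping, so a username containing filter metacharacters
    is matched literally instead of changing the shape of the query."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    """Inverse of escape_filter_value, used when comparing parsed values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render_filter(template, username):
    """Substitute %s in the account-key-filter with the escaped username."""
    return template.replace("%s", escape_filter_value(username))

def parse_filter(text):
    """Minimal RFC 4515 parser: &, |, ! and attr=value / attr:OID:=value items.
    Returns a tuple tree; raises ValueError on anything else."""
    def close(i):
        if i >= len(text) or text[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return i + 1
    def item(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        op = text[i + 1]
        if op in "&|":
            nodes, i = [], i + 2
            while i < len(text) and text[i] == "(":
                node, i = item(i)
                nodes.append(node)
            return (op, nodes), close(i)
        if op == "!":
            node, i = item(i + 2)
            return ("!", node), close(i)
        end = text.index(")", i)  # values are escaped, so ')' always ends the item
        m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)", text[i + 1:end])
        if not m:
            raise ValueError("unsupported filter item %r" % text[i + 1:end])
        return ("=", m.group(1), m.group(2), m.group(3)), end + 1
    tree, i = item(0)
    if i != len(text):
        raise ValueError("trailing characters in filter")
    return tree

def evaluate(node, entry):
    """Evaluate a parsed filter against one entry (dict of attributes)."""
    op = node[0]
    if op == "&":
        return all(evaluate(n, entry) for n in node[1])
    if op == "|":
        return any(evaluate(n, entry) for n in node[1])
    if op == "!":
        return not evaluate(node[1], entry)
    _, attr, rule, value = node
    # AD attribute names are case-insensitive (the article writes UserAccountControl).
    stored = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    if stored is None:
        return False
    if rule is None:
        return str(stored).lower() == unescape_filter_value(value).lower()
    if rule == LDAP_MATCHING_RULE_BIT_AND:  # every bit of the value must be set
        return int(stored) & int(value) == int(value)
    raise ValueError("unsupported matching rule " + rule)

def lookup(account_key, template=ARTICLE_FILTER, strip=True, directory=SAMPLE_DIRECTORY):
    """Mimic the FortiGate user search: strip (if enabled), render, evaluate.
    Returns the sAMAccountName of every matching entry."""
    username = strip_domain(account_key) if strip else account_key
    tree = parse_filter(render_filter(template, username))
    return [e["sAMAccountName"] for e in directory if evaluate(tree, e)]

if __name__ == "__main__":
    print(lookup("user1@fortilab.loc"))                            # ['user1']
    print(lookup("user2@fortilab.loc"))                            # [] disabled account
    print(lookup("john.smith@fortilab.loc"))                       # [] UPN prefix != sAMAccountName
    print(lookup("user1@fortilab.loc", "(userPrincipalName=%s)"))  # [] stripped name vs full UPN
```

The last call is the failure mode of combining `strip` with the default `userPrincipalName` attribute: the stripped name 'user1' is compared with the stored value 'user1@fortilab.loc' and nothing matches, which is why the filter (or, on 5.6 to 6.0, `account-key-name`) has to point at sAMAccountName.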

The following sniffer captures show:

- The FortiGate/FortiProxy search request towards the LDAP server with the above settings enabled, where the domain string has been stripped from the UPN and the search uses sAMAccountName:


2019-03-28 16:32:16.002217 port1 out 10.10.10.254.22511 -> 10.10.10.100.389: psh 789410175 ack 1878386003
0x0000   0000 0000 0000 0041 6c7a 0f02 0800 4500        .......Alz....E.
0x0010   00b1 919d 4000 4006 90eb 0a97 012d 0a97        ....@.@......-..
0x0020   0164 57ef 0185 2f0d 717f 6ff5 e553 8018        .dW.../.q.o..S..
0x0030   000b 222c 0000 0101 080a 0229 e0d5 0b34        ..",.......)...4
0x0040   7699 307b 0201 0263 7604 1164 633d 6b6c        v.0{...cv..dc=ex
0x0050   7461 632c 6463 3d6c 6f63 616c 0a01 020a        ample,dc=com....
0x0060   0100 0201 0002 0100 0101 ffa0 4ba3 1604        ............K...
0x0070   0d73 414d 4163 6f75 6e74 4e61 6d65 0405        .sAMAccountName.
0x0080   7573 6572 32a2 31a9 2f81 1631 2e32 2e38        user1.1./..1.2.8
0x0090   3430 2e31 3133 3535 362e 312e 342e 3830        40.113556.1.4.80
0x00a0   3382 1255 7365 7241 6363 6f75 6e74 436f        3..UserAccountCo
0x00b0   6e74 726f 6c83 0132 3005 0403 312e 31          ntrol..20...1.1

- A user search request from FortiGate/FortiProxy to the LDAP server with the following default settings, where the username still carries the domain string (user1@fortilab.loc):

account-key-processing   same
account-key-name         userPrincipalName

2019-03-28 16:37:26.425999 port1 out 10.10.10.254.22545 -> 10.10.10.100.389: psh 2791024640 ack 3639226358
0x0000   0000 0000 0000 0041 6c7a 0f02 0800 4500        .......Alz....E.
0x0010   00c3 fde2 4000 4006 2494 0a97 012d 0a97        ....@.@.$....-..
0x0020   0164 5811 0185 a65b a800 d8ea 2ff6 8018        .dX....[..../...
0x0030   000b 7b31 0000 0101 080a 022a 5a11 0b39        ..{1.......*Z..9
0x0040   332f 3081 8c02 0102 6381 8604 1164 633d        3/0.....c....dc=
0x0050   6b6c 7461 632c 6463 3d6c 6f63 616c 0a01        example,dc=com..
0x0060   020a 0100 0201 0002 0100 0101 ffa0 5ba3        ..............[.
0x0070   2604 1175 7365 7250 7269 6e63 6970 616c        &..userPrincipal
0x0080   4e61 6d65 0411 7573 6572 3240 4b4c 5441        Name..user1@forti
0x0090   432e 4c4f 4341 4ca2 31a9 2f81 1631 2e32        lab.loc.1./..1.2
0x00a0   2e38 3430 2e31 3133 3535 362e 312e 342e        .840.113556.1.4.
0x00b0   3830 3382 1255 7365 7241 6363 6f75 6e74        803..UserAccount
0x00c0   436f 6e74 726f 6c83 0132 3005 0403 312e        Control..20...1.
0x00d0   31                                             1


Related Articles

Technical Tip: Configuring FortiProxy Kerberos authentication for explicit proxy