Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mriha
Staff
Staff

Created on ‎01-02-2026 05:04 AM

Article Id 422317

Troubleshooting Tip: Decode Kerberos Authentication Service Request (AP_REQ) on FortiOS with Wireshark

Description This article describes how to troubleshoot an AP_REQ by decoding it.
Scope FortiOS.
Solution

When Kerberos authentication is configured in an explicit proxy on FortiOS and a client received a Service Ticket from Ticket Granting Server, the client sends the Service ticket (encrypted by Service Secret Key - keytab) along with User Authenticator (encrypted by Service Session Key) to the Service (in this case explicit proxy). The proxy decodes the Service Ticket by a keytab (imported previously from AD, for example via ktpass command). After decryption of the Service Ticket, it is possible to read mostly the following Service Ticket attributes:

  • Username/ID
  • Service Name/ID
  • Timestamp
  • User IP address
  • Lifetime of Service Ticket
  • Service Session Key

Service Session Key is then used to decrypt the User Authenticator message, which mostly contains:

  • Username/ID
  • Timestamp

 

The decryption can be done in Wireshark by following the steps below:

 

  1. Get the keytab from a server, which is imported in FortiGate, and save it to a file
  2. Run a packet capture and capture traffic between the client and FortiGate
  3. Identify the corresponding CONNECT request that does contain the Authentication Service Request (AP_REQ)

     

 

CONNECT www.fortinet.com:443 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0

Proxy-Connection: keep-alive

Connection: keep-alive

Host: www.fortinet.com:443

Proxy-Authorization: Negotiate YIIHMQYGKwYBBQUCoIIHJTCCByGgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCN

wICHgYKKwYBBAGCNwICCqKCBusEg

gbnYIIG4wYJKoZIhvcSAQICAQBuggbSMIIGzqADAgEFoQMCAQ6iBwMFACAAAACjggUKYYIFBjCCBQKgAwIBBaEOGwxJTlRFUk5BTC5MQ

UKiIzAhoAMCAQKhGjAYGwRIVFRQGxBmZ3QuaW50ZXJuYWwubGFio4IExDCCBMCgAwIBF6EDAgEIooIEsgSCBK62wA5g9ECZAFy7WBTKG

ZdqwjxPzb2IKOVaHrNXT34/xur0husDYhyePFmrPTDvGhWu11MO37ICXHPhHIy8hjNDahvmU+8O0VgSFWoBfJbpcgsLAhQrI8WD1xZfz

OPgv74CYZ3Vohj4/4cCLUvrLpJPXWfDBn6kNrmtnDg8hsEjLLAYmjTTchJRx0G+wNPBZ5w/CE/A6A3H7ui8fHlTLVdf4lCmTU2uXjXU7

J9xW/JJaxwJeD+BthnvpizOv+p0WfyyKuZp7jivBewa9Z1CRnj8Dak1jW+a+wLsOXs33myPtI6Mlk6pLw2lr4QGyKnoQENcGRTZPiK/s

mcYrO2kmkRS9yLu22iZ2RyZ/ozrVV/90NmlVxRz4oD4+GAiTVTbanYH6fSZOhwvSM10MlA4sQUWcRAF5PWirzbfwzPf8NuJH9fz2ckSB

ijb4ICo1QKI+USJAHnGHEqzkQDkGMeMhMZLKRMAdnoJKZPEWs763L9bCXzKeXuHQ67bzuEsVL14ri5n01uAJwcaIxoHog57cKzZF0j2C

1izZdLtMGZAq6nlIOdxClSOQmnmOcRZm+OkFqIEAmatDyyg1skvnYHNhHtj/Uh7ieAipHi/5QlTXCYh4HbIyXhGeaP73nkgRHqV605gH

gTei0zOj5eHC7+JTo/JR0+azCz1SvWpxsIgYxvAncK06t+qeTRnpjXujlW3xyahkYFqyuwkX189Hub0PnYV0NCRioLK2hWug+lqc/isi

49gbRKUG8r2yUBfECX2dWM9lEwId1q8EGdL03fd0QTP/0KfwwtH6pWaFc/4kut+ufeiRBOPKOMhltscIPJE26mmIJpqSQ7Wto6fg7XG8

BG/lkpCnfj9LQYNLlzigz6GUZ9UtOW/r+279NQ1c5OLbSiU80AVEMK4Bos11CugSBQZS5I9q+IJ1ygmjsNSDAoUvUQCc3JHL89X7PAo8

xyWQI2xOTIAoaZbTr9MsdqQIXtqR4agc+KbFDlf/JlZE3w0YoQfdIhUb9O8GQ3eTa6Ah4Yk0J1ibnVN8Sqs/KhY0L6hTYiL/A4jtLbwz

3CJKsIqYI4wR1I95rvUftAImEpceLXBCTm8kPckg0L31O6kpN1B8EBBP6wxf//hAmI9fO9swwZPvMjmLFPsjRpMkDOJpogCOirZpIvYd

th6PqZlSsF2Rbqb+2Q3/adYJBYhUlveB46tnHZz/Q8X8VdgzofQmqEJnmtvEAeAPjDPpuhznbjHjcDTBirT7nFzhWk/xUeeWQWb7QkqU

EbmMjSmJWGCbVIB7i8HmWqMirEkCN0ukcln1uolrAdw6EjuvchSIqGLYjwAL/+G/bu5OK1igqhGp1XP5Ipr5p0tEi7TZZlCG76XhvuDOm

VhJOm**bleep**8MpSNlT03BUbW9HThqGHvnX7MpPIewm4AEKgtdsDs44HwKlmon

XauqXAdTfQLRV31hLbCdFFAXARAdXT8b0nzON4cfrvtPjj5NUb4P0TQTWy5xpcUJZuzNF2h5WdXk2UUJ7A6gHR96NF0D9sm5k3dnytfYT

2wPTuO8Hlzirnp3S8flG0FRsc5YzB5j9vhSYMmE4Xd9on5OqoPIBvATjiJ1/E7jpIIBqTCCAaWgAwIBEqKCAZwEggGY1YQy5cJXrSx2K+

Ki4u0J9IGra3Rif5IbAfVrw5l6t4/vMTs4qaGfsbqk9J0BdHB7ahzdLSm6ViUWsahphbvBiwloXTYm84P9pDJMWpayvkCfcHCbMnqZk/ynb6cTlTmrGFafFVtIh25e+3rgwI8loUH+4DcQjE1PcVnTtJC0B6PV27Ue3KIDqbuQDpSB+CyHVk5wlEXxMXIoLq5JLpE/5Irc+rtj8FD

tvLIAErLbx9dDRVnm7zGCHBDUH6oAcK2+bitd6wX2DlgAd5fuLd501MOXAkp6AJj0R7DGFkg/YHXVLcBS4ZA9s9HMJ/rgZUA1VjGxg2/q07Ui2vztXkruDKRgplhF0myWKk6O5qIFy66XqYGI6S4ZF0PWLLQcLcsc7Ho5947+4Iqf/+eqABffGG5nxsNoPpjqzAKtvuP0SQe6SP4Viy/sappZZdOi354scXR1jyKzap7p1+oLz4NnVgRbG6M9OgSvi+hT1bSZVPfQQlgfhPnkun0L2wbWlFDcqMM8vKnVDH1lGixt6wC7D8P7obEh/112

 

  1. Navigate to Edit -> Preferences -> Protocols -> KRB5; enable 'Try to decrypt Kerberos blobs' and select the keytab file.

If applied correctly, the Authentication Service Request is decoded and can be further inspected.

 

krb.png
29
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.