Description | This article describes how to handle the error 'Cannot find key for' the principal in Kerberos Authentication. |
Scope | FortiGate, FortiProxy |
Solution |
Kerberos authentication fails when the FortiGate cannot locate the correct key for the principal.
When a connection attempt using Kerberos authentication fails, the WAD debug output shows the following error:
[I][p:221][s:1956622081][r:16777808] wad_krb_err_print :46 Error returned by gss_accept_sec_con
[I][p:221][s:1956622081][r:16777808] wad_http_auth_status_proc :9968 authenticate result=failure
To resolve this issue, remove the existing keytab from the FortiGate and generate a new one on the server using the ktpass command:
ktpass -princ HTTP/fortigate2K.abc.com@ABC.COM -mapuser <user> -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fgt.keytab
Note that <user> in the above command is the service account created in AD and <password> is the password of that service account.
To check if the keytab is successfully imported and decoded, use the below command:
Make sure the principal entered in the config user krb-keytab section exactly matches the one used in the ktpass command when generating the keytab file. Ensure that the base64-encoded keytab file on the server is merged into a single continuous line; otherwise the import to the FortiGate will not succeed.
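As an added example (not part of the Fortinet article), the following Python script parses a keytab, checks that the principal it contains exactly matches the one to be entered under config user krb-keytab, and emits the base64 as one continuous line ready for import. The parser follows the standard MIT keytab layout (version 0x0502); the sample keytab is constructed in code rather than produced by ktpass.

```python
import base64
import struct

def _read_cstr(buf: bytes, off: int):
    """Read a 16-bit length-prefixed string at off; return (text, new_off)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data: bytes) -> list:
    """Parse an MIT-format (0x0502) keytab into {principal, kvno, enctype} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        e, pos = data[pos:pos + abs(size)], pos + abs(size)
        if size <= 0:                        # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, off = _read_cstr(e, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_cstr(e, off)
            comps.append(comp)
        # name_type and timestamp are skipped; vno8 is the 8-bit key version.
        _nt, _ts, vno8, enctype, keylen = struct.unpack(">IIBHH", e[off:off + 13])
        off += 13 + keylen
        # Newer writers append a 32-bit kvno after the key; use it when non-zero.
        kvno32 = struct.unpack(">I", e[off:off + 4])[0] if off + 4 <= len(e) else 0
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno32 or vno8, "enctype": enctype})
    return entries

def check_keytab(data: bytes, configured_principal: str):
    """Return (principal_found, one_line_base64) for a FortiGate keytab import."""
    found = configured_principal in [e["principal"] for e in parse_keytab(data)]
    return found, base64.b64encode(data).decode("ascii")   # no line breaks

def build_keytab(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Build a one-entry keytab as constructed sample input (not ktpass output)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    cstr = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cstr(realm) + b"".join(map(cstr, comps))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # KRB5_NT_PRINCIPAL, ts, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run check_keytab on the real fgt.keytab with the principal from your config user krb-keytab entry; a False result means the names differ (Kerberos principals are case-sensitive), which is exactly the mismatch that produces the 'Cannot find key for' failure.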
Before retrying, purge the Kerberos ticket cache on the end-user machine with the following command:
klist purge
Afterwards, clear the user's browser cache and cookies. |