FortiGate
Debbie_FTNT
Staff & Editor
Article Id 191852

Description


This article describes the two possible sources of group information in an explicit proxy setup with Kerberos authentication (the Kerberos ticket itself, or an LDAP lookup), and the issues that can arise depending on which one is used.

 

Scope

 

FortiGate.


Solution


FortiGate and FortiProxy support Kerberos authentication for explicit proxy connections.

This includes gathering information about user groups to match individual users to the appropriate policies.
Under some circumstances, FortiGate/FortiProxy might show an unexpected user group or not perform a proper lookup against LDAP when one is expected.

 

Proxy users may appear with only one group in the authenticated user list: their primary group as defined in LDAP/Active Directory.

 

diagnose wad user list

 

FortiGate may miss the user's other group memberships, even when those groups are referenced in higher-priority policies, so users end up matching unexpected policies.

This may be caused by the pac-data setting:

 

config user krb-keytab
    set pac-data enable
end

 

This setting allows FortiProxy/FortiGate to take additional information (including group membership) from the PAC (Privilege Attribute Certificate) data carried in the Kerberos tickets presented during authentication.
With it enabled, the unit does NOT perform an actual lookup against LDAP, so any group membership that is not included in the Kerberos ticket is missed.

WAD debug can help pinpoint this.

 

diagnose wad filter src <IP address>
diagnose wad debug enable cat auth
diagnose wad debug enable cat policy
diagnose wad debug enable level verbose
diagnose debug enable

 

To stop debugging:

 

diagnose debug disable

diagnose debug reset

 

WAD debug will NOT show an actual group lookup against LDAP; it will instead show the user matching a cached group. This remains the case even if the LDAP group cache is disabled:

 

config web-proxy global
    set ldap-user-cache disable
end

 

If the WAD debug still shows users matching against cached results even with the group cache disabled and the WAD process restarted, that is a strong indicator that the pac-data setting is enabled and responsible for the mismatches.
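As an added illustration (not part of the original article), the following FortiOS CLI sequence shows the keytab configuration that sources group membership from the ticket's PAC next to the corrected configuration that forces an actual LDAP lookup, followed by the checks to confirm the change took effect. The keytab entry name "krb-proxy", the principal, the LDAP server object "ldap-ad" and the keytab value are placeholders chosen for this example and must be replaced with your own.

```text
# Inspect the current keytab entry; 'show full-configuration' prints pac-data
# even when it is at its default value.
show full-configuration user krb-keytab

# Problematic configuration: groups are read from the Kerberos PAC and no LDAP
# lookup is performed, so groups missing from the ticket are never seen.
# (entry name, principal, ldap-server and keytab are placeholder values)
config user krb-keytab
    edit "krb-proxy"
        set principal "HTTP/proxy.example.com@EXAMPLE.COM"
        set ldap-server "ldap-ad"
        set keytab "<base64 keytab, elided>"
        set pac-data enable
    next
end

# Corrected configuration: group membership is resolved with an LDAP lookup
# against the server referenced by ldap-server.
config user krb-keytab
    edit "krb-proxy"
        set pac-data disable
    next
end

# Leave the LDAP group cache enabled so the lookup is not repeated on every
# request; the cache is only worth disabling while diagnosing the issue.
config web-proxy global
    set ldap-user-cache enable
end

# Restart WAD so previously authenticated users and their cached group results
# are dropped, then confirm that users now list all of their groups.
diagnose test application wad 99
diagnose wad user list
```

After the restart, the WAD debug described above (category auth and policy, level verbose) should show the LDAP group lookup rather than a cached match, and the user list should carry every group used in the proxy policies rather than only the primary group. The trade-off is that group resolution now depends on the LDAP server being reachable, which is why the cache is left enabled once the diagnosis is finished.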

 

Related articles:

Technical Tip: FortiGate explicit proxy authentication with Kerberos 

Technical Tip: Configuring FortiProxy Kerberos authentication for explicit proxy