Adryan_you
Staff
Article Id 217063
Description This article describes how to configure FortiProxy for multidomain Kerberos authentication.
Scope FortiProxy.
Solution

Refer to this KB article to set up Kerberos in FortiProxy: Technical Tip: Configuring FortiProxy Kerberos authentication for explicit proxy

 

The following additional steps and details need to be included:


When encoding the keytab, the Windows server itself can be used to do the encoding:


certutil -encode <keytab> <encode-file-name>


For example:

 

C:\Users\Administrator>certutil -encode fpxkvm.keytab fpxkvm-base64

 

Open the encoded output file in a text editor to retrieve the Base64 content.
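As an added sanity check that is not part of the article, the following Python helper strips the header, footer and line breaks that certutil -encode wraps around the Base64 payload and confirms the payload decodes to something that starts with the keytab version bytes (0x05 0x01 or 0x05 0x02) before it is pasted into 'set keytab'. The keytab bytes and the certutil-style wrapper used as input are constructed here, not taken from a real server.

```python
import base64
import re

# Constructed stand-in for a keytab: an MIT-format keytab begins with the
# bytes 0x05 0x02 (format version 2); the remaining bytes are dummy data.
FAKE_KEYTAB = b"\x05\x02" + bytes(range(30))


def certutil_style_encode(raw: bytes) -> str:
    """Mimic the layout of 'certutil -encode' output (constructed here, not
    produced by certutil): PEM-style header and footer around Base64 that is
    broken into 64-character lines with CRLF line endings."""
    body = base64.b64encode(raw).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


def extract_keytab_b64(encoded_text: str) -> str:
    """Return the bare Base64 payload (no header, footer or line breaks),
    which is the single-line value the FortiProxy 'set keytab' option takes."""
    lines = [ln.strip() for ln in encoded_text.splitlines()]
    body = [ln for ln in lines if ln and not ln.startswith("-----")]
    b64 = "".join(body)
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", b64):
        raise ValueError("output contains characters that are not Base64")
    return b64


def decodes_to_keytab(b64: str) -> bool:
    """True if the payload decodes cleanly and starts with the keytab version
    bytes, i.e. the right file was encoded and nothing was lost in copying."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return raw[:2] in (b"\x05\x01", b"\x05\x02")


if __name__ == "__main__":
    payload = extract_keytab_b64(certutil_style_encode(FAKE_KEYTAB))
    print("keytab payload OK" if decodes_to_keytab(payload) else "not a keytab")
```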

 

For a multidomain setup, two different LDAP server objects are needed, one per domain.

When setting up an LDAP server object in FortiProxy, 'group-search-base' must be defined (via CLI only).

 

Note:

There is a behavior change between v7.0 and v7.2. In v7.0, if 'group-search-base' is not configured, the 'User membership query' in the LDAP query still works and group information can still be retrieved this way.

 

From v7.2 onward, if this option is not configured, FortiGate performs no 'User membership query' at all, only the 'attribute query' and the 'Primary group query'. LDAP groups that can only be found through a 'User membership query' will therefore be missing from the LDAP response. It is important to define 'group-search-base'.

 

config user ldap
    edit "Kerberos-LDAP-Bezza"
        set server "x.x.x.x"
        set cnid "sAMAccountName"
        set dn "dc=bezza-kvm53,dc=local"
        set type regular
        set username "CN=administrator,CN=Users,DC=bezza-kvm53,DC=local"
        set password <password>
        set group-search-base "dc=bezza-kvm53,dc=local" <-----
    next
    edit "Kerberos-LDAP-Kancil"
        set server "y.y.y.y"
        set cnid "sAMAccountName"
        set dn "dc=kancil-kvm07,dc=local"
        set type regular
        set username "CN=Administrator,CN=Users,DC=kancil-kvm07,DC=local"
        set password <password>
        set group-search-base "dc=kancil-kvm07,dc=local" <-----
    next
end

 

Create a Kerberos object in FortiProxy. Include both LDAP servers in the Kerberos setting.


config user krb-keytab
    edit "1"
        set principal "<FPX_principal_name>"
        set ldap-server "Kerberos-LDAP-Bezza" "Kerberos-LDAP-Kancil" <----- Both LDAP servers.
        set keytab <encoded-keytab>
    next
end

 

For each user group, make sure the group is associated with the LDAP server of its own domain, both as the group member and in the match entry.


config user group
    edit "Kerberos-Bezza-user-group"
        set member "Kerberos-LDAP-Bezza" <----- LDAP server.
        config match
            edit 1
                set server-name "Kerberos-LDAP-Bezza" <----- LDAP server.
                set group-name "CN=Domain Users,CN=Users,DC=bezza-kvm53,DC=local"
            next
        end
    next
end

 

The policy:


config firewall policy
    edit 3
        set type explicit-web
        set name "Kerberos-Auth-Policy"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set groups "Kerberos-Bezza-user-group" "Kerberos-Kancil-user-group" <----- Both user groups.
    next
end

 

Result:


dia wad user list
ID: 43, VDOM: root, IPv4: 10.207.1.46
user name : testkancil
worker : 0
duration : 8549
auth_type : Session
auth_method : Negotiate <<== Kerberos
pol_id : 0
g_id : 0
user_based : 0
expire : 518
LAN:
bytes_in=391126651 bytes_out=120040279
WAN:
bytes_in=239893910 bytes_out=782287352

 

ID: 46, VDOM: root, IPv4: 10.207.1.46
user name : testbezza
worker : 0
duration : 60
auth_type : Session
auth_method : Negotiate <<== Kerberos
pol_id : 0
g_id : 0
user_based : 0
expire : no
LAN:
bytes_in=145533 bytes_out=4652762
WAN:
bytes_in=9258772 bytes_out=292344

 

Forward traffic log:


exec log filter device 1   <----- Disk logging.
exec log filter category 0 <----- Forward traffic log.
exec log display

 

date=2022-07-08 time=13:48:11 eventtime=1657259291692334330 tz="+0800" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.207.1.46 srcport=56025 srcintf="port4" srcintfrole="undefined" dstcountry="Malaysia" srccountry="Reserved" dstip=23.14.198.78 dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=1604885030 service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="6492abee-fdd7-51ec-6427-0c5f05701d8f" policyname="Kerb" trandisp="snat" transip=10.47.2.28 transport=40650 duration=5115 user="testbezza" group="Kerberos-Bezza-user-group" authserver="Kerberos-LDAP-Bezza" wanin=338 rcvdbyte=338 wanout=213 lanin=4869 sentbyte=4869 lanout=5763 appcat="unscanned"

 

date=2022-07-08 time=13:47:44 eventtime=1657259264303615072 tz="+0800" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.207.1.46 srcport=55969 srcintf="port4" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=13.107.42.254 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1604885023 service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="6492abee-fdd7-51ec-6427-0c5f05701d8f" policyname="Kerb" trandisp="snat" transip=10.47.2.28 transport=60194 duration=14098 user="testkancil" group="Kerberos-Kancil-user-group" authserver="Kerberos-LDAP-Kancil" wanin=7499 rcvdbyte=7499 wanout=1199 lanin=4328 sentbyte=4328 lanout=12494 appcat="unscanned"
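The two log entries above show the field triple that confirms the multidomain setup is working: user, group and authserver must agree with the LDAP-server-to-user-group pairing in the configuration. As an added example that is not part of the article, the Python below parses FortiProxy key=value log lines and reports accepted sessions whose group does not belong to the authserver that authenticated the user, or that carry no user at all. The first two sample lines are shortened copies of the article's entries; the third is constructed to show a mismatch.

```python
import re
from typing import Dict, List

# Forward-traffic log lines in key=value format. Lines 1 and 2 are shortened
# from the article; line 3 is constructed: a Kancil user matched to the Bezza
# group, which the configuration should never produce.
LOG_LINES = [
    'date=2022-07-08 time=13:48:11 type="traffic" subtype="forward" srcip=10.207.1.46 '
    'dstip=23.14.198.78 dstport=80 service="HTTP" action="accept" policyid=3 '
    'user="testbezza" group="Kerberos-Bezza-user-group" authserver="Kerberos-LDAP-Bezza"',
    'date=2022-07-08 time=13:47:44 type="traffic" subtype="forward" srcip=10.207.1.46 '
    'dstip=13.107.42.254 dstport=443 service="HTTPS" action="accept" policyid=3 '
    'user="testkancil" group="Kerberos-Kancil-user-group" authserver="Kerberos-LDAP-Kancil"',
    'date=2022-07-08 time=13:49:02 type="traffic" subtype="forward" srcip=10.207.1.46 '
    'dstip=13.107.42.254 dstport=443 service="HTTPS" action="accept" policyid=3 '
    'user="testkancil" group="Kerberos-Bezza-user-group" authserver="Kerberos-LDAP-Kancil"',
]

# Expected pairing LDAP server object -> user group that has it as member
# (from the article's 'config user group' / 'set member' relationship).
EXPECTED_GROUP = {
    "Kerberos-LDAP-Bezza": "Kerberos-Bezza-user-group",
    "Kerberos-LDAP-Kancil": "Kerberos-Kancil-user-group",
}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Split one log line into a dict, stripping the quotes around values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def check_auth_mapping(lines, expected=EXPECTED_GROUP) -> List[str]:
    """Return one finding per accepted session whose authserver/group pair does
    not match the configured pairing, or that was accepted without a user."""
    findings = []
    for line in lines:
        rec = parse_log(line)
        if rec.get("action") != "accept":
            continue
        user, group, server = rec.get("user"), rec.get("group"), rec.get("authserver")
        if not user:
            findings.append(f"{rec.get('srcip')}->{rec.get('dstip')}: accepted without a user")
        elif expected.get(server) != group:
            findings.append(f"user {user}: group {group!r} does not belong to {server!r}")
    return findings
```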

 

Other things to note:

  • Make sure a two-way domain forest trust is configured at the domain controllers.
  • Make sure all the domain controllers and hosts are NTP-synchronized.
  • Make sure the computer can resolve the FortiProxy FQDN correctly.
  • Make sure the Kerberos ticket is present on the computer (cmd -> klist).

 
