Help
FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Adryan_you
Staff
Staff

Created on ‎07-07-2022 11:36 PM Edited on ‎07-07-2022 11:39 PM By Community Manager

Article Id 217063

Technical Tip: Configure FortiProxy for multidomain Kerberos authentication

Description This article describes how to configure FortiProxy for multidomain Kerberos authentication.
Scope FortiProxy.
Solution

- Refer to this KB article to setup Kerberos in FortiProxy:
https://community.fortinet.com/t5/FortiProxy/Technical-Tip-Configuring-FortiProxy-Kerberos-authentic...

 

- There are several additional steps/data to be included:


1) When encode the keytab, it is possible to use the Window Server to do the encoding:


certutil -encode <keytab> <encode-file-name>


For example:

 

C:\Users\Administrator>certutil -encode fpxkvm.keytab fpxkvm-base64

 

Open the encode output using txt editor to retrieve the content.

 

2) For multidomain, it is necessary to have 2 different LDAP servers.

When setup LDAP server object in FortiProxy, it is necessary to define 'group-search-base'(via CLI only).

 

# config user ldap
    edit "Kerberos-LDAP-Bezza"
        set server "x.x.x.x"
        set cnid "sAMAccountName"
        set dn "dc=bezza-kvm53,dc=local"
        set type regular
        set username "CN=administrator,CN=Users,DC=bezza-kvm53,DC=local"
        set password <password>
        set group-search-base "dc=bezza-kvm53,dc=local" <-----
    next
        edit "Kerberos-LDAP-Kancil"
            set server "y.y.y.y"
            set cnid "sAMAccountName"
            set dn "dc=kancil-kvm07,dc=local"
            set type regular
            set username "CN=Administrator,CN=Users,DC=kancil-kvm07,DC=local"
            set password <password>
            set group-search-base "dc=kancil-kvm07,dc=local" <-----
        next
    end

 

3) Create kerberos object in FortiProxy. Include both LDAP server into the kerberos setting.


# config user krb-keytab
    edit "1"
        set principal "<FPX_principal_name>"
        set ldap-server "Kerberos-LDAP-Bezza" "Kerberos-LDAP-Kancil" <----- LDAP server.
        set keytab <encoded-keytab>
    next
end

 

4) For user group, make sure the user group associate with the same LDAP server.


# config user group
    edit "Kerberos-Bezza-user-group"
        set member "Kerberos-LDAP-Bezza" <----- LDAP server.
# config match
    edit 1
        set server-name "Kerberos-LDAP-Bezza" <----- LDAP server.
        set group-name "CN=Domain Users,CN=Users,DC=bezza-kvm53,DC=local"
    next
end

 

5) The policy:


# config firewall policy
    edit 3
        set type explicit-web
        set name "Kerberos-Auth-Policy"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set groups "Kerberos-Bezza-user-group" "Kerberos-Kancil-user-group" <----- Both user group.
    next
end

 

6) Result:


# dia wad user list
ID: 43, VDOM: root, IPv4: 10.207.1.46
user name : testkancil
worker : 0
duration : 8549
auth_type : Session
auth_method : Negotiate <<== Kerberos
pol_id : 0
g_id : 0
user_based : 0
expire : 518
LAN:
bytes_in=391126651 bytes_out=120040279
WAN:
bytes_in=239893910 bytes_out=782287352

 

ID: 46, VDOM: root, IPv4: 10.207.1.46
user name : testbezza
worker : 0
duration : 60
auth_type : Session
auth_method : Negotiate <<== Kerberos
pol_id : 0
g_id : 0
user_based : 0
expire : no
LAN:
bytes_in=145533 bytes_out=4652762
WAN:
bytes_in=9258772 bytes_out=292344

 

Forward traffic log:


# exec log filter device 1   <----- Disk logging.
# exec log filter category 0 <----- Forward traffic log.
# exec log display

 

date=2022-07-08 time=13:48:11 eventtime=1657259291692334330 tz="+0800" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.207.1.46 srcport=56025 srcintf="port4" srcintfrole="undefined" dstcountry="Malaysia" srccountry="Reserved" dstip=23.14.198.78 dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=1604885030 service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="6492abee-fdd7-51ec-6427-0c5f05701d8f" policyname="Kerb" trandisp="snat" transip=10.47.2.28 transport=40650 duration=5115 user="testbezza" group="Kerberos-Bezza-user-group" authserver="Kerberos-LDAP-Bezza" wanin=338 rcvdbyte=338 wanout=213 lanin=4869 sentbyte=4869 lanout=5763 appcat="unscanned"

 

date=2022-07-08 time=13:47:44 eventtime=1657259264303615072 tz="+0800" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.207.1.46 srcport=55969 srcintf="port4" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=13.107.42.254 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1604885023 service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="6492abee-fdd7-51ec-6427-0c5f05701d8f" policyname="Kerb" trandisp="snat" transip=10.47.2.28 transport=60194 duration=14098 user="testkancil" group="Kerberos-Kancil-user-group" authserver="Kerberos-LDAP-Kancil" wanin=7499 rcvdbyte=7499 wanout=1199 lanin=4328 sentbyte=4328 lanout=12494 appcat="unscanned"

 

7) Other things to take note:


- Make sure 2-way domain forest trust is configured at the domain controller.
- Make sure all the domain controller and host NTP are in-sync.
- Make sure computer can resolve FortiProxy FQDN correctly.
- Make sure to see kerberos ticket in the computer (cmd -> klist).

 

Adryan_you_0-1657260372329.png

 

Labels:
1207
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.