Adryan_you
Staff
Article Id 217063
Description This article describes how to configure FortiProxy for multidomain Kerberos authentication.
Scope FortiProxy.
Solution

- Refer to this KB article to set up Kerberos authentication in FortiProxy:
https://community.fortinet.com/t5/FortiProxy/Technical-Tip-Configuring-FortiProxy-Kerberos-authentic...

 

- For multidomain authentication, the following additional steps and data are required:


1) To base64-encode the keytab, the certutil tool on the Windows Server can be used:


certutil -encode <keytab> <encode-file-name>


For example:

 

C:\Users\Administrator>certutil -encode fpxkvm.keytab fpxkvm-base64

 

Open the encoded output file in a text editor and copy the base64 content (without the BEGIN/END header lines that certutil adds).

 

2) For multidomain authentication, two different LDAP server objects are required, one per domain.

When setting up each LDAP server object in FortiProxy, 'group-search-base' must be defined (available via CLI only).

 

# config user ldap
    edit "Kerberos-LDAP-Bezza"
        set server "x.x.x.x"
        set cnid "sAMAccountName"
        set dn "dc=bezza-kvm53,dc=local"
        set type regular
        set username "CN=administrator,CN=Users,DC=bezza-kvm53,DC=local"
        set password <password>
        set group-search-base "dc=bezza-kvm53,dc=local" <----- Group search base, CLI only.
    next
    edit "Kerberos-LDAP-Kancil"
        set server "y.y.y.y"
        set cnid "sAMAccountName"
        set dn "dc=kancil-kvm07,dc=local"
        set type regular
        set username "CN=Administrator,CN=Users,DC=kancil-kvm07,DC=local"
        set password <password>
        set group-search-base "dc=kancil-kvm07,dc=local" <----- Group search base, CLI only.
    next
end

 

3) Create the Kerberos keytab object in FortiProxy and include both LDAP servers in it.


# config user krb-keytab
    edit "1"
        set principal "<FPX_principal_name>"
        set ldap-server "Kerberos-LDAP-Bezza" "Kerberos-LDAP-Kancil" <----- Both LDAP servers.
        set keytab <encoded-keytab>
    next
end

 

4) For the user groups, make sure that each group's member and its group match both reference the same LDAP server (the example shows the Bezza group; the Kancil group is configured the same way against Kerberos-LDAP-Kancil).


# config user group
    edit "Kerberos-Bezza-user-group"
        set member "Kerberos-LDAP-Bezza" <----- LDAP server.
        config match
            edit 1
                set server-name "Kerberos-LDAP-Bezza" <----- Same LDAP server.
                set group-name "CN=Domain Users,CN=Users,DC=bezza-kvm53,DC=local"
            next
        end
    next
end

 

5) The explicit web proxy policy must reference both user groups:


# config firewall policy
    edit 3
        set type explicit-web
        set name "Kerberos-Auth-Policy"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set groups "Kerberos-Bezza-user-group" "Kerberos-Kancil-user-group" <----- Both user groups.
    next
end

 

6) Result: users from both domains authenticate through Negotiate (Kerberos), each against its own LDAP server.


# dia wad user list
ID: 43, VDOM: root, IPv4: 10.207.1.46
user name : testkancil
worker : 0
duration : 8549
auth_type : Session
auth_method : Negotiate <<== Kerberos
pol_id : 0
g_id : 0
user_based : 0
expire : 518
LAN:
bytes_in=391126651 bytes_out=120040279
WAN:
bytes_in=239893910 bytes_out=782287352

 

ID: 46, VDOM: root, IPv4: 10.207.1.46
user name : testbezza
worker : 0
duration : 60
auth_type : Session
auth_method : Negotiate <<== Kerberos
pol_id : 0
g_id : 0
user_based : 0
expire : no
LAN:
bytes_in=145533 bytes_out=4652762
WAN:
bytes_in=9258772 bytes_out=292344

 

Forward traffic log (note that user, group and authserver belong to the same domain in each entry):


# exec log filter device 1   <----- Disk logging.
# exec log filter category 0 <----- Forward traffic log.
# exec log display

 

date=2022-07-08 time=13:48:11 eventtime=1657259291692334330 tz="+0800" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.207.1.46 srcport=56025 srcintf="port4" srcintfrole="undefined" dstcountry="Malaysia" srccountry="Reserved" dstip=23.14.198.78 dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=1604885030 service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="6492abee-fdd7-51ec-6427-0c5f05701d8f" policyname="Kerb" trandisp="snat" transip=10.47.2.28 transport=40650 duration=5115 user="testbezza" group="Kerberos-Bezza-user-group" authserver="Kerberos-LDAP-Bezza" wanin=338 rcvdbyte=338 wanout=213 lanin=4869 sentbyte=4869 lanout=5763 appcat="unscanned"

 

date=2022-07-08 time=13:47:44 eventtime=1657259264303615072 tz="+0800" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.207.1.46 srcport=55969 srcintf="port4" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=13.107.42.254 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1604885023 service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="6492abee-fdd7-51ec-6427-0c5f05701d8f" policyname="Kerb" trandisp="snat" transip=10.47.2.28 transport=60194 duration=14098 user="testkancil" group="Kerberos-Kancil-user-group" authserver="Kerberos-LDAP-Kancil" wanin=7499 rcvdbyte=7499 wanout=1199 lanin=4328 sentbyte=4328 lanout=12494 appcat="unscanned"
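To confirm the multidomain setup is behaving as intended, the forward traffic log can be checked for entries where a user's group and authserver do not belong to the same domain. The following script is an added example, not part of the original article: it parses FortiOS key=value log lines and flags any entry on the authentication policy whose authserver does not match the LDAP server expected for its group. The group-to-LDAP-server mapping is taken from the configuration above; the two sample lines are abridged from the article's output and the third is a constructed mismatch.

```python
"""Check FortiProxy forward-traffic logs for consistent multidomain Kerberos auth."""
import shlex

# Expected user group -> LDAP server mapping, taken from the article's configuration.
# The authserver field of each log entry must match the LDAP server of its group.
GROUP_TO_AUTHSERVER = {
    "Kerberos-Bezza-user-group": "Kerberos-LDAP-Bezza",
    "Kerberos-Kancil-user-group": "Kerberos-LDAP-Kancil",
}


def parse_log_line(line):
    """Parse a FortiOS key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):          # shlex strips the quotes around values
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def check_auth_consistency(lines, policy_id="3"):
    """Return (user, group, authserver, reason) tuples for entries that look wrong."""
    findings = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("type") != "traffic" or f.get("policyid") != policy_id:
            continue
        user, group, authserver = f.get("user"), f.get("group"), f.get("authserver")
        if not user:
            findings.append((None, group, authserver, "unauthenticated session on auth policy"))
        elif group not in GROUP_TO_AUTHSERVER:
            findings.append((user, group, authserver, "unexpected group"))
        elif GROUP_TO_AUTHSERVER[group] != authserver:
            findings.append((user, group, authserver, "authserver does not match group's LDAP server"))
    return findings


# Two lines abridged from the article's log output, plus one constructed mismatch.
SAMPLE_LOGS = [
    'date=2022-07-08 time=13:48:11 type="traffic" subtype="forward" srcip=10.207.1.46 dstcountry="Malaysia" policyid=3 policytype="proxy-policy" user="testbezza" group="Kerberos-Bezza-user-group" authserver="Kerberos-LDAP-Bezza"',
    'date=2022-07-08 time=13:47:44 type="traffic" subtype="forward" srcip=10.207.1.46 dstcountry="United States" policyid=3 policytype="proxy-policy" user="testkancil" group="Kerberos-Kancil-user-group" authserver="Kerberos-LDAP-Kancil"',
    # Constructed: Bezza group but authenticated against the Kancil LDAP server.
    'date=2022-07-08 time=13:50:00 type="traffic" subtype="forward" srcip=10.207.1.50 dstcountry="Malaysia" policyid=3 policytype="proxy-policy" user="testbezza" group="Kerberos-Bezza-user-group" authserver="Kerberos-LDAP-Kancil"',
]

if __name__ == "__main__":
    for finding in check_auth_consistency(SAMPLE_LOGS):
        print(finding)
```

Feed it the output of `exec log display` (one entry per line) to review a real session; an empty result means every authenticated session on the policy used the LDAP server of its own domain.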

 

7) Other things to take note of:


- Make sure a two-way forest trust is configured between the domains on the domain controllers.
- Make sure all domain controllers and hosts are NTP-synchronized (Kerberos rejects tickets with excessive clock skew).
- Make sure the client computer can resolve the FortiProxy FQDN correctly.
- Make sure a Kerberos ticket for the FortiProxy service is present on the client computer (cmd -> klist).

 


 
