Created on 07-07-2022 11:36 PM Edited on 07-07-2022 11:39 PM By Anthony_E
Description: This article describes how to configure FortiProxy for multidomain Kerberos authentication.
Scope: FortiProxy.
Solution:
- Refer to this KB article to set up Kerberos in FortiProxy:
- For a multidomain setup, several additional steps and pieces of data must be included:
1) Encode the keytab file as base64 (shown here with certutil on Windows):
C:\Users\Administrator>certutil -encode fpxkvm.keytab fpxkvm-base64
Open the encoded output in a text editor to retrieve the base64 content.
2) For multidomain authentication, two different LDAP servers are required, one per domain. When setting up each LDAP server object in FortiProxy, 'group-search-base' must be defined (available via CLI only).
# config user ldap
3) Create the Kerberos object in FortiProxy and include both LDAP servers in the Kerberos setting.
4) For the user groups, make sure each user group is associated with the same LDAP server that serves its domain.
5) The policy:
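The CLI side of steps 2 to 5 in one place, as an added example that is not part of the original article. Object, group, interface and policy names are taken from the result logs in step 6; the domain base DNs, bind accounts, SPN and keytab text are placeholders; the keytab object name, the multi-value form of 'ldap-server' and the 'firewall proxy-policy' table name are assumptions, and the optional 'config match' blocks are omitted.

```text
config user ldap
    edit "Kerberos-LDAP-Bezza"
        set server "<domain-A-DC-ip>"               # placeholder, not on the page
        set cnid "sAMAccountName"
        set dn "DC=bezza,DC=local"                  # placeholder base DN of domain A
        set type regular
        set username "<bind-account-A>"             # placeholder
        set password "<bind-password-A>"            # placeholder
        set group-search-base "DC=bezza,DC=local"   # CLI-only, required for multidomain (step 2)
    next
    edit "Kerberos-LDAP-Kancil"
        set server "<domain-B-DC-ip>"               # placeholder
        set cnid "sAMAccountName"
        set dn "DC=kancil,DC=local"                 # placeholder base DN of domain B
        set type regular
        set username "<bind-account-B>"             # placeholder
        set password "<bind-password-B>"            # placeholder
        set group-search-base "DC=kancil,DC=local"  # placeholder
    next
end
config user krb-keytab
    edit "Kerberos-multidomain"                     # hypothetical object name
        set principal "HTTP/<proxy-fqdn>@<REALM>"   # placeholder SPN matching the keytab
        set ldap-server "Kerberos-LDAP-Bezza" "Kerberos-LDAP-Kancil"   # both servers (step 3); multi-value form assumed
        set keytab "<base64 text from step 1>"      # placeholder
    next
end
config user group
    edit "Kerberos-Bezza-user-group"
        set member "Kerberos-LDAP-Bezza"            # each group bound only to its own domain's LDAP server (step 4)
    next
    edit "Kerberos-Kancil-user-group"
        set member "Kerberos-LDAP-Kancil"
    next
end
config firewall proxy-policy
    edit 3                                          # policyid=3, policyname="Kerb" in the logs (step 5)
        set name "Kerb"
        set proxy explicit-web
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "Kerberos-Bezza-user-group" "Kerberos-Kancil-user-group"
        set logtraffic all
    next
end
```

After applying it, the forward traffic log for each session should show the user, group and authserver of the same domain, as in the step 6 results.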
6) Result:
ID: 46, VDOM: root, IPv4: 10.207.1.46
Forward traffic log:
date=2022-07-08 time=13:48:11 eventtime=1657259291692334330 tz="+0800" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.207.1.46 srcport=56025 srcintf="port4" srcintfrole="undefined" dstcountry="Malaysia" srccountry="Reserved" dstip=23.14.198.78 dstport=80 dstintf="port1" dstintfrole="undefined" sessionid=1604885030 service="HTTP" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="6492abee-fdd7-51ec-6427-0c5f05701d8f" policyname="Kerb" trandisp="snat" transip=10.47.2.28 transport=40650 duration=5115 user="testbezza" group="Kerberos-Bezza-user-group" authserver="Kerberos-LDAP-Bezza" wanin=338 rcvdbyte=338 wanout=213 lanin=4869 sentbyte=4869 lanout=5763 appcat="unscanned"
date=2022-07-08 time=13:47:44 eventtime=1657259264303615072 tz="+0800" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.207.1.46 srcport=55969 srcintf="port4" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=13.107.42.254 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1604885023 service="HTTPS" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="6492abee-fdd7-51ec-6427-0c5f05701d8f" policyname="Kerb" trandisp="snat" transip=10.47.2.28 transport=60194 duration=14098 user="testkancil" group="Kerberos-Kancil-user-group" authserver="Kerberos-LDAP-Kancil" wanin=7499 rcvdbyte=7499 wanout=1199 lanin=4328 sentbyte=4328 lanout=12494 appcat="unscanned"
7) Other things to note:
Copyright 2024 Fortinet, Inc. All Rights Reserved.