Description
This article describes how to configure Kerberos authentication for explicit Proxy on FortiProxy.
Scope
Any supported version of FortiProxy.
Solution
Windows Server general setup
Kerberos environment - Windows Server setup:
- For the test, set up a Windows Server 2016 with domain configuration and active directory.
- Set the domain name MT-TEST.LOCAL (realm name).
Create AD users
- testuser is a normal user (can be any existing domain user account).
- fortikerberos is the example user that will be used for creating the Kerberos ticket.
Recommendation: create the username in all lowercase (even if this goes against corporate standards).
- The account only requires 'domain users' membership.
- Set the password to never expire.
- Set a very strong password.
Create a DNS record for FortiProxy
Create a DNS A record mapping the FortiProxy IP address to the FQDN. For example:
FORTIPROXY.MT-TEST.LOCAL -> 10.0.0.240.
Generate the Kerberos keytab:
On a Windows Server, use the ktpass command through CMD to generate the Kerberos keytab.
Note that it is necessary to run CMD with the 'Run as Admin' option.
An explanation ktpass syntax can be seen in the following Microsoft article:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass
Syntax example:
# ktpass -princ HTTP/<FQDN of FortiProxy>@REALM -mapuser fortiproxy@domain.com -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab
Test example:
# ktpass -princ HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL -mapuser fortiproxy@mt-test.local -pass 12345678 -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab
Note that the principal parameter is case-sensitive.
The output after creating a successful keytab looks similar to the following:
Encode the output in base64
[It is possible to upload the keytab file directly if configuring using the GUI, without encoding in base64]
Use the base64 command available in most Linux distros (or use any other available Base64 encoder) to encode the fpx.keytab file.
Use the base64 command available in most Linux distros (or use any other available Base64 encoder) to encode the fpx.keytab file.
Any LF (Line Feed) need to be deleted from the file.
Example of encoding in a Linux distribution:
base64 fpx.keytab > fpx.txt
base64 fpx.keytab > fpx.txt
In Windows Server 2016, use the native tool to encode fpx.keytab file to Base64. The output will be used for the FortiProxy keytab.
# certutil -encode <keytab> <encode-file-name>
FortiProxy configuration
All of the settings can be done in CLI or in GUI.
Create LDAP Server instance.
From GUI go to User & Device -> LDAP Servers and create a new LDAP server object.
From GUI go to User & Device -> LDAP Servers and create a new LDAP server object.
# config user ldap
edit "dc01" <- Required for authorization
set server "10.0.0.10" <- LDAP server IP, normally the same as the KDC server
set cnid "sAMAccountName"
set dn "dc=mt-test,dc=local"
set type regular
set username "fortibind@mt-test.local”
set password <password>
set cnid "sAMAccountName"
set dn "dc=mt-test,dc=local"
set type regular
set username "fortibind@mt-test.local”
set password <password>
set group-search-base "dc=mt-test,dc=local" <- When configuring using the web GUI, add this line from the CLI
next
end
Define Kerberos as an authentication service.
Go to User & Device -> Kerberos and create a new Kerberos object:
Go to User & Device -> Kerberos and create a new Kerberos object:
# config user krb-keytab
edit "http_service"
set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL" <- Same as the principal name in the ktpass command on Windows Server
set ldap-server "dc01" <- the defined ldap server for authorization
set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <- base64 encoded keytab data, created in step 5 of general setup
set ldap-server "dc01" <- the defined ldap server for authorization
set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <- base64 encoded keytab data, created in step 5 of general setup
next
end
Go to User & Device -> Scheme and create an authentication scheme with method negotiate:
# config authentication scheme
edit "krb"
set method negotiate
set negotiate-ntlm disable
set kerberos-keytab "krb_mttest"
next
end
edit "krb"
set method negotiate
set negotiate-ntlm disable
set kerberos-keytab "krb_mttest"
next
end
Go to User & Device -> Authentication Rule and create an authentication rule with the 'krb' scheme set as the default authentication method:
# config authentication rule
edit "kerberos"
set srcintf "port1"
set srcaddr "all"
set dstaddr "all"
set ip-based disable
set active-auth-method "krb"
next
end
edit "kerberos"
set srcintf "port1"
set srcaddr "all"
set dstaddr "all"
set ip-based disable
set active-auth-method "krb"
next
end
Create user group(s).
Go to User & Device -> User Groups and create a new group:
Go to User & Device -> User Groups and create a new group:
# config user group <- The group is used for kerberos authentication.
edit "testgrp"
set member "dc01"
# config match
edit 1
set server-name "dc01" <- Same as ldap-server option in krb-keytab.
set group-name "CN=Domain Users,CN=Users, DC=mt-test,DC=local"
next
end
next
end
edit "testgrp"
set member "dc01"
# config match
edit 1
set server-name "dc01" <- Same as ldap-server option in krb-keytab.
set group-name "CN=Domain Users,CN=Users, DC=mt-test,DC=local"
next
end
next
end
Create a firewall policy
Go to Policy & Objects -> Policy and create a new 'Explicit Proxy policy':
# config firewall policy
edit 0
set type explicit-web
set name "test"
set explicit-web-proxy "web-proxy"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set logtraffic all
set groups "testgrp"
set utm-status enable
next
end
edit 0
set type explicit-web
set name "test"
set explicit-web-proxy "web-proxy"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set logtraffic all
set groups "testgrp"
set utm-status enable
next
end
Diagnostics
Once the keytab is imported, check that it has been properly decoded.
It is visible with the following command:
# fnsysctl ls -la /tmp/kt
drwxr--r-- 2 0 0 Fri May 29 10:19:05 2020 60 .
drwxrwxrwt 31 0 0 Fri May 29 10:28:49 2020 2260 ..
-rw-r--r-- 1 0 0 Fri May 29 10:19:05 2020 387 KEY-FILE
drwxr--r-- 2 0 0 Fri May 29 10:19:05 2020 60 .
drwxrwxrwt 31 0 0 Fri May 29 10:28:49 2020 2260 ..
-rw-r--r-- 1 0 0 Fri May 29 10:19:05 2020 387 KEY-FILE
Client side walkthrough
Check Kerberos is working
Check Kerberos is working
Log on to the domain by using testuser.
Use the klist command to list ticket information.
In the below example, the client has received krbtgt, CIFS, and LDAP tickets.
As there has been no interaction with the FortiProxy yet, there will be no references to it.
# klist
Cached Tickets: (5)
#0> Client: testuser @ mt-test.local
Server: krbtgt/MT-TEST.LOCAL @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: testuser @ mt-test.local
Server: krbtgt/MT-TEST.LOCAL @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/6/2020 14:58:04 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#2> Client: testuser @ mt-test.local
Server: cifs/EthicsGradient.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#3> Client: testuser @ mt-test.local
Server: ldap/EthicsGradient.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#4> Client: testuser @ mt-test.local
Server: LDAP/EthicsGradient.mt-test.local/mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cached Tickets: (5)
#0> Client: testuser @ mt-test.local
Server: krbtgt/MT-TEST.LOCAL @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: testuser @ mt-test.local
Server: krbtgt/MT-TEST.LOCAL @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/6/2020 14:58:04 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#2> Client: testuser @ mt-test.local
Server: cifs/EthicsGradient.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#3> Client: testuser @ mt-test.local
Server: ldap/EthicsGradient.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#4> Client: testuser @ mt-test.local
Server: LDAP/EthicsGradient.mt-test.local/mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Configure client
Under Internet Properties, set the workstation to use FortiProxy as an internet proxy.
Specify the FQDN of the FortiProxy to ensure a Kerberos ticket is requested.
Push this information through a PAC file:
Open a connection to the Internet.
1) The client accesses the explicit proxy, but a HTTP 407 proxy authentication Required error will be returned.
2) As 'Negotiate' is set, the client has knowledge of the KRBTGT, it requests a ticket from the KDC with a krb-tgs-req message.
1) The client accesses the explicit proxy, but a HTTP 407 proxy authentication Required error will be returned.
2) As 'Negotiate' is set, the client has knowledge of the KRBTGT, it requests a ticket from the KDC with a krb-tgs-req message.
This includes the REALM (MT-TEST.LOCAL) in the reg-body section, and the provided instances SNAME and service (in this case, HTTP/dc01.mt-test.local).
3) The KDC responds with a next KRB-TGS-REP.
This ticket is then available on the client.
In the example below, the ticket-granted-service has issued Ticket #2:
3) The KDC responds with a next KRB-TGS-REP.
This ticket is then available on the client.
In the example below, the ticket-granted-service has issued Ticket #2:
#2> Client: testuser @ mt-test.local
Server: HTTP/dc01.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 12/6/2020 14:59:45 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Server: HTTP/dc01.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 12/6/2020 14:59:45 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
4) The conversation between the client and the proxy continues as the client responds with the Kerberos ticket in the response.
The whole process takes less than a second to complete.
The whole process takes less than a second to complete.
The user is visible as a FSSO logon from GUI.
Note:
One possible reason the client does not show the ticket for the HTTP protocol under klist is if there is an encryption mismatch between the client and the service. Both need to use the same Kerberos encryption type.
Related articles:
Technical Tip: FortiGate explicit proxy authentication with Kerberos
Troubleshooting Tip: Kerberos proxy-authentication and group lookup
Technical Tip: Kerberos authentication through FortiGate 'Redirected Transparent Web Proxy
