Description
This article describes how to configure Kerberos authentication for explicit Proxy on FortiProxy.
Solution
Windows Server general setup.
Kerberos environment - Windows Server setup.
1) For the test setup, a Windows Server 2016 installation with a domain configuration and Active Directory was used.
2) Set the domain name MT-TEST.LOCAL (realm name).
3) Create AD users.
- testuser is a normal user (can be any existing domain user account).
- fortikerberos is the example user that will be used for creating the Kerberos ticket.
Recommendation: create the username all in lowercase (even if this is against corporate standards).
- The account only requires 'domain users' membership.
- Password set to never expire.
- Set a very strong password.
4) Create a DNS record for FortiProxy.
Create a DNS A record mapping your FortiProxy IP address to the FQDN, for example:
FORTIPROXY.MT-TEST.LOCAL -> 10.0.0.240.
5) Generate the Kerberos keytab.
On Windows Server, use the ktpass command in CMD to generate the Kerberos keytab.
Note that CMD must be run with the 'Run as Admin' option.
An explanation of the ktpass syntax can be seen on the following Microsoft link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass
Syntax example:
ktpass -princ HTTP/<FQDN of FortiProxy>@REALM -mapuser fortiproxy@domain.com -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab
Test example:
ktpass -princ HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL -mapuser fortiproxy@mt-test.local -pass 12345678 -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab
Note that the principal parameter is case-sensitive.
The output after creating a successful keytab looks similar to the following:
# config user ldap
edit "dc01" <----- Required for authorization
set server "10.0.0.10" <----- LDAP server IP, normally the same as the KDC server
set cnid "sAMAccountName"
set dn "dc=mt-test,dc=local"
set type regular
set username "fortibind@mt-test.local"
set password <password>
next
end
Define Kerberos as an authentication service.
# config user krb-keytab
edit "http_service"
set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL" <----- Same as the principal name in the ktpass command on Windows Server
set ldap-server "dc01" <----- The LDAP server defined above, used for authorization
set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <----- Base64-encoded keytab data, created in step 5 of the general setup
next
end
Go to User & Device -> Scheme and create an authentication scheme with method negotiate:
# config authentication scheme
edit "krb"
set method negotiate
set negotiate-ntlm disable
set kerberos-keytab "http_service" <----- Must match the name of the krb-keytab entry defined above
next
end
Go to User & Device -> Authentication Rule and create an authentication rule with the 'krb' scheme set as the default authentication method:
# config authentication rule
edit "kerberos"
set srcintf "port1"
set srcaddr "all"
set dstaddr "all"
set ip-based disable
set active-auth-method "krb"
next
end
Create user group(s).
# config user group <----- The group is used for Kerberos authentication.
edit "testgrp"
set member "dc01"
# config match
edit 1
set server-name "dc01" <----- Same as the ldap-server option in krb-keytab.
set group-name "CN=Domain Users,CN=Users,DC=mt-test,DC=local"
next
end
next
end
Create firewall policy.
# config firewall policy
edit 0
set type explicit-web
set name "test"
set explicit-web-proxy "web-proxy"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set logtraffic all
set groups "testgrp"
set utm-status enable
next
end
Diagnostics.
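The following Python is added here and is not part of the article or of FortiProxy. It decodes the base64 string given to 'set keytab' (MIT keytab format, as ktpass writes it) and lists the principal, kvno and enctype of every key in it, so the keytab can be checked against 'set principal' before it is uploaded and against the encryption type the client ends up using (see the note at the end of the article). It uses the article's own example value as input; PAGE_KEYTAB_B64, parse_keytab and check_keytab are names chosen here.

```python
import base64
import struct
# Kerberos enctype numbers (RFC 3961/3962/4757); any other value is reported by number.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# The example value from the krb-keytab block of this article (the string given to 'set keytab').
PAGE_KEYTAB_B64 = ("BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09N"
                   "AAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=")

def _counted(buf, off):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_entry(buf):
    """Decode one keytab entry to principal, kvno and enctype; the key bytes are not returned."""
    (ncomp,) = struct.unpack(">H", buf[:2])
    realm, off = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(buf, off)
        comps.append(comp.decode())
    _name_type, _timestamp, vno8, enctype = struct.unpack(">IIBH", buf[off:off + 11])
    key, off = _counted(buf, off + 11)
    # Newer writers append a 32-bit kvno after the key; a non-zero value overrides the 8-bit field.
    vno32 = struct.unpack(">I", buf[off:off + 4])[0] if len(buf) - off >= 4 else 0
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno32 or vno8,
            "enctype": ENCTYPES.get(enctype, str(enctype)), "keylen": len(key)}

def parse_keytab(data):
    """Walk an MIT version-2 (0x0502) keytab, the format ktpass writes, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (length,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if length <= 0:  # a negative length marks a deleted entry of that size
            pos -= length
            continue
        entries.append(parse_entry(data[pos:pos + length]))
        pos += length
    return entries

def check_keytab(b64, expected_principal):
    """List what the keytab holds and whether it has a key for the principal set on the FortiProxy."""
    entries = parse_keytab(base64.b64decode(b64))
    hits = [e for e in entries if e["principal"] == expected_principal]
    return {"principals": sorted({e["principal"] for e in entries}),
            "enctypes": sorted({e["enctype"] for e in hits}),
            "kvnos": sorted({e["kvno"] for e in hits}), "ok": bool(hits)}
```

On the article's example value it reports a single rc4-hmac key, kvno 10, for HTTP/TONY_FGT_100D_A.BERBER.COM@BERBER.COM, so check_keytab returns ok False for the mt-test principal; a keytab written by the ktpass command above should instead list HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL.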
FPX # fnsysctl ls -la /tmp/kt
drwxr--r-- 2 0 0 Fri May 29 10:19:05 2020 60 .
drwxrwxrwt 31 0 0 Fri May 29 10:28:49 2020 2260 ..
-rw-r--r-- 1 0 0 Fri May 29 10:19:05 2020 387 KEY-FILE
Client side walkthrough.
C:\Users\testuser>klist
Cached Tickets: (5)
#0> Client: testuser @ mt-test.local
Server: krbtgt/MT-TEST.LOCAL @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: testuser @ mt-test.local
Server: krbtgt/MT-TEST.LOCAL @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/6/2020 14:58:04 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#2> Client: testuser @ mt-test.local
Server: cifs/EthicsGradient.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#3> Client: testuser @ mt-test.local
Server: ldap/EthicsGradient.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#4> Client: testuser @ mt-test.local
Server: LDAP/EthicsGradient.mt-test.local/mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
Start Time: 12/6/2020 14:58:06 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Configure client.
#2> Client: testuser @ mt-test.local
Server: HTTP/dc01.mt-test.local @ MT-TEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 12/6/2020 14:59:45 (local)
End Time: 12/7/2020 0:58:04 (local)
Renew Time: 12/13/2020 14:58:04 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
4) The conversation between the client and the proxy continues, as the client responds with the Kerberos ticket in its reply.
Note:
One reason the client may not show a ticket for the HTTP service under klist is an encryption type mismatch between the client and the service; both need to use the same Kerberos encryption type.
Copyright 2023 Fortinet, Inc. All Rights Reserved.