FortiProxy
ELCaminooo
Staff
Article Id 372065
Description This article describes how to configure dual Domain Controllers in High Availability for Kerberos authentication on FortiProxy.
Scope Microsoft Windows Server 2016 and FortiProxy.
Solution
  1. For a Secondary Domain Controller joined to the domain, confirm that the Kerberos SRV record has been replicated to the Secondary Domain Controller (and to any additional Domain Controllers).
    1. Go to Server Manager -> DNS -> HostName.rootdomain -> Forward Lookup Zones -> Root Domain -> TCP -> Look for the SRV record named _kerberos with data [0][100][88] (priority 0, weight 100, port 88).

  2. Double-check from the endpoint that it can resolve the Kerberos SRV record for the domain controllers with the following command:

nslookup -type=SRV _kerberos._tcp.domain.com

It should return the IP addresses of the Domain Controllers.


  3. On the secondary Domain Controller, make sure to generate another keytab:
ktpass -princ HTTP/fpx2.fortinettest.loc@FORTINETTEST.LOC -mapuser fortiproxy4 -pass P@ssw0rd -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx5.keytab
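As an added check (example code written for this article, not from Fortinet or the article itself), the following Python parses the keytab file that ktpass writes and confirms it carries the expected SPN with the KRB5_NT_PRINCIPAL name type before it is uploaded to FortiProxy; it also reports any DES or RC4 keys, which -crypto all can include. The SPN is the one from the ktpass command above; the keytab bytes are constructed inline.

```python
import struct
KRB5_NT_PRINCIPAL = 1
LEGACY_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}  # "-crypto all" can emit these
def _cstr(data, off):
    # counted octet string: big-endian uint16 length followed by that many bytes
    n = struct.unpack_from(">H", data, off)[0]
    return data[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    # keytab version 0x0502 (what ktpass writes): a sequence of [int32 size][entry body]
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size <= 0:                      # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(data, off)
            comps.append(comp.decode())
        name_type, _stamp, vno8, etype = struct.unpack_from(">IIBH", data, off)
        _key, off = _cstr(data, off + 11)
        # a trailing uint32 kvno, when present, overrides the 8-bit field
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "etype": etype})
        off = end
    return entries
def verify_keytab(data, expected_principal):
    # returns (principal present?, legacy enctype names it carries) for the SPN FortiProxy will use
    hits = [e for e in parse_keytab(data) if e["principal"] == expected_principal
            and e["name_type"] == KRB5_NT_PRINCIPAL]
    return bool(hits), sorted(LEGACY_ETYPES[e["etype"]] for e in hits if e["etype"] in LEGACY_ETYPES)
def _entry(principal, etype, key, kvno=3):
    # build one keytab entry; used only to construct the sample below
    name, realm = principal.split("@")
    parts = name.split("/")
    body = struct.pack(">H", len(parts)) + struct.pack(">H", len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBH", KRB5_NT_PRINCIPAL, 0, kvno, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
SPN = "HTTP/fpx2.fortinettest.loc@FORTINETTEST.LOC"  # SPN from the ktpass command above
# constructed sample keytab: AES256 (18), AES128 (17) and RC4 (23) keys for that SPN
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    _entry(SPN, t, bytes([t]) * n) for t, n in ((18, 32), (17, 16), (23, 16)))
```

Run verify_keytab(open("fpx5.keytab", "rb").read(), SPN) against the real file; a False first element means the wrong -princ was used, and a non-empty list shows legacy key types the keytab still carries.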

  4. In FortiProxy, create another LDAP Server entry for the secondary Domain Controller.


  5. On the Kerberos tab, replicate the existing Kerberos configuration for the primary Domain Controller as a new entry for the secondary Domain Controller: point it to the LDAP Server config created for the secondary Domain Controller and upload the keytab generated in step 3.


  6. Edit the User Group to include the OUs or groups from the secondary Domain Controller. The group object referenced in the security policies is updated automatically.


  7. (Optional) Create Domain Controller entries for NTLM fallback.


  8. On the Policy & Objects -> Authentication Rules -> Authentication Schemes page, create an entry for the secondary Domain Controller using the Negotiate method. (Optional) Again, enable Negotiate NTLM for NTLM fallback and reference the Domain Controller config from Step 7.


  9. On the Policy & Objects -> Authentication Rules -> Authentication Rules page, create an Authentication Rule for the Secondary Domain Controller.


  10. Test failover and verify the configuration.

    1. Shut down the primary domain controller: temporarily disable or shut down the Primary Domain Controller to simulate a failure.

    2. Test authentication. Verify that:

      • Windows and macOS endpoints can still authenticate and access the internet through FortiProxy.

      • FortiProxy recognizes Kerberos tickets issued by the Secondary Domain Controller.


Note:

Upon testing, an active Kerberos ticket is not automatically re-issued by the Secondary Domain Controller when the Primary Domain Controller goes down while that ticket is still valid. Once the ticket expires and the Primary Domain Controller is still down, the client requests a new ticket from the Secondary Domain Controller.