FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
KC_Hing
Staff
Staff
Article Id 223520
Description

This article describes a working WAD debug flow for Kerberos authentication as an authentication method.

Scope FortiProxy.
Solution

In this scenario, the FortiProxy has enforced to challenge the client browser with Kerberos as an authentication method.

 

Kerberos Authentication Flow:

 

KC_Hing_0-1662965830677.png

 

The following command can be used to capture and save the WAD debug outputs:

 

diagnose wad filter src <IP address>

diagnose wad debug enable category auth

diagnose wad debug enable category policy

diagnose wad debug enable level verbose

diagnose debug application fnbamd -1

diagnose debug enable

 

To stop debug:

 

diagnose debug disable

diagnose debug reset

 

Example of debugging outputs.

 

  1. The client browser sends an HTTP/1.1 connect method request toward the destination URL.

KC_Hing_1-1662966082876.png

 

  1. The connection request was interrupted by FortiProxy to challenge an HTTP/1.1 407 proxy authentication required with negotiate (Kerberos) authentication as a preferred method.

KC_Hing_2-1662966082890.png

 

  1. The client browser responds to a connect method request with a Kerberos service ticket (TGT) provided.

     

KC_Hing_3-1662966082899.png

 

  1. FortiProxy will decipher the client Kerberos service ticket (TGT) with configured keytab to extract the user name used for LDAP query.

KC_Hing_4-1662966082908.png

 

  1. FortiProxy to perform a proper lookup against the LDAP server for user and group membership matching.

KC_Hing_5-1662966082914.png

 

  1. Authentication result showed success, the Fortiproxy allowed destination website access with an HTTP/1.1 200 OK.


KC_Hing_6-1662966082916.png

 

Related documents:

Technical Tip: FortiGate explicit proxy authentication with Kerberos

Technical Tip: Configure FortiProxy for multidomain Kerberos authentication