Help
FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
duenlim
Staff
Staff

Created on ‎08-17-2022 01:35 AM Edited on ‎01-01-2024 09:59 PM By Community Manager

Article Id 221050

Technical Tip: Issue on keytab when configuring Kerberos authentication with a FortiProxy

Description This article describes how to encode the keytab to base64 when configuring Kerberos authentication.
Scope

If unable to configure the keytab follow through the guidelines at:

https://docs.fortinet.com/document/fortiproxy/2.0.2/fortiproxy-authentication-guide/314108/configura...
Solution
  1. Use certutil (Windows Server 2016 native tool) to encode fortifpx.keytab file to Base64; the output is used for the FortiProxy keytab.

 

certutil -encode <keytab> <encode-file-name>

 

For example in Windows Server:


C:\Users\Administrator>certutil -encode fpxkvm.keytab fpxkvm-base64

 

Note.

Open the encoded output (fpxkvm-base64) with Notepad to retrieve the content.

The following will be visible.

 

-----BEGIN CERTIFICATE-----
BQIAAAA4AAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1rMS5jb20AAAABAAAA
AAMAAQAIdmSMihnZGT0AAAA4AAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1r
MS5jb20AAAABAAAAAAMAAwAIdmSMihnZGT0AAABAAAIAB01LMS5DT00ABEhUVFAA
EGZvcnRpZnB4Lm1rMS5jb20AAAABAAAAAAMAFwAQFvRuHGNyZDrYZRwGKhKpuwAA
AFAAAgAHTUsxLkNPTQAESFRUUAAQZm9ydGlmcHgubWsxLmNvbQAAAAEAAAAAAwAS
ACDguExSNSVB9O1FD+S5OTGulRfPDBi0YelL/s152baiJAAAAEAAAgAHTUsxLkNP
TQAESFRUUAAQZm9ydGlmcHgubWsxLmNvbQAAAAEAAAAAAwARABAhcLODf38dBzNW
C3HL7WuV
-----END CERTIFICATE-----

 

Note.

The content of the encoded output will be configured as ketyab.

 

  1. Apply the keytab to FortiProxy:

 

config user krb-keytab

fortifpx (krb-keytab) # edit http_service
new entry 'http_service' added

fortifpx (http_service) # set principal HTTP/fortifpx.mk1.com@MK1.COM

fortifpx (http_service) # set ldap-server LDAP

fortifpx (http_service) # set keytab "BQIAAAA4AAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1rMS5jb20AAAABAAAAAAMAAQAIdmSMihnZGT0AAAA4AAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1rMS5jb20AAAABAAAAAAMAAwAIdmSMihnZGT0AAABAAAIAB01LMS5DT00ABEhUVFAAEGZvcnRpZnB4Lm1rMS5jb20AAAABAAAAAAMAFwAQFvRuHGNyZDrYZRwGKhKpuwAAAFAAAgAHTUsxLkNPTQAESFRUUAAQZm9ydGlmcHgubWsxLmNvbQAAAAEAAAAAAwASACDguExSNSVB9O1FD+S5OTGulRfPDBi0YelL/s152baiJAAAAEAAAgAHTUsxLkNPTQAESFRUUAAQZm9ydGlmcHgubWsxLmNvbQAAAAEAAAAAAwARABAhcLODf38dBzNWC3HL7WuV"

 

Note:

Make sure those encoded contents are 'word wrap'. Started from v7.2.x, do not need to convert the keytab file to base64 code. 
476
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.