FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
ELCaminooo
Staff
Article Id 330474
Description

This article describes how to configure Kerberos authentication with FortiProxy for Windows and Mac clients.

Scope

Microsoft Windows Server 2016 and FortiProxy v7.4.2, Windows, MacOS.

Solution

  1. Create a DNS A record on the Windows Server:
  • Go to DNS Manager and select Forward Lookup Zones.
  • Select New Host (A or AAAA)…
  • Name: name of the new host. Example: 'fortiproxy'.
  • FQDN: fortiproxy.<realm>. Example: fortiproxy.fortinettest.loc.
  • IP address: IP address of the FortiProxy.

  2. Create two user accounts in the Windows domain:
  • User1: a normal user for testing (or use an existing one).
  • FortiProxy: a service account (no special attributes or permissions; the same as a normal user).

The 'fortiproxy' account stands for the FortiProxy itself, which provides the HTTP proxy service.

  3. Make sure that the Kerberos server can resolve the FortiProxy fully qualified domain name (FQDN), fortiproxy.fortinettest.loc:
  • On the Windows Server machine, open cmd and type: nslookup fortiproxy.fortinettest.loc.

  4. (Optional) Add the FortiProxy FQDN to the DNS forward/reverse zones, or add it to the local hosts file:
  • Go to the Windows Server.
  • Open C:\Windows\System32\drivers\etc\hosts.
  • Add the following line: <IP address of FortiProxy> <FQDN of FortiProxy from Step 1>.

  5. Use ktpass to generate the Kerberos keytab file that FortiProxy uses to decrypt Kerberos tickets:

ktpass -princ HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC -mapuser fortiproxy@fortinettest.loc -pass P@ssw0rd -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab

Breakdown:

  • -princ HTTP/<FQDN of FortiProxy from Step 1>@<realm in capitals>. Example: HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC.
  • -mapuser <logon name of the service user created in Step 2>. Example: fortiproxy@fortinettest.loc.
  • -pass <password of the service user in plain text>. It is important that the service user's password is set to never expire: the keytab is bound to this password, so the keytab uploaded to the FortiProxy stops working once the password expires.
  • -out <output file name>.keytab.

Sample output: (screenshot)

Note: By default the keytab file is written to 'C:\Users\Administrator\'.
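The following Python script is an added example, not code from the article or from Fortinet: it parses the version 2 keytab layout that ktpass writes, checks that every entry carries the principal HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC (a principal that differs only in letter case is flagged, since Kerberos treats FORTINETTEST.loc and FORTINETTEST.LOC as different realms) and reports the legacy DES/RC4 keys that '-crypto all' writes next to the AES keys. It assumes the standard MIT/Heimdal keytab format and uses a sample keytab constructed inline with zeroed dummy keys; to check a real export, read the file's bytes and pass them to check_keytab().

```python
import struct

EXPECTED_PRINCIPAL = "HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC"
WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # legacy enctypes

def parse_keytab(data: bytes) -> list:
    """Return [(principal, kvno, enctype)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        off, parts = 2, []
        for _ in range(struct.unpack(">H", entry[:2])[0] + 1):  # realm, then components
            (ln,) = struct.unpack(">H", entry[off:off + 2])
            parts.append(entry[off + 2:off + 2 + ln].decode())
            off += 2 + ln
        # name type (4 bytes) and timestamp (4 bytes) precede vno8, enctype, key length
        vno8, enctype, klen = struct.unpack(">BHH", entry[off + 8:off + 13])
        off += 13 + klen                   # skip the key material itself
        kvno = struct.unpack(">I", entry[off:off + 4])[0] if len(entry) - off >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return entries

def check_keytab(data: bytes, expected: str = EXPECTED_PRINCIPAL) -> list:
    """Return findings as strings; an empty list means the keytab looks right."""
    findings = []
    for principal, kvno, enctype in parse_keytab(data):
        if principal != expected:
            hint = " (differs only in letter case)" if principal.lower() == expected.lower() else ""
            findings.append(f"principal {principal} != {expected}{hint}")
        if enctype in WEAK:
            findings.append(f"kvno {kvno} has weak enctype {WEAK[enctype]}")
    return findings

def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one entry; used only to construct the sample keytab below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: RC4, AES128 and AES256 entries with zeroed dummy keys.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(EXPECTED_PRINCIPAL, 3, et, b"\x00" * n) for et, n in ((23, 16), (17, 16), (18, 32)))
```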

 

  6. Define the LDAP server. GUI: go to User & Authentication -> LDAP Servers and select 'Create New'.

CLI:

config user ldap
    edit "ldap" <----- Used for authorization.
        set server "192.168.15.204" <----- LDAP server IP address; usually the same as the KDC server IP address.
        set cnid "sAMAccountName"
        set dn "dc=fortinettest,dc=loc"
        set type regular
        set username "fortiproxy" <----- Service user created in Step 2.
        set password "P@ssw0rd" <----- Password of the service user created in Step 2.
    next
end

 

  • Test with User1 to verify the LDAP configuration: (screenshot)

Note:

On the CLI, edit the LDAP configuration and add the following line, as this setting is not available in the GUI. If it is missing, the keytab upload in the next step will not go through.

set group-search-base "dc=fortinettest,dc=loc"

  7. Define the Kerberos server:
  • GUI: Go to User & Authentication -> Kerberos and select 'Create New'.
  • Principal: 'HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC' <----- It must be the same as the principal used for the keytab generation in step 5.
  • Choose the LDAP server configured in Step 6.
  • Upload the keytab file generated in step 5.

Note:

Save the Kerberos configuration without the keytab first, then add the keytab on the CLI:

config user krb-keytab
    edit "http_service"
        set principal "HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC" <----- It must be the same as the principal name used to generate the keytab file.
        set ldap-server "ldap" <----- The LDAP server defined for authorization in step 6.
        set keytab <keytab string> <----- Paste the keytab output from step 5.
    next
end

Example output: (screenshot)

When the configuration is checked again, the keytab value is shown as a different string. This is fine: the system automatically encrypts the string, so leave it as it is.

 

  8. Create the user group:
  • GUI: Go to User & Authentication -> User Groups and select 'Create New'.
  • Name: own preference.
  • Members: choose the LDAP server from step 6.

On the CLI:

config user group
    edit "testgrp"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set logic-type or
        set member "ldap"
        config match
            edit 1
                set server-name "ldap"
                set group-name "CN=Domain Users,CN=Users,DC=FORTINETTEST,DC=LOC"
            next
        end
    next
end

 

  9. Define the domain controller:
  • GUI: Go to User & Authentication -> Domain Controller and select 'Create New'.

  10. Create the authentication scheme for Kerberos with NTLM fallback:
  • GUI: Go to Policy & Objects and select Create New -> Authentication Scheme.
  • Name: own preference.
  • Method: Negotiate <---- used for Kerberos authentication.
  • Negotiate NTLM: (optional) enables the NTLM fallback.

  11. Create the authentication rule:
  • GUI: Go to Policy & Objects and select 'Create New' -> Authentication Rule.
  • Name: own preference.
  • Protocol: HTTP.
  • Source Interface: any, or choose a specific interface for more granularity.
  • Source Address: any, or choose a specific address for more granularity.
  • Destination Address: any, or choose a specific address for more granularity.
  • Authentication Scheme: choose the authentication scheme configured in Step 10.
  • IP-Based Authentication: set to disable.

  12. Create the firewall policy with authentication for testgrp:
  • Type: Explicit
  • Name: own preference
  • Explicit Web-Proxy: web-proxy
  • Outgoing Interface: own preference (usually the interface towards the internet, firewall or switch)
  • Source: all and the user group configured in step 8 (testgrp in our environment)
  • Destination: all or a specific destination
  • Schedule: own preference
  • Service: webproxy
  • Action: Accept
  • Logging Options: own preference
  • Enable Policy

Note:

For Security Profiles, select the profiles that apply.

To test that the user can authenticate with Kerberos:

  1. Use the default Kerberos Windows environment to set up a Windows client that supports Kerberos authentication.
  2. After logging on to Windows as 'user1', use the 'klist' command to view the Kerberos service tickets. The listed service tickets indicate that Kerberos is set up and working correctly. (screenshot)

  13. Set up the explicit web proxy in the browser or operating system using FQDN=fortiproxy.fortinettest.loc and port=8080. This also works with an auto-proxy configuration.
  • For Windows (sample only): (screenshot)
  • For MacOS (sample only): (screenshot)

Note:

On MacOS the proxy configuration must use the domain name, not the IP address, of the FortiProxy, because the client requests a ticket for HTTP/<proxy host name> and that name has to match the keytab principal.

  14. The klist command now shows the obtained Kerberos service ticket for HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC.

Windows: (screenshot)

MacOS: (screenshot)

  • To test whether traffic to the internet traverses the FortiProxy, use a web browser such as Chrome, open the developer tools, go to the Network tab and visit a website, for example google.com. Find the 'google.com' entry in the left pane and verify that the 'Remote IP Address' points to the IP address and port of the FortiProxy.

For Windows: (screenshot)

For macOS: (screenshot)

On the FortiProxy, go to FortiView -> Users or run 'diag wad user list'. 'negotiate' or 'NTLM' is shown as the authentication method. (screenshots)