Fortinet Forum
Wurstsalat
New Contributor III

FortiOS explicit Proxy Kerberos Authentication High Availability/Failover Setup

Hi there,

After we resolved our problem with the general functionality of Kerberos auth and the explicit proxy (Solved: Re: FortiOS 6.0 Explicit Proxy Kerberos problem - Fortinet Community), we thought about how to get a failover/HA setup, while all our domain controllers can be used as KDCs.

We followed these steps (Handbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library) with the additional steps from the thread mentioned before. We have also read this: Technical Tip : Configuring FortiProxy Kerberos au... - Fortinet Community

But in all the examples and handbooks we are aware of, there is this part of the config:

config user krb-keytab
    edit "http_service"
        set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL" <<< Same as the principal name in the ktpass command on Windows Server
        set ldap-server "dc01" <<< the defined ldap server for authorization
        set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <<< base64 encoded keytab data, created in step 5 of general setup
    next
end

Have a look at the red highlight (the ldap-server line). We can only define one LDAP server: no second one, no backup, nothing. So if this single server fails, the whole thing is broken.

So how do we fix this single point? Any ideas?


Thanks in advance

1 Solution
aahmadzada
Staff

Hi,

Under the LDAP server, you can define primary and secondary LDAP servers.

So your LDAP server entry will have two LDAP servers:


Primary
Secondary

Ahmad

pminarik
Staff

You can configure up to three server addresses in the LDAP server object's configuration (CLI-only): set secondary-server + set tertiary-server.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Secondary-LDAP-server-IP-configuration/ta-...

[ corrections always welcome ]
Wurstsalat
New Contributor III

Thanks @pminarik @aahmadzada

A bit confusing that most examples (and the handbook) talk about config user ldap and then "edit" servername instead of the domain name/realm, which makes much more sense when there's a second and third server that can be defined. Thanks again for pointing me in the right direction.