Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Auth Issues with explicit proxy feature on Fortigate 100F (6.4.15)

Dear all


I have configured an explicit proxy on at fgt100F with 6.4.15.

The goal is to use kerberos as an authentication. Unfortunately this doesn't work yet.


To start with I disabled the autbentication need on the proxy policy and let the customer test.
We were able to verify that the explicit proxy works (if authentication is not needed).


Then I added the authentication again in the proxy policy and the customer confirms the browser receives a "connection refused" from the Fortigate.
Not an error message like "auth required" or like this - but directly a "connection refused" in the browser.

This would explain why I don't really see any logs of said tests (as the connections are refused).

The connection to the used LDAP server (tested within WebGUI of Fortigate) works and show OK (still wouldnt explain the error message in the browser, even if that would be an issue).


Following questions:

  • Are there CLI commands that allow me to test keytab or other authentication parts of the explicit proxy feature?
  • Am I wrong to assume that I should see another error message in the browser when the issue are wrong user credentials (like "auth required" rather than directly a "connection refused")?
  • Anyone an idea what I could look at to investigate a potential issue that causes a "connection refused" when adding authentication to explicit proxy policy?

Thanks a lot



Hi scheuri,


there is no command to test the keytab. We often follow a certain guide by the word, and usually Kerberos just works fine.

You can use a few things to test what the FortiGate does in the end:

- Browser development tools (keyboard F12) should show when you access a page what HTTP responses are sent, one of them would be simply HTTP 407, authentication required).

- run a debug (it is extensive and should be logged, carefully used, enabled and disabled right after test):

diag debug console timestamp enable

diag wad debug enable category all

diag wad debug enable level verbose

diag debug app fnbamd -1

diag debug enable

It should show the same HTTP 407 for the IP, but also user, authentication rule and scheme matching, as well as the LDAP lookup that would happen against the user that tries to authenticate.

- on the end user station, you can run "klist" and see a few keytabs that indicate Kerberos is working.

Best regards,





Thank you very much for your suggestions - very much appreciated.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors