Dear all
I have configured an explicit proxy on at fgt100F with 6.4.15.
The goal is to use kerberos as an authentication. Unfortunately this doesn't work yet.
To start with I disabled the autbentication need on the proxy policy and let the customer test.
We were able to verify that the explicit proxy works (if authentication is not needed).
Then I added the authentication again in the proxy policy and the customer confirms the browser receives a "connection refused" from the Fortigate.
Not an error message like "auth required" or like this - but directly a "connection refused" in the browser.
This would explain why I don't really see any logs of said tests (as the connections are refused).
The connection to the used LDAP server (tested within WebGUI of Fortigate) works and show OK (still wouldnt explain the error message in the browser, even if that would be an issue).
Following questions:
Thanks a lot
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi scheuri,
there is no command to test the keytab. We often follow a certain guide by the word, and usually Kerberos just works fine.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/926128/kerberos
You can use a few things to test what the FortiGate does in the end:
- Browser development tools (keyboard F12) should show when you access a page what HTTP responses are sent, one of them would be simply HTTP 407, authentication required).
- run a debug (it is extensive and should be logged, carefully used, enabled and disabled right after test):
diag debug console timestamp enable
diag wad debug enable category all
diag wad debug enable level verbose
diag debug app fnbamd -1
diag debug enable
It should show the same HTTP 407 for the IP, but also user, authentication rule and scheme matching, as well as the LDAP lookup that would happen against the user that tries to authenticate.
- on the end user station, you can run "klist" and see a few keytabs that indicate Kerberos is working.
Best regards,
Markus
Thank you very much for your suggestions - very much appreciated.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.