Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ac1
Contributor II

Created on ‎02-25-2022 08:52 AM

Explicit proxy with Kerberos authentication

I followed the guide below to configure explicit proxy and enable Kerberos with NTLM in fallback:

Administration Guide | FortiGate / FortiOS 6.4.8 | Fortinet Documentation Library

 

Everything works correctly.

 

The problem is that all users authenticate through NTLM and not Kerberos:

# diagnose wad user list
ID: 2, IP: 10.1.100.202, VDOM: vdom1
  user name   : TEST31@DOMAIN
  duration    : 7
  auth_type   : Session
  auth_method : NTLM
  pol_id      : 1
  g_id        : 5
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=6156 bytes_out=16149
  WAN:
    bytes_in=7618 bytes_out=1917

 I have a doubt: is it all here or is some configuration missing?

 

I found this article on TechNet:

Active Directory: Using Kerberos Keytabs to integrate non-Windows systems - TechNet Articles - Unite...

 

In particular it seems to be necessary to enable Kerberos for the service user used for the keytab:

 

<After the keytab generation, the User logon name changes into an SPN, so it can be found by Kerberos clients looking it up.  Note that the checkbox "This account supports Kerberos AES 256 bit encryption" under Account Options is selected.  The checkbox must be manually selected after the keytab generation otherwise you'll receive an error along the lines of 'Cannot find key of appropriate type to decrypt AP REP...".>

 

In our case, the Fortinet guide generates the keytab with the "-crypto all" option, so I have enabled all 3 fields DES, AES 128,AES 256.

But I keep seeing authentications only in NTLM...

 

Anyone have ideas?

 

Labels:
10052
0 Kudos
1 Solution
ac1
Contributor II
In response to Debbie_FTNT

Created on ‎03-04-2022 06:47 AM

I confirm that the DNS record created with the domain account name used to create the keytab must be used in the PAC file.

View solution in original post

9869
11 REPLIES 11
Tristan_C
New Contributor

Created on ‎02-25-2022 04:09 PM Edited on ‎02-25-2022 04:11 PM

I'd recommend getting a packet capture on the client and enable Kerberos error logging. Double check the relevant browser auth settings (firefox splits ntlm and spnego/kerberos settings) and/or GPO. Also ensure your client has visibility to the KDC, and the SPN was registered correctly in AD when doing the ktpass step (from a windows joined machine: "setspn -l FGT" should return your personalized version of the example from the guide: "HTTP/FGT.FORTINETQA.LOCAL").

7475
0 Kudos
Debbie_FTNT
Staff
Staff

Created on ‎02-28-2022 01:45 AM

Hey ac1,

perhaps a stupid question, but what is the explicit proxy setting on your test client?

Does it have an IP or a hostname set?

For Kerberos authentication to work, the host needs to access proxy by hostname.

I once had the issue in a lab, all config was in place correctly but only NTLM auth was happening, and it turned out to be the case because of that simple oversight :D

 

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
7463
0 Kudos
ac1
Contributor II
In response to Debbie_FTNT

Created on ‎02-28-2022 08:58 AM

An fqdn is set which is resolved correctly and from where the client I checked is able to obtain the PAC file.

 

Did you have to enable Kerberos support in the service domain account used on FortiGate, in your configurations?

 

Thanks

7457
0 Kudos
Debbie_FTNT
Staff
Staff
In response to ac1

Created on ‎03-01-2022 12:15 AM Edited on ‎03-01-2022 12:16 AM

Hey ac1 - when I had my lab set up, I didn't have to enable anything specifically on the service account FortiGate was using as I recall.

You could consider taking a packet capture to see the proxy authentication process.

-  you should see an HTTP 407 from FortiGate indicating that proxy authentication is required

- this should include an offer of what authentication methods are available

-> It should be visible here if FortiGate is only offering NTLM, or also offering Kerberos

-> that should give us some clue if Kerberos is even an option for the client PC, and if yes, which one it goes with.

 

EDIT:
We are, however, drifting into very technical troubleshooting - might be worth opening a ticket with Technical Support for more in-depth support.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
7443
0 Kudos
ac1
Contributor II

Created on ‎03-01-2022 07:19 AM

I caught the traffic from the client. I filtered the traffic from "http.response.code == 407" and I saw:

img1-1.png

 

img1.png

 

what does it mean?

 

7435
0 Kudos
Debbie_FTNT
Staff
Staff
In response to ac1

Created on ‎03-01-2022 07:43 AM Edited on ‎03-01-2022 07:43 AM

Hey ac1,

the ''Negotiate TlRMTVNTxxxxxxxx" bit is the one that indicates Keberos is being offered, if I remember correctly.

A pure NTLM offer looks like this:

Debbie_FTNT_0-1646149386621.png

 

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
7433
ac1
Contributor II
In response to Debbie_FTNT

Created on ‎03-01-2022 07:47 AM

Ok, so it is the client not accepting Kerberos Negotiation.

7432
0 Kudos
Debbie_FTNT
Staff
Staff
In response to ac1

Created on ‎03-01-2022 07:49 AM

That's what it looks like to me at least.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
7430
0 Kudos
ac1
Contributor II
In response to Debbie_FTNT

Created on ‎03-03-2022 02:04 AM

The problem may be in the PAC file. The set FQDN does not have the same name as the service user for which the A record was created on the domain.

In this line:

return "PROXY proxy.domain.net:8080";

 

In my keytab:

config user krb-keytab
edit "http-proxy"
set pac-data disable
set principal "HTTP/fortinet.domain.net@DOMAIN.NET"
set ldap-server "domain.net"
set keytab "ENC xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
next
end

 

I have to test the FQDN change on the PAC file:

proxy.domain.net -> fortinet.domain.net

7393
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.