Explicit proxy with Kerberos authentication
I followed the guide below to configure explicit proxy and enable Kerberos with NTLM in fallback:
Administration Guide | FortiGate / FortiOS 6.4.8 | Fortinet Documentation Library
Everything works correctly.
The problem is that all users authenticate through NTLM and not Kerberos:
    # diagnose wad user list
    ID: 2, IP: 10.1.100.202, VDOM: vdom1
      user name   : TEST31@DOMAIN
      duration    : 7
      auth_type   : Session
      auth_method : NTLM
      pol_id      : 1
      g_id        : 5
      user_based  : 0
      expire      : no
      LAN: bytes_in=6156 bytes_out=16149
      WAN: bytes_in=7618 bytes_out=1917

I have a doubt: is that all there is, or is some configuration missing?
I found this article on TechNet:
In particular it seems to be necessary to enable Kerberos for the service user used for the keytab:
<After the keytab generation, the User logon name changes into an SPN, so it can be found by Kerberos clients looking it up. Note that the checkbox "This account supports Kerberos AES 256 bit encryption" under Account Options is selected. The checkbox must be manually selected after the keytab generation otherwise you'll receive an error along the lines of 'Cannot find key of appropriate type to decrypt AP REP...".>
In our case, the Fortinet guide generates the keytab with the "-crypto all" option, so I have enabled all 3 fields: DES, AES 128, AES 256.
But I keep seeing authentications only in NTLM...
Anyone have ideas?
Labels: FortiGate
I confirm that the DNS record created with the domain account name used to create the keytab must be used in the PAC file.
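The accepted answer comes down to a naming rule: the browser builds the service principal HTTP/&lt;proxy host as written in the PAC file&gt; and asks the KDC for a ticket for it, so that host name must be the one whose SPN (the principal given to ktpass for the keytab) the FortiGate holds. If the PAC hands out an IP address, or a name with no matching HTTP/ SPN, the client cannot obtain a ticket and silently falls back to NTLM, which is exactly what "auth_method : NTLM" in the diagnose output shows. The following script is an added example for this thread, not Fortinet or Microsoft code: it pulls every proxy host out of a PAC file and checks it against the SPNs you expect to be in the keytab. The PAC text, the host fgt-proxy.corp.local, the realm CORP.LOCAL and the address 10.1.100.1 are constructed sample data; the "ip-literal" verdict reflects default Windows client behaviour, where no Kerberos ticket is requested for an IP address.

```python
"""Check that a proxy PAC file addresses the explicit proxy by a host name
for which an HTTP/<host> SPN exists in the keytab.

Added example for this thread (not Fortinet code). Browsers request a
Kerberos service ticket for HTTP/<host exactly as written in the PAC>; if
that name is an IP literal or has no matching SPN, the client falls back
to NTLM, which `diagnose wad user list` then reports as auth_method NTLM.
"""

import ipaddress
import re

# Matches the "PROXY host:port" / "HTTPS host:port" directives that a
# FindProxyForURL() function returns. The \b keeps "FindProxyForURL" from
# matching; the host class stops at ':' so the port is captured separately.
_PROXY_RE = re.compile(r"\b(?:PROXY|HTTPS)\s+([^\s;:\"']+)(?::(\d+))?",
                       re.IGNORECASE)


def pac_proxy_hosts(pac_source):
    """Return the distinct proxy host names (lower-cased, in order) a PAC
    file can hand to the browser."""
    hosts = []
    for host, _port in _PROXY_RE.findall(pac_source):
        h = host.lower()
        if h not in hosts:
            hosts.append(h)
    return hosts


def spn_hosts(spns):
    """Extract the host part of HTTP/ SPNs, e.g.
    HTTP/fgt-proxy.corp.local@CORP.LOCAL -> fgt-proxy.corp.local.
    Non-HTTP SPNs (host/, cifs/, ...) are ignored because the browser
    only ever asks for the HTTP/ service class."""
    out = set()
    for spn in spns:
        service, _, rest = spn.partition("/")
        if service.upper() != "HTTP" or not rest:
            continue
        host = rest.split("@", 1)[0].split(":", 1)[0]
        out.add(host.lower())
    return out


def is_ip_literal(host):
    """True for IPv4/IPv6 literals, for which no HTTP/<ip> SPN is built."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_pac_against_spns(pac_source, spns):
    """Map each proxy host in the PAC to 'ok' (a Kerberos ticket can be
    requested) or to the reason clients would fall back to NTLM."""
    known = spn_hosts(spns)
    verdicts = {}
    for host in pac_proxy_hosts(pac_source):
        if is_ip_literal(host):
            verdicts[host] = "ip-literal: browser requests no HTTP/<ip> ticket"
        elif host in known:
            verdicts[host] = "ok"
        else:
            verdicts[host] = "no HTTP/ SPN in keytab for this exact name"
    return verdicts


# Constructed sample input: a PAC that names the proxy once by FQDN and once
# by IP address, and the single SPN that the keytab is assumed to contain.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    if (shExpMatch(host, "*.corp.local")) return "DIRECT";
    return "PROXY fgt-proxy.corp.local:8080; PROXY 10.1.100.1:8080; DIRECT";
}
"""
SAMPLE_SPNS = ["HTTP/fgt-proxy.corp.local@CORP.LOCAL"]


if __name__ == "__main__":
    for host, verdict in check_pac_against_spns(SAMPLE_PAC, SAMPLE_SPNS).items():
        print(f"{host:24s} {verdict}")
```

Run it against your real PAC and the output of setspn -L for the keytab account; any proxy entry that is not reported "ok" is one for which users will show up as NTLM in diagnose wad user list, regardless of how the keytab was generated.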
That could very well be it, good find!