we run through the handbook for FortiOS 6.0 to enable explicit proxy with kerberos authentication
Handbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library
We have done anything correctly, we think. Proxy address matches the address we used for spn/keytab.
kerb auth is correctly requested and send back
Response is with negotiate YII.... so its kerberos, fine
But we get this when we add, for example the domain users group to a rule
And in user events we can see this
Which is kind of not expected, but we cant figure out why this happens.
To our ldap/kdc/domain controller Server we have opened the ports 636 TCP and 88 TCP/UDP, we use LDAPS for LDAP connection which seems to work (able to browse ldap directory and connection test is successful)
SPN on Kerberos User is set to HTTP/<hostname we use for proxy access> through ktpass
We are able to browse ldap directory
For the LDAP configuration we use another user than the kerberos user
the realm is written in upper cases, so HTTP/<hostname we use for proxy access>@DOMAIN.LOCAL
Keytab was translated to base64 and the *.keytab files are created inside the forti, we can confirm through
fnsysctl ls -la /tmp/kt
Just one point, we see 2 keytab files created instead of 1.
We have defined auth rule and scheme
Still, it does not work and we have no idea why.
Additional question, is there a way to use multiple ldap/ad servers in "config user krb-keytab"? So we have no single point
We dont want to open port 450 and enable NTLM Authentication. Anyone an idea what we are doing wrong?