FortiOS explicit Proxy Kerberos Authentication High Availability/Failover Setup
Hi there,
After we resolved our problem with the general functionality of Kerberos Auth and explicit proxy (Solved: Re: FortiOS 6.0 Explicit Proxy Kerberos problem - Fortinet Community), we thought about how to get a failover/HA setup, since all of our domain controllers can be used as KDC.
We followed these steps (Handbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library) with the additional steps from the thread mentioned before. We have also read this: Technical Tip : Configuring FortiProxy Kerberos au... - Fortinet Community
But in all examples and handbooks we are aware of, there is this part of the config:
config user krb-keytab
edit "http_service"
set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL" <<< Same as the principal name in the ktpass command on Windows Server
set ldap-server "dc01" <<< the defined ldap server for authorization
set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <<< base64 encoded keytab data, created in step 5 of general setup
next
end
Have a look at the highlighted line (set ldap-server). We can only define one LDAP server: no second one, no backup, nothing. So if this single server fails, the whole thing is broken.
So how do we fix this single point of failure? Any ideas?
Thanks in advance
Labels: FortiGate
Hi,
Under the LDAP server object, you can define primary and secondary LDAP servers.
So your LDAP server entry will have two LDAP servers:
- Primary
- Secondary
Ahmad
You can configure up to three server-addresses in the LDAP server object's configuration (CLI-only): set secondary-server + set tertiary-server.
Thanks @pminarik @aahmadzada
It is a bit confusing that most examples (and the handbook) talk about config user ldap and then "edit" a server name instead of a domain name/realm, which makes much more sense when there are a second and third server that can be defined. Thanks again for pointing me in the right direction.
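The configuration the thread arrives at, written out as an added example (it is not from the original posts or from Fortinet's documentation): one config user ldap object named after the realm rather than after a single domain controller, carrying three DCs as primary, secondary and tertiary server, and the keytab entry and the authorization group both referencing that one object. The host names dc01/dc02/dc03, the bind account, the base DN, the CA certificate name and the group DN are assumptions for illustration; the principal is the one already shown in the thread. The # lines are explanatory comments and should be dropped before pasting into the CLI.

```fortios
# Added example, not the thread's or Fortinet's own config. Host names,
# bind DN, base DN, CA name and group DN are assumptions for illustration.
config user ldap
    edit "MT-TEST.LOCAL"
        # the FortiGate tries these in order; all three are domain controllers
        set server "dc01.mt-test.local"
        set secondary-server "dc02.mt-test.local"
        set tertiary-server "dc03.mt-test.local"
        set cnid "sAMAccountName"
        set dn "dc=mt-test,dc=local"
        # regular bind: group lookups need a read-only service account
        set type regular
        set username "cn=svc-ldap,ou=Service Accounts,dc=mt-test,dc=local"
        set password "<bind password>"
        # LDAPS with CA validation so the bind credential is never sent in clear
        set secure ldaps
        set port 636
        set ca-cert "MT-TEST-Root-CA"
    next
end

config user krb-keytab
    edit "http_service"
        set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL"
        # still a single value, but the object behind it now has three servers
        set ldap-server "MT-TEST.LOCAL"
        # must be the base64 keytab from your own ktpass run for this principal;
        # the blob in the thread decodes to the handbook's BERBER.COM example
        set keytab "<base64 keytab from ktpass>"
    next
end

config user group
    edit "proxy-users"
        # authorization is done against the same LDAP object
        set member "MT-TEST.LOCAL"
        config match
            edit 1
                set server-name "MT-TEST.LOCAL"
                set group-name "cn=Proxy Users,ou=Groups,dc=mt-test,dc=local"
            next
        end
    next
end
```

Two things worth keeping apart when reasoning about failover here: the keytab lets the FortiGate validate the client's SPNEGO ticket locally, so ticket issuance depends only on whichever DC the client obtained its ticket from; the ldap-server reference is used afterwards for the group lookup (authorization), and that is the lookup the secondary and tertiary entries protect. Because the object name is referenced from both config user krb-keytab and config user group, rename it consistently if you migrate from a per-server name such as "dc01" to a realm name.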
