after we resolved our problem with the general functionality with Kerberos Auth and explicit Proxy (Solved: Re: FortiOS 6.0 Explicit Proxy Kerberos problem - Fortinet Community), we thought about how to get an failover/ha setup while our domain controller all can be used as KDC
We followed these steps Handbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library with additonal steps in the mentioned thread before. Also have read this Technical Tip : Configuring FortiProxy Kerberos au... - Fortinet Community
But in any examples, handbooks we are aware....there is this part of the config
config user krb-keytab
set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL" <<< Same as the principal name in the ktpass command on Windows Server
set ldap-server "dc01" <<< the defined ldap server for authorization
set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <<< base64 encoded keytab data, created in step 5 of general setup
Have a look at the red highlight. We only can define one ldap server, no second one, no backup, nothing. So if this single server fails the whole thing is broken.
So how to fix this single point? Any ideas?
Thanks in advance