Hi there,
after we resolved our problem with the general functionality with Kerberos Auth and explicit Proxy (Solved: Re: FortiOS 6.0 Explicit Proxy Kerberos problem - Fortinet Community), we thought about how to get an failover/ha setup while our domain controller all can be used as KDC
We followed these steps Handbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library with additonal steps in the mentioned thread before. Also have read this Technical Tip : Configuring FortiProxy Kerberos au... - Fortinet Community
But in any examples, handbooks we are aware....there is this part of the config
config user krb-keytab
edit "http_service"
set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL" <<< Same as the principal name in the ktpass command on Windows Server
set ldap-server "dc01" <<< the defined ldap server for authorization
set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <<< base64 encoded keytab data, created in step 5 of general setup
next
end
Have a look at the red highlight. We only can define one ldap server, no second one, no backup, nothing. So if this single server fails the whole thing is broken.
So how to fix this single point? Any ideas?
Thanks in advance
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Under the LDAP Server, you can define Primary and secondary LDAP servers
So your LDAP server entry will have two LDAP servers:
Primary
Secondary
Ahmad
Hi,
Under the LDAP Server, you can define Primary and secondary LDAP servers
So your LDAP server entry will have two LDAP servers:
Primary
Secondary
Ahmad
You can configure up to three server-addresses in the LDAP server object's configuration (CLI-only): set secondary-server + set tertiary-server.
thanks @pminarik @aahmadzada
A bit confusing that most examples (and handbook) talk about config user ldap and then "edit" servername instead of domain name/realm which makes much more sense when theres a second and third server which can be defined. Thanks again to pointing me again in the right direction
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.