Hello,
I have a question about kerberos authentication. Seeing this doc:
Why do I need the kerberos authentcation? I mean what would be the difference if I do not configure the kerberos part and I do configure the rest (LDAP,groups, and add group to proxy policy)?
If I do not configure the kerberos part I would still have the active authentication (autentication windows popup on browser) the a user tries to go to internet,right?
I do not the benefit added with kerberos. Is it to just add SSO like authentication (passive authentication) ??
I am new to kerberos protocol...
thank you in advance.
Regars!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@kamarale
The Poll works for the FSSO agent. If you have the FSSO agents installed then it pools the additional information from the server. If you cannot install the FSSO agent therefore we can continue adding the LDAP server from the FortiGate GUI under the User and authentication.
Kerberos configuration is required for Kerberos authentication, if you decide you want to use Kerberos authentication. :)
The webproxy-native authentication methods are as follows:
Kerberos: Needs the Kerberos config
NTLM: Needs different configuration for NTLM itself (or can proxied via Collector to the Domain, but this is not used much anymore)
Basic: Just the basic base64-encoded (and thus insecure!) username:password method - You need only access to the relevant user-database, be it local users, or LDAP users (with LDAP server configured)
Out of these three, Kerberos is the most secure, and the most modern.
(basic is "just plain bad" for a plaintext webproxy and NTLM is being phased out by Microsoft)
Hello,
Thanks for the reply.
But what would I gain if I use kerberos auth? I mean Is this optional right?
I have configured several Fortigates (without explicit proxy) with active auth, just adding LDAP server,LDAP groups and works ok....with nothing about kerberos.
My doubt is, why when I use explicit proxy I have to configure kerberos auth ? Or why is it recommended? What if I do not configure it and the authentication part (LDAP server,groups,etc) would be almost the same as if I do not use explicit proxy (I mean just plain active auth as in the case I mentioned earlier).
To sum up, why in explicit proxy I use kerberos and without explicit proxy I do not use it. And if I do not use it is less secure....
Thank you!
Regards
Benefits of Kerberos for explicit proxy:
- more secure (as I noted already)
- native integration with domain-joined Windows machines: If correctly configured (on both the FGT and Win clients), the resulting behaviour can be seamless authentication (not visible to users).
If you like that and it is worth the effort of setting it up, it may be a good option for you. But it absolutely isn't mandatory. Completely up to your design and goals.
It technically could be done for non-explicit-proxy firewall policies, but it's not implemented in FortiOS. And it wouldn't be fully seamless either (the flow would still need to involve a redirect to a captive portal).
A variant of this is debatably applicable to firewall policies when using them in tandem with "transparent explicit proxy" policies, but the name betrays that this involves the explicit proxy again. :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.