Hello, for a customer I have configured Kerberos authentication over explicit proxy. When the customer is in the LAN, Kerberos authentication works fine: the user and the AD group membership are recognized by the FortiGate. When the user is working over a Microsoft DirectAccess server, the user on the DirectAccess server is recognized but not the AD group membership of the user. It is the same behaviour when the user is connected over FortiClient IPsec VPN. The user and the client IP address are recognized but not the AD group membership.
Does anybody have an idea? Is there some config missing? Thanks, Judit
I have found the solution on Google:
Turns out that this was a problem with Windows Kerberos using UDP. There was a registry hack we had to make on all systems that forced Kerberos to use TCP. This corrected the issue. Please check MS tech note Q244474 entitled "How to force Kerberos to use TCP instead of UDP". https://support.microsoft...tead-of-udp-in-windows
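
The registry change referred to above, as an added example that is not part of the original posts: a PowerShell script that audits a client and, with `-Apply`, sets the value. The key path, the value name `MaxPacketSize` and the value `1` are taken from Microsoft's KB244474, not from this thread; the `-Apply` switch and the function name are hypothetical names chosen for this example.

```powershell
# Added example: audit or set the Kerberos client setting that forces TCP.
# Key path and value name follow Microsoft KB244474 (not stated in the thread).
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'MaxPacketSize'
$Desired   = 1       # messages larger than 1 byte are sent over TCP

function Get-KerberosMaxPacketSize {
    # Returns the configured value, or $null when the value is not set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-KerberosMaxPacketSize
if ($current -eq $Desired) {
    Write-Output "$env:COMPUTERNAME: $ValueName is already $Desired (Kerberos forced to TCP)."
    return
}

$shown = if ($null -eq $current) { 'not set (OS default applies)' } else { $current }
Write-Output "$env:COMPUTERNAME: $ValueName is $shown."

if (-not $Apply) {
    Write-Output "Audit only. Re-run with -Apply from an elevated prompt to set it to $Desired."
    return
}

# Writing under HKLM requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Administrator rights are required to change this value.'
}

# The Parameters key may not exist on a default installation.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null

Write-Output "$ValueName set to $(Get-KerberosMaxPacketSize). Restart the computer for the change to take effect."
```

Running it without `-Apply` on the affected DirectAccess and VPN clients first shows which machines still need the change before anything is written.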