FortzaDavid
New Contributor

Kerberos Keytab

Hi Forti People,

 

I am currently struggling to implement Kerberos on my FortiGate, especially loading the keytab into the box, which seems to be invalid every time. What are the special things not to miss during this implementation?

 

base64-encoded with any line feed, @REALM in capitals ... no more ideas...

 

Many thanks for your help !

xsilver_FTNT
Staff

Hi,

- Be very careful about line breaks on Windows; Notepad++ is useful, or move the keytab generated via ktpass to some Unix/Linux machine and base64-encode it there.

- Wrap the base64-encoded keytab string in quotation marks when putting it into the FGT's CLI.

 

If the Windows version of Base64 does not work well for you, then there are a few alternatives (besides a Linux box) even on Windows.

 

Let's say I generated the keytab this way (one-line command!):

ktpass -princ HTTP/fgt.test.local@TEST.LOCAL -mapuser testfgt -pass testfgt -crypto all -ptype KRB5_NT_PRINCIPAL -out C:\_Kerberos\testfgt.keytab

Then here are a few alternative ways which worked for me:

1. native Windows: certutil -encode testfgt.keytab testfgt.keytab.base64

2. OpenSSL: # openssl base64 -in testfgt.keytab -out testfgt.keytab.base64

 

Results can be checked with:

ktpass /in testfgt.keytab

 

Then an LDAP server pointing to the DC where I generated the keytab (for simplicity) is set on the FGT.

 

# config needed for authorization; server IP should be the same as the KDC server
config user ldap
    edit "W2012"
        set server "10.10.10.10"
        set cnid "cn"
        set dn "dc=test,dc=local"
        set type regular
        set username "CN=administrator,CN=Users,DC=test,DC=local"
        set password YourSuperSecretPassword
    next
end

# principal is the same as used in General Config, with the DNS name of the FGT as fgt.test.local
config user krb-keytab
    edit "http_service"
        set principal "HTTP/fgt.test.local@TEST.LOCAL"
        set ldap-server "W2012"
        set keytab "BQIAAAA5AAIAClRFU1QuTE9DQUwABEhUVFAADmZndC50ZXN0LmxvY2FsAAAAAQAAAAAEAAEACINPyDLWnrz0AAAAOQACAApURVNULkxPQ0FMAARIVFRQAA5mZ3QudGVzdC5sb2NhbAAAAAEAAAAABAADAAiDT8gy1p689AAAAEEAAgAKVEVTVC5MT0NBTAAESFRUUAAOZmd0LnRlc3QubG9jYWwAAAABAAAAAAQAFwAQvDI09BpOueOpLqgKZYV7cwAAAFEAAgAKVEVTVC5MT0NBTAAESFRUUAAOZmd0LnRlc3QubG9jYWwAAAABAAAAAAQAEgAg3Lrdi7/EeMQPyLxeNJI6k7V1R+HPPdRk9ayWxNKITcYAAABBAAIAClRFU1QuTE9DQUwABEhUVFAADmZndC50ZXN0LmxvY2FsAAAAAQAAAAAEABEAEDurSCpkwsFpVoOI+hfMzRk="
    next
end

# user group used for authentication; uses the same LDAP and matches 2 AD groups - 'Domain Users' and 'testgroup'
config user group
    edit "testgroup"
        set member "W2012"
        config match
            edit 1
                set server-name "W2012"
                set group-name "CN=Domain Users,CN=Users,DC=test,DC=local"
            next
            edit 2
                set server-name "W2012"
                set group-name "CN=testgroup,CN=Users,DC=test,DC=local"
            next
        end
    next
end

 

The above groups are then used in policies.

 

Client Workstation

 

Once the user logs on to a workstation which is a domain member, he should have some Kerberos tokens listed in the klist command output.

If an explicit proxy is used/set on the FGT, then set the proxy in the browser.

Open some page, get HTTP 407 Proxy Authentication Required, with Negotiate as the method.

The workstation should know the KRBTGT and request a ticket from the KDC with KRB-TGS-REQ. It includes the realm TEST.LOCAL in req-body, and instances SNAME and the service as HTTP/fgt.test.local.

The KDC should respond with KRB-TGS-REP and from then on the ticket should be present on the client.

 

Klist example

#2>     Client: test @ test.local
        Server: HTTP/fgt.test.local @ TEST.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 12/6/2016 14:59:45 (local)
        End Time: 12/7/2016 0:58:04 (local)
        Renew Time: 12/13/2016 14:58:04 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

 

 

Quite a nice guide is on the Docs site, including an example of how to generate it and put it into the CLI, even with parts on how to generate it on Windows Server - https://docs.fortinet.com/document/fortigate/6.0.0/handbook/926128/kerberos

(something like the second result I got on the Docs.fortinet.com site for the keywords "explicit proxy kerberos")

AFAIR that help/cookbook, or a very similar one, did work for me in the past (the above outputs are from my working-setup test notes).

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
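An added check for the keytab steps in the answer above (a Python script written for this page, not code from Fortinet or from the thread): both certutil -encode and openssl base64 wrap their output at 64 characters, and certutil additionally adds -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines, so the file never comes out as the one-line string that "set keytab" expects. The script collapses such output to a single line, then parses the MIT version-2 keytab structure to confirm the principal, realm case, kvno and encryption types before anything is pasted into the CLI. The sample input is the keytab string posted in the answer; the function names, the emulated certutil wrapping and the list of checks are assumptions of this example.

```python
import base64
import re
import struct

# Constructed sample input: the base64 keytab string posted in the answer above
# (HTTP/fgt.test.local@TEST.LOCAL, lab keys that are already public on this thread).
KEYTAB_B64 = (
    "BQIAAAA5AAIAClRFU1QuTE9DQUwABEhUVFAADmZndC50ZXN0LmxvY2FsAAAAAQAAAAAEAAEACINPyDLWnrz0"
    "AAAAOQACAApURVNULkxPQ0FMAARIVFRQAA5mZ3QudGVzdC5sb2NhbAAAAAEAAAAABAADAAiDT8gy1p689AAA"
    "AEEAAgAKVEVTVC5MT0NBTAAESFRUUAAOZmd0LnRlc3QubG9jYWwAAAABAAAAAAQAFwAQvDI09BpOueOpLqgKZYV7cwAA"
    "AFEAAgAKVEVTVC5MT0NBTAAESFRUUAAOZmd0LnRlc3QubG9jYWwAAAABAAAAAAQAEgAg3Lrdi7/EeMQPyLxeNJI6k7V1R+HPPdRk9ayWxNKITcYAAABB"
    "AAIAClRFU1QuTE9DQUwABEhUVFAADmZndC50ZXN0LmxvY2FsAAAAAQAAAAAEABEAEDurSCpkwsFpVoOI+hfMzRk="
)

# Kerberos enctype numbers (RFC 3961/3962/4757); 1, 3 and 23 are the weak legacy types.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


def certutil_style(one_line):
    """Emulate 'certutil -encode' output: PEM-style header/footer, 64-char lines, CRLF."""
    body = "\r\n".join(one_line[i:i + 64] for i in range(0, len(one_line), 64))
    return "-----BEGIN CERTIFICATE-----\r\n" + body + "\r\n-----END CERTIFICATE-----\r\n"


def normalize_keytab_b64(text):
    """Collapse certutil/openssl output (header lines, CRLF, 64-char wrapping) into the
    single-line base64 string 'set keytab' expects, and make sure it still decodes."""
    lines = (ln.strip() for ln in text.splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    body = re.sub(r"\s+", "", body)
    # validate=True rejects stray characters instead of silently discarding them
    raw = base64.b64decode(body, validate=True)
    if raw[:2] != b"\x05\x02":
        raise ValueError("decoded data is not a version-2 (0x0502) keytab")
    return body


def _counted_string(raw, pos):
    """MIT keytab counted_octet_string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack(">H", raw[pos:pos + 2])
    return raw[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def parse_keytab(raw):
    """Parse MIT keytab version-2 bytes into a list of entry dicts.
    Per entry: int32 size, uint16 num_components, realm, components, uint32 name_type,
    uint32 timestamp, uint8 vno8, uint16 enctype, uint16 keylen, key[, uint32 vno]."""
    if raw[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(raw):
        (size,) = struct.unpack(">i", raw[pos:pos + 4])
        pos += 4
        if size <= 0:              # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        if end > len(raw):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack(">H", raw[pos:pos + 2])
        pos += 2
        realm, pos = _counted_string(raw, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(raw, pos)
            comps.append(comp)
        name_type, _timestamp = struct.unpack(">II", raw[pos:pos + 8])
        pos += 8
        kvno = raw[pos]
        pos += 1
        enctype, keylen = struct.unpack(">HH", raw[pos:pos + 4])
        pos += 4
        pos += keylen              # the key bytes themselves are not needed for the check
        if end - pos >= 4:         # optional 32-bit kvno that overrides the 8-bit field
            (vno32,) = struct.unpack(">I", raw[pos:pos + 4])
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "name_type": name_type, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "keylen": keylen})
    return entries


def check_keytab(text, expected_principal):
    """Return (single_line_b64, entries, problems) for a keytab as it would be pasted into
    'config user krb-keytab'; problems is empty when nothing obvious is wrong with it."""
    one_line = normalize_keytab_b64(text)
    entries = parse_keytab(base64.b64decode(one_line))
    problems = []
    if not entries:
        problems.append("keytab has no entries")
    for e in entries:
        if e["principal"] != expected_principal:
            problems.append("principal %s does not match %s" % (e["principal"], expected_principal))
        if e["realm"] != e["realm"].upper():
            problems.append("realm %s is not upper-case" % e["realm"])
    if entries and all(e["enctype"] in WEAK_ENCTYPES for e in entries):
        problems.append("only DES/RC4 keys present; AES service tickets could not be decrypted")
    return one_line, entries, problems


if __name__ == "__main__":
    line, ents, probs = check_keytab(certutil_style(KEYTAB_B64), "HTTP/fgt.test.local@TEST.LOCAL")
    for e in ents:
        print("%-32s kvno=%d %-24s (%d-byte key)" % (e["principal"], e["kvno"], e["enctype_name"], e["keylen"]))
    print("problems:", probs or "none")
    print('set keytab "%s"' % line)
```

Run against the posted blob, this lists five keys for HTTP/fgt.test.local@TEST.LOCAL with kvno 4 (des-cbc-crc, des-cbc-md5, rc4-hmac, aes256 and aes128, which is what -crypto all produces), and prints the exact set keytab line to paste. If ktpass is re-run for the same account, the kvno in the keytab will no longer match the one the KDC issues tickets with, and the comparison above is the quickest way to see it. On Windows the same single-line string can be produced directly with PowerShell, [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\_Kerberos\testfgt.keytab')), and with OpenSSL the -A option of openssl base64 disables the line wrapping.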

FortzaDavid

 

Thanks for your help Tom, the issue is solved.

I have understood now that the base64 file should be only 1 line long.

Adding recursive search on my DC and setting pac-data disable solved all my issues. BTW, the CLI returns clear error messages compared to the web admin page.

 

Again many thanks !!

 
