Hi Forti People,
I am currently struggling to implement Kerberos on my FortiGate, especially loading the keytab into the box, which seems to be invalid every time. What are the special things not to miss during this implementation?
base64 encoded with any line feed, @REALM in capitals ... no more ideas...
Many thanks for your help!
Hi,
- be very careful about line breaks on Windows; Notepad++ is useful, or move the keytab generated via ktpass to some Unix/Linux machine and base64 encode it there
- wrap the base64-encoded keytab string in quotation marks when putting it into the FGT's CLI
If the Windows version of Base64 does not work well for you, then there are a few alternatives (besides a Linux box) even on Windows.
Let's say I generated the keytab this way (one-line command!): ktpass -princ HTTP/fgt.test.local@TEST.LOCAL -mapuser testfgt -pass testfgt -crypto all -ptype KRB5_NT_PRINCIPAL -out C:\_Kerberos\testfgt.keytab
Then here are a few alternative ways which worked for me:
1. native Windows part ... certutil -encode testfgt.keytab testfgt.keytab.base64
2. OpenSSL ... # openssl base64 -in testfgt.keytab -out testfgt.keytab.base64
Results can be checked by:
ktpass /in testfgt.keytab
Then an LDAP server pointing to the DC where I generated the keytab (for simplicity) is set in the FGT.
# config needed for authorization; the server IP should be the same as the KDC server
config user ldap
    edit "W2012"
        set server "10.10.10.10"
        set cnid "cn"
        set dn "dc=test,dc=local"
        set type regular
        set username "CN=administrator,CN=Users,DC=test,DC=local"
        set password YourSuperSecretPassword
    next
end
# the principal is the same as used in General Config, with the DNS name of the FGT as fgt.test.local
config user krb-keytab
    edit "http_service"
        set principal "HTTP/fgt.test.local@TEST.LOCAL"
        set ldap-server "W2012"
        set keytab "BQIAAAA5AAIAClRFU1QuTE9DQUwABEhUVFAADmZndC50ZXN0LmxvY2FsAAAAAQAAAAAEAAEACINPyDLWnrz0AAAAOQACAApURVNULkxPQ0FMAARIVFRQAA5mZ3QudGVzdC5sb2NhbAAAAAEAAAAABAADAAiDT8gy1p689AAAAEEAAgAKVEVTVC5MT0NBTAAESFRUUAAOZmd0LnRlc3QubG9jYWwAAAABAAAAAAQAFwAQvDI09BpOueOpLqgKZYV7cwAAAFEAAgAKVEVTVC5MT0NBTAAESFRUUAAOZmd0LnRlc3QubG9jYWwAAAABAAAAAAQAEgAg3Lrdi7/EeMQPyLxeNJI6k7V1R+HPPdRk9ayWxNKITcYAAABBAAIAClRFU1QuTE9DQUwABEhUVFAADmZndC50ZXN0LmxvY2FsAAAAAQAAAAAEABEAEDurSCpkwsFpVoOI+hfMzRk="
    next
end
# user group used for authentication; uses the same LDAP server and matches 2 AD groups, 'Domain Users' and 'testgroup'
config user group
    edit "testgroup"
        set member "W2012"
        config match
            edit 1
                set server-name "W2012"
                set group-name "CN=Domain Users,CN=Users,DC=test,DC=local"
            next
            edit 2
                set server-name "W2012"
                set group-name "CN=testgroup,CN=Users,DC=test,DC=local"
            next
        end
    next
end
The above groups are then used in policies.
Client Workstation
Once the user logs on to a workstation which is a domain member, he should have some Kerberos tokens listed in the klist command output.
If an explicit proxy is used/set on the FGT, then set the proxy in the browser.
Open some page, get HTTP 407 Proxy Authentication Required, with Negotiate as the method.
The workstation should know the KRBTGT and request a ticket from the KDC with KRB-TGS-REQ. It includes realm TEST.LOCAL in req-body, and instances SNAME and service as HTTP/fgt.test.local.
The KDC should respond with KRB-TGS-REP, and from then on the ticket should be present on the client.
Klist example
#2> Client: test @ test.local
    Server: HTTP/fgt.test.local @ TEST.LOCAL
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
    Start Time: 12/6/2016 14:59:45 (local)
    End Time: 12/7/2016 0:58:04 (local)
    Renew Time: 12/13/2016 14:58:04 (local)
    Session Key Type: RSADSI RC4-HMAC(NT)
A quite nice guide is on the Docs site, including an example of how to generate it and put it into the CLI, even with parts on how to generate it on Windows Server - https://docs.fortinet.com/document/fortigate/6.0.0/handbook/926128/kerberos
(something like the second result I got on docs.fortinet.com for the keywords "explicit proxy kerberos")
AFAIR that help/cookbook, or a very similar one, did work for me in the past (the above outputs are from my working setup test notes).
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
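The two traps in the answer above (line breaks that the Windows base64 tools add, and a principal or realm that does not match what the KDC puts in the ticket) can both be caught before the string reaches `set keytab`. The following Python script is an added example and is not part of the forum post or of Fortinet's documentation: it collapses certutil/openssl output to the single line the FGT CLI wants, parses the keytab file format (version 0x0502, which is what ktpass writes) and lists the principal, kvno and enctype of every entry, then flags a lower-case realm, a principal mismatch, or a keytab holding only DES keys. The sample input is the lab keytab from the config above, re-wrapped here as constructed certutil-style output; the function names are this example's own.

```python
"""Check a Kerberos keytab before pasting it into FortiGate's 'config user krb-keytab'.

Added example, not code from the forum post or from Fortinet.  Assumptions:
  - the keytab uses file format version 0x0502 (what ktpass, ktutil and kadmin write);
  - the base64 text may be raw 'certutil -encode' or 'openssl base64' output, i.e.
    wrapped at 60-64 columns, with CRLF and possibly -----BEGIN/END----- lines.
"""
import base64
import binascii
import struct

# Enctype numbers (RFC 3961/3962/4757) an AD domain controller puts into keytabs.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Lab keytab for HTTP/fgt.test.local@TEST.LOCAL, copied from the config posted in the
# thread, as the one line FortiGate expects.
SAMPLE_KEYTAB_B64 = (
    "BQIAAAA5AAIAClRFU1QuTE9DQUwABEhUVFAADmZndC50ZXN0LmxvY2FsAAAA"
    "AQAAAAAEAAEACINPyDLWnrz0AAAAOQACAApURVNULkxPQ0FMAARIVFRQAA5m"
    "Z3QudGVzdC5sb2NhbAAAAAEAAAAABAADAAiDT8gy1p689AAAAEEAAgAKVEVT"
    "VC5MT0NBTAAESFRUUAAOZmd0LnRlc3QubG9jYWwAAAABAAAAAAQAFwAQvDI0"
    "9BpOueOpLqgKZYV7cwAAAFEAAgAKVEVTVC5MT0NBTAAESFRUUAAOZmd0LnRl"
    "c3QubG9jYWwAAAABAAAAAAQAEgAg3Lrdi7/EeMQPyLxeNJI6k7V1R+HPPdRk"
    "9ayWxNKITcYAAABBAAIAClRFU1QuTE9DQUwABEhUVFAADmZndC50ZXN0Lmxv"
    "Y2FsAAAAAQAAAAAEABEAEDurSCpkwsFpVoOI+hfMzRk="
)

# The same keytab the way 'certutil -encode' writes it: constructed sample input with a
# PEM-style header/footer, 60-column wrapping and Windows line endings.
SAMPLE_CERTUTIL_OUTPUT = "\r\n".join(
    ["-----BEGIN CERTIFICATE-----"]
    + [SAMPLE_KEYTAB_B64[i:i + 60] for i in range(0, len(SAMPLE_KEYTAB_B64), 60)]
    + ["-----END CERTIFICATE-----", ""]
)


def normalize_base64(text: str) -> str:
    """Return the base64 as one line: drop BEGIN/END lines, CR/LF and surrounding blanks.

    Raises binascii.Error if what is left is not clean base64 (e.g. a stray character
    pasted from an editor), so the caller learns about it before the FGT does.
    """
    chunks = [ln.strip() for ln in text.splitlines()]
    one_line = "".join(c for c in chunks if c and not c.startswith("-----"))
    base64.b64decode(one_line, validate=True)
    return one_line


def _counted(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read a uint16 length-prefixed field at off; return (field bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("truncated counted field")
    return buf[off + 2:end], end


def parse_keytab(data: bytes) -> list[dict]:
    """Parse a version-0x0502 keytab into one dict per key entry.

    Entry layout (big-endian): int32 size, uint16 num_components, counted realm,
    num_components counted name parts, int32 name_type, uint32 timestamp, uint8 vno8,
    uint16 enctype, counted key, and a uint32 kvno only if the entry has room for it.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError(f"not a version 0x0502 keytab (magic {data[:2].hex()})")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        if size == 0:
            break
        entry, off = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, off)
        off += 2
        realm, off = _counted(entry, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp.decode("utf-8"))
        name_type, timestamp = struct.unpack_from(">iI", entry, off)
        off += 8
        kvno = entry[off]
        off += 1
        (enctype,) = struct.unpack_from(">H", entry, off)
        off += 2
        key, off = _counted(entry, off)
        if off + 4 <= size:     # 32-bit kvno present (MIT writes it, ktpass does not)
            (vno32,) = struct.unpack_from(">I", entry, off)
            kvno = vno32 or kvno
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode("utf-8"),
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key_len": len(key),
        })
        pos += size
    return entries


def load_keytab(b64_text: str) -> list[dict]:
    """Normalize pasted base64 text and parse the keytab it encodes."""
    return parse_keytab(base64.b64decode(normalize_base64(b64_text), validate=True))


def check_keytab(b64_text: str, expected_principal: str) -> list[str]:
    """Return the problems that would make the FGT reject this keytab or never match it.

    An empty list means the base64 is clean, every entry is for expected_principal
    (compared case-sensitively, so 'test.local' vs 'TEST.LOCAL' is caught) and at least
    one key is RC4 or AES; DES-only keytabs are useless because current Windows
    versions disable DES by default.
    """
    try:
        entries = load_keytab(b64_text)
    except binascii.Error as exc:
        return [f"base64 does not decode cleanly: {exc}"]
    except ValueError as exc:
        return [f"keytab does not parse: {exc}"]
    if not entries:
        return ["keytab contains no key entries"]
    problems = []
    for principal in sorted({e["principal"] for e in entries}):
        if principal != expected_principal:
            problems.append(f"entry is for {principal}, expected {expected_principal}")
        realm = principal.rsplit("@", 1)[-1]
        if realm != realm.upper():
            problems.append(f"realm {realm!r} is not upper-case")
    if not any(e["enctype"] in (17, 18, 23) for e in entries):
        problems.append("no RC4 or AES key in keytab, only DES")
    kvnos = {e["kvno"] for e in entries}
    if len(kvnos) > 1:
        problems.append(f"entries carry different kvno values {sorted(kvnos)}")
    return problems


if __name__ == "__main__":
    for e in load_keytab(SAMPLE_CERTUTIL_OUTPUT):
        print(f"{e['principal']:32} kvno={e['kvno']} {e['enctype_name']} ({e['key_len'] * 8}-bit key)")
    print("problems:", check_keytab(SAMPLE_CERTUTIL_OUTPUT, "HTTP/fgt.test.local@TEST.LOCAL") or "none")
```

Point it at your own file by replacing the sample constant with `open("testfgt.keytab.base64").read()` and the expected principal with the one you pass to `set principal`; the string `normalize_base64` returns is what goes between the quotation marks in `set keytab`. A reported kvno that differs from the one the KDC holds (compare with `ktpass /in`) means the account password was reset after the keytab was cut, and the keytab has to be regenerated.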
Thanks for your help Tom, the issue is solved.
I have understood now that the base64 file should be only 1 line long.
Adding recursive search on my DC and setting pac-data disable solved all my issues. BTW, the CLI returns clear error messages compared to the web admin page.
Again many thanks!!