Sadhi_Jayz
New Contributor II

Kerberos in FortiGate for SSO

Hi All,

 

I need to configure my firewall to identify users using Kerberos for single sign-on without the use of an explicit proxy. I was only able to find articles on Kerberos authentication with an explicit proxy.

 

My Device : FG-401F

OS Version : 7.0.15

 

Thank you !...

 

1 Solution
Atul_S
Staff

Hi Sadhi,

 

You have to have a proxy feature enabled to help intercept the layer 7 handling for the Kerberos authentication, since Kerberos is a layer 7 protocol. You may resort to FSSO or local auth using a captive portal, but if you want to leverage Kerberos then the proxy feature has to be enabled and, to my knowledge, this is vendor independent and it's the way Kerberos requires the underlay mechanism. With the proxy only, FortiGate can inspect and intercept the HTTP headers and negotiate the Kerberos ticket exchange. You may refer to the docs below to consider using transparent proxy on your device, and to the RFC for a detailed read about Kerberos auth.

 

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/15908/transparent-proxy

 

https://datatracker.ietf.org/doc/html/rfc4120

 

 

Thanks,

Atul Srivastava
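
An added example, not part of the original reply or of any Fortinet code: when a proxy negotiates Kerberos over HTTP, the client's token arrives in a `Negotiate` header (RFC 4559), and a common troubleshooting check is whether the browser offered Kerberos or fell back to NTLM. The Python below classifies a captured `Authorization` or `Proxy-Authorization` header value by reading the first mechanism OID in the SPNEGO token; the names `classify`, `tlv`, `der` and `sample` are assumptions of this example, and the sample tokens are constructed.

```python
import base64

# DER-encoded mechanism OIDs that can appear in a Negotiate token.
KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (legacy Microsoft)
NTLM = bytes.fromhex("2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10
SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLM: "ntlm"}

def tlv(buf):
    """Read one DER element and return (tag, value, remainder)."""
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:                                 # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    if len(buf) < i + n:
        raise ValueError("truncated DER element")
    return tag, buf[i:i + n], buf[i + n:]

def classify(header_value):
    """Map an Authorization header value to 'kerberos', 'ntlm' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "ntlm" if scheme.lower() == "ntlm" else "unknown"
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):       # raw NTLM carried in Negotiate
            return "ntlm"
        tag, body, _ = tlv(tok)                  # 0x60: GSS-API initial token
        _, oid, rest = tlv(body)
        if tag != 0x60 or oid != SPNEGO:         # not SPNEGO: maybe a bare mechanism token
            return MECHS.get(oid, "unknown") if tag == 0x60 else "unknown"
        for _ in range(5):                       # [0] NegTokenInit > SEQUENCE >
            _, rest, _ = tlv(rest)               # [0] mechTypes > SEQUENCE > first OID
        return MECHS.get(rest, "unknown")        # first OID = client's preferred mechanism
    except (ValueError, IndexError):             # bad base64 or malformed DER
        return "unknown"

def der(tag, value):                             # sample builder: short-form length only
    return bytes([tag, len(value)]) + value

def sample(*mech_oids):
    """Constructed SPNEGO NegTokenInit offering mech_oids in order, with a dummy mechToken."""
    mechs = der(0xA0, der(0x30, b"".join(der(0x06, m) for m in mech_oids)))
    init = der(0xA0, der(0x30, mechs + der(0xA2, der(0x04, b"constructed"))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + init)).decode()

if __name__ == "__main__":
    print(classify(sample(KRB5, NTLM)), classify(sample(NTLM)))
```

An `ntlm` result for a domain-joined client usually means the browser could not obtain a service ticket for the proxy's name, so SPN registration, DNS and the browser's trusted-site settings are the first things to check.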


Sadhi_Jayz
New Contributor II

Thank You Atul. Information noted !..
