Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jamie_P
New Contributor

Multi Domain / Forest Kerberos Authentication

Hi all,

 

Has anybody managed to get Kerberos authentication working in a multi-AD-domain or multi-forest environment who might be willing to help?

 

Using Fortigate 6.2 (happy to upgrade if necessary!), I have readily managed to get Kerberos working with the following setup:

 

- User account setup in root domain with keytab exported and imported into Fortigate

- Authentication scheme and rule setup for kerberos (and indeed can fall back to forms authentication if need be)

- Proxy Policies configured

- LDAP server and group setup and tested as authenticating successfully

 

Upon testing, all works well - 407 challenge is issued, user presents kerberos ticket, Fortigate accepts, matches group, correct policy applied - success!

 

The trouble comes when trying to authenticate users in another domain. I can setup an additional LDAP server entry pointing at a different domain controller - this can be tested as authenticating a user in the (in this case child) second domain successfully. When however the user tries to authenticate in this example, the Fortigate always (according to the debug trace) tries to authenticate the user against the first domain, even when the username is being set as the full UPN (user@child.parent.org). This of course fails, because the user isn't in the parent domain they are in the child one.

 

The problem is that I can't see anyway of making the Fortigate choose a different LDAP server entry based on the UPN of the user - it always just uses the first authentication rule / scheme.

 

I guess the question is - is there any way of 'filtering' what LDAP server is used for the Kerberos authentication?

 

Note that I'm not using FSSO, RSSO, NTLM or anything else - it's just a vanilla kerberos approach.

 

For transparency, I do know that I can change the LDAP server to use port 3268 for the Global Catalogue instead of 389. This then succeeds at the user authentication part, but introduces other problems in terms of group membership. The Global Catalogue only maintains membership of groups for 'local' domain users, not related domains - which means that the user has be put into a Universal AD group (now introducing a forest wide replication each time the membership changes). It's also no help for domains that aren't in the same forest.

 

I feel a bit like I'm going around in circles - this really ought to be possible shouldn't it?!

 

Thanks in advance for any assistance!

 

 

0 REPLIES 0
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors