bmduncan33
New Contributor II

ZTNA SMB TCP Forwarding using KDC Proxy

A FortiOS 7.4.1 document outlines how to use a KDC proxy server to help get ZTNA access to SMB file shares. Has anyone successfully built this and got it to work? If so, I'd like to compare notes to see what I might be missing with this setup.

lgupta
Staff

Hello bmduncan33 ,

Thank you for reaching out.


I did go through: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/553746/ztna-access-proxy-wit...

This looks like just another regular TCP Forwarding on the FortiGate ZTNA side.
It should work if the KDC service is configured correctly on the client and server.

Also, you are more than welcome to open a support ticket if things don't work as expected.

 

Thank you!

Best regards,

-lgupta



If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.
nsgill
New Contributor

Hi,

Is it working for you now? 

bmduncan33
New Contributor II

No sir. The KDC proxy, while it may seem trivial, isn't for me. I was able to build the proxy server on my network, but was never able to get a successful connection from my remote laptop. The command you have to run to test it is 'klist get krbtgt'. If I perform that from an on-prem host it works like a champ. Now what is interesting is that I would have expected that command to work on a remote laptop connected via SSL VPN - but it doesn't. Which begs the question - how am I able to connect to mapped drives using SMB and hostnames when Kerberos tickets are not present on the laptop? This has taken me hours of investigating and I am pretty much resigned to focusing on getting SMB access to mapped drives using IP addresses. That mechanism apparently only relies on NTLM and not Kerberos.

 

Also, please note that the KDC proxy acting on its own outside of Remote Desktop Services, and one other MS service, is not a solution explicitly supported by Microsoft. So it's not like I can open a ticket with them on this functionality.

76maverick
New Contributor II

Just a note on this old thread: if you're having issues getting the KDC proxy to show up, it will only do so when you're off-net with no direct line of sight to the DC. If it doesn't show up, you'll want to check:
1) the URL is correct,
2) the common name of the certificate matches the FQDN of the proxy,
3) if you have a CRL, it must be published to the internet, or disable revocation checking - I wouldn't recommend this,
4) use a cert from a third party rather than your CA.
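The checklist above, plus the 'klist get krbtgt' test from earlier in the thread, can be run from the remote laptop as one script. The following is an added example written for this thread; it is not from the Fortinet document or from any poster, and it is not Microsoft's tooling. It assumes a proxy named kdcproxy.example.com on port 443 and a DNS suffix of example.com; the registry location it reads for the client-side KDC proxy mapping is the one the Kerberos group policy "Specify KDC proxy servers for Kerberos clients" writes to in my experience, and should be treated as an assumption to verify against your own build. Run it while off-net (no route to a DC), since that is the only situation in which the proxy is consulted at all.

```powershell
# Added example (not from the thread or the Fortinet docs): off-net checks for a
# KDC proxy (MS-KKDCP) endpoint. Names below are assumed; replace them with yours.
param(
    [string]$ProxyFqdn = 'kdcproxy.example.com',   # assumed proxy FQDN (must match the cert)
    [string]$DnsSuffix = 'example.com',            # assumed suffix the client maps to the proxy
    [int]$Port = 443
)
$ErrorActionPreference = 'Stop'
$results = [ordered]@{}

# 1) Client-side policy: is a KDC proxy configured for this suffix at all?
#    Registry path is an assumption (the location the Kerberos GPO writes to on my builds).
$polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kerberos\Parameters'
$enabled = (Get-ItemProperty -Path $polKey -Name 'KdcProxyServer_Enabled' -ErrorAction SilentlyContinue).KdcProxyServer_Enabled
$mapping = (Get-ItemProperty -Path "$polKey\KdcProxyServer" -Name $DnsSuffix -ErrorAction SilentlyContinue).$DnsSuffix
$results['client policy'] = if ($enabled -eq 1 -and $mapping) { "OK: $DnsSuffix -> $mapping" }
                            else { 'MISSING: KdcProxyServer_Enabled=1 and a suffix mapping are required' }

# 2) TLS handshake. The callback records chain/revocation status and the leaf cert so the
#    checks below can report on them instead of the handshake simply failing.
$script:chainErrors = $null; $script:cert = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:chainErrors = $errors
    $script:cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    $true   # accept so we can inspect; the verdict is printed from $results
}
$tcp = [System.Net.Sockets.TcpClient]::new($ProxyFqdn, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($ProxyFqdn)
$ssl.Dispose(); $tcp.Dispose()

# Cert name check: the FQDN the client is told to use must be in the CN or the SAN list.
$cn   = $script:cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$sans = @()
$sanExt = $script:cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($sanExt) { $sans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() } }
$nameOk = ($cn -eq $ProxyFqdn) -or ($sans -contains $ProxyFqdn)
$results['cert name']  = if ($nameOk) { "OK: $ProxyFqdn covered by CN/SAN" } else { "MISMATCH: CN=$cn SAN=$($sans -join ',')" }
$results['cert chain'] = if ("$script:chainErrors" -eq 'None') { 'OK: chain and revocation clean' } else { "FAILED: $script:chainErrors" }

# 3) CRL distribution points must be reachable from the internet. A private-CA CRL that
#    only resolves on-prem is exactly what an off-net laptop cannot fetch.
$crlExt  = $script:cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # cRLDistributionPoints
$crlUrls = if ($crlExt) { [regex]::Matches($crlExt.Format($false), 'https?://[^\s,)]+') | ForEach-Object { $_.Value } } else { @() }
foreach ($u in $crlUrls) {
    try   { $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10; $results["crl $u"] = "OK: HTTP $($r.StatusCode)" }
    catch { $results["crl $u"] = "UNREACHABLE: $($_.Exception.Message)" }
}
if (-not $crlUrls) { $results['crl'] = 'none advertised by the cert' }

# 4) End to end: request a TGT. Off-net with no DC reachable, success means the proxy was used.
$klist = & klist.exe get krbtgt 2>&1
$results['klist get krbtgt'] = if ($LASTEXITCODE -eq 0) { 'OK: TGT obtained' } else { "FAILED: $($klist -join ' ')" }

$results.GetEnumerator() | Format-Table -AutoSize
```

Read the rows top to bottom: a missing client policy means Kerberos will never try the proxy; a name mismatch or chain failure means the HTTPS leg is rejected before any Kerberos traffic is sent; an unreachable CRL is the silent case from item 3 above, where the handshake fails only off-net. Only once the first three rows are clean does a failing 'klist get krbtgt' point at the proxy service or the DC behind it.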
