A FortiOS 7.4.1 document outlines how to use a KDC proxy server to help get ZTNA access to SMB file shares. Has anyone successfully built this and got it to work? If so, I'd like to compare notes to see what I might be missing with this setup.
Hello bmduncan33,
Thank you for reaching out.
I did go through: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/553746/ztna-access-proxy-wit...
This looks like just another regular TCP Forwarding on the FortiGate ZTNA side.
It should work if the KDC service is configured correctly on the client and server.
Also, you are more than welcome to open a support ticket if things don't work as expected.
Thank you!
Hi,
Is it working for you now?
No sir. The KDC proxy, while it may seem trivial, isn't for me. I was able to build the proxy server on my network, but was never able to get a successful connection from my remote laptop. The command you have to run to test it is 'klist get krbtgt'. If I perform that from an on-prem host it works like a champ. Now what is interesting is that I would have expected that command to work on a remote laptop connected via SSL VPN - but it doesn't. Which begs the question - how am I able to connect to mapped drives using SMB and hostnames when Kerberos tickets are not present on the laptop? This has taken me hours of investigating and I am pretty much resigned to focusing on getting SMB access to mapped drives using IP addresses. That mechanism apparently only relies on NTLM and not Kerberos.
Also, please note that the KDC proxy acting on its own outside of Remote Desktop Services, and one other MS service, is not a solution explicitly supported by Microsoft. So it's not like I can open a ticket with them on this functionality.
Just a note on this old thread: if you're having issues getting the KDC proxy to show up, it will only do so when you're off-net and have no direct line of sight to the DC. If it doesn't show up, you'll want to check:
1) the URL is correct,
2) the common name of the certificate matches the FQDN of the proxy,
3) if you have a CRL, it must be published to the internet, or disable revocation checking - I wouldn't recommend this,
4) use a cert from a third party rather than your CA.
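The two posts above both come down to the same question: is the client actually reaching the KDC proxy over HTTPS, or is it failing on TLS before a single Kerberos message is exchanged? The following is an added example, not code from the thread, from Fortinet or from Microsoft. It builds and parses the MS-KKDCP wrapper (KDC-PROXY-MESSAGE, the DER structure a KDC proxy expects in an HTTPS POST with Content-Type application/kerberos) and includes a probe that POSTs one message to a proxy URL with normal certificate and hostname verification, so a CN/SAN mismatch from the checklist surfaces as an SSL error rather than a silent fallback. The URL, the realm EXAMPLE.COM and the short AS-REQ stub bytes are constructed placeholders; the probe needs a real Kerberos request body to get a meaningful reply.

```python
"""Build, parse and probe MS-KKDCP (KDC proxy) messages.

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message   [0] OCTET STRING,        -- Kerberos msg incl. 4-byte TCP length prefix
    target-domain  [1] KerberosString OPTIONAL,
    dclocator-hint [2] INTEGER OPTIONAL
}
Added example; constants below are assumptions, not values from the thread.
"""
import ssl
import struct
import urllib.request
from typing import Optional

# Constructed placeholder: starts with the AS-REQ application tag (0x6A) but is
# NOT a valid AS-REQ. Good enough to exercise the wrapper round trip.
SAMPLE_AS_REQ_STUB = bytes.fromhex("6a03300100")
SAMPLE_REALM = "EXAMPLE.COM"                      # assumption
SAMPLE_PROXY_URL = "https://kdcproxy.example.com/KdcProxy"  # assumption
DS_KDC_REQUIRED = 0x400                           # DsGetDcName flag, used as dclocator-hint

# Kerberos top-level messages are [APPLICATION n] tags: 0x60 | n.
KRB_MSG_TYPES = {0x6A: "AS-REQ", 0x6B: "AS-REP", 0x6C: "TGS-REQ",
                 0x6D: "TGS-REP", 0x7E: "KRB-ERROR"}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    # Minimal two's-complement encoding as DER requires (0 -> 0x00, 1024 -> 04 00).
    return v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True)


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_kdc_proxy_message(krb_message: bytes, target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    """Wrap a raw Kerberos message the way a KDC proxy client must send it."""
    framed = struct.pack(">I", len(krb_message)) + krb_message   # TCP-style length prefix
    body = _tlv(0xA0, _tlv(0x04, framed))                          # [0] EXPLICIT OCTET STRING
    if target_domain is not None:
        body += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))  # [1] GeneralString
    if dclocator_hint is not None:
        body += _tlv(0xA2, _tlv(0x02, _der_int(dclocator_hint)))       # [2] INTEGER
    return _tlv(0x30, body)                                        # SEQUENCE


def decode_kdc_proxy_message(data: bytes) -> dict:
    """Unwrap a KDC-PROXY-MESSAGE (request or proxy reply) and validate the framing."""
    tag, seq, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        ctag, cval, pos = _read_tlv(seq, pos)
        itag, inner, _ = _read_tlv(cval, 0)
        if ctag == 0xA0 and itag == 0x04:
            (n,) = struct.unpack(">I", inner[:4])
            if n != len(inner) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            out["kerb_message"] = inner[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            out["target_domain"] = inner.decode("ascii")
        elif ctag == 0xA2 and itag == 0x02:
            out["dclocator_hint"] = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError(f"unexpected element tags 0x{ctag:02x}/0x{itag:02x}")
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


def krb_message_kind(msg: bytes) -> str:
    """Classify a Kerberos message by its APPLICATION tag (first byte)."""
    return KRB_MSG_TYPES.get(msg[0], f"unknown(0x{msg[0]:02x})") if msg else "empty"


def probe_kdc_proxy(url: str, krb_message: bytes, realm: str, timeout: float = 10.0) -> dict:
    """POST one wrapped message to the proxy and classify the reply.

    create_default_context() verifies the chain and the hostname, so a cert whose
    CN/SAN does not match the proxy FQDN fails here with SSLCertVerificationError.
    CRL reachability is not exercised by this probe.
    """
    req = urllib.request.Request(
        url, data=encode_kdc_proxy_message(krb_message, realm), method="POST",
        headers={"Content-Type": "application/kerberos", "Cache-Control": "no-cache"})
    with urllib.request.urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
        reply = decode_kdc_proxy_message(resp.read())
    reply["kind"] = krb_message_kind(reply["kerb_message"])
    return reply
```

If the probe comes back with a decoded reply whose kind is KRB-ERROR, the proxy, the certificate and the path through the access proxy are all working and the problem is in the Kerberos request itself; an SSL error points at items 2 and 4 of the checklist, and a timeout or HTTP error points at item 1 or at the forwarding rule. The klist get krbtgt test from the earlier post remains the end-to-end check once the client has been told about the proxy.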
Copyright 2024 Fortinet, Inc. All Rights Reserved.