New Contributor

Explicit proxy with LDAP and Kerberos authentication. Creating the keytab file.

Hi, good morning.


We have a FortiGate 301E running V 6.2.3.


I have set up explicit proxy and LDAP user groups, and the last thing I have to configure is the Kerberos authentication scheme. I have tried to generate the keytab file string as part of the config krb-keytab command, but I get the error:


The keytab is not valid for the principal:???.  ( principal redacted ) object check operator error, -651, discard the setting Command fail. Return code -651


I am assuming I have to get the keytab file and then encode it. Do I do this on the LDAP server?


So create the keytab file on the LDAP server

Base64 encode it

Download it into the FortiGate

Create the keytab file using the previously downloaded keytab file.


Is that correct, or can someone explain how I can generate this keytab file on the FortiGate FW?


Thanks for all your valued help.


Kind regards





New Contributor

Hello. Look at this guide - Section "1.4 Generate the Kerberos keytab". You can use your domain controller to do this operation. Then you need to do base64 encoding (using any Unix machine or some online services) and delete all line feeds from it (using a text editor). Then use the text from the keytab file as an argument in the keytab command on the FortiGate.
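The encode-and-strip step from the reply above, as an added example that is not part of the original posts or Fortinet's own tooling: it removes line feeds from base64 text, decodes it, and checks that the keytab really contains the principal you are about to configure. It assumes the standard MIT keytab layout (file version 0x0502); the principal, realm and `sample_keytab` helper are constructed for illustration.

```python
import base64
import struct

def keytab_principals(data: bytes) -> list[str]:
    """List principals in an MIT-format keytab (file version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # deleted entry ("hole"): skip its bytes
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        (count,) = struct.unpack_from(">H", data, pos)
        cur, parts = pos + 2, []
        for _ in range(count + 1):        # realm first, then name components
            (n,) = struct.unpack_from(">H", data, cur)
            parts.append(data[cur + 2:cur + 2 + n].decode("utf-8"))
            cur += 2 + n
        found.append("/".join(parts[1:]) + "@" + parts[0])
        pos += size
    return found

def keytab_to_single_line(b64_text: str, principal: str) -> str:
    """Strip line feeds from base64 text and confirm it holds `principal`."""
    one_line = "".join(b64_text.split())
    data = base64.b64decode(one_line, validate=True)
    if principal not in keytab_principals(data):
        raise ValueError(f"keytab has no entry for {principal}")
    return one_line

def sample_keytab(realm: str, components: list[str]) -> bytes:
    """Build a constructed one-entry keytab with a dummy 16-byte key."""
    def counted(s: str) -> bytes:
        return struct.pack(">H", len(s)) + s.encode()
    entry = struct.pack(">H", len(components)) + counted(realm)
    entry += b"".join(counted(c) for c in components)
    # name_type, timestamp, key version, key type, key length, then the key
    entry += struct.pack(">IIBHH", 1, 0, 1, 23, 16) + bytes(16)
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

if __name__ == "__main__":
    raw = sample_keytab("EXAMPLE.COM", ["HTTP", "proxy.example.com"])
    wrapped = base64.encodebytes(raw).decode()   # line-wrapped, like plain `base64`
    print(keytab_to_single_line(wrapped, "HTTP/proxy.example.com@EXAMPLE.COM"))
```

A keytab holds the service account's long-term keys, so running this locally keeps the file off third-party services.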

