Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TBC
Contributor

Created on ‎02-23-2022 07:09 AM

fortiweb sso login problem with Satisy

Hello,

we have a Webserver at backend with following configuration:

Ubuntu 20.04

apache 2.4

PHP 7.4

Software GLPI

Kerberos SSO

If we unsing on windows pc the internal url (fqdn) from Webserver the user loged in automaticly.

Parameter Satisfy Any is disbaled in that case!

 

If we using external Fortiweb URL we enter user an password we get this Browser Message:

 

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

 

If we aktivate Satisfy Any in apache ssl config the login with external (over fortiweb) is woking after enter Credentials.

But with this configuration, the login with internal URL require a authentcation.

 

On Fortiweb we have as Site Publish rule this:

TBC_0-1645628461541.png

 

Can someone tell me what is wrong

many thanks for helping

Labels:
4223
0 Kudos
1 Solution
ddsouza_FTNT
Staff
Staff
In response to TBC

Created on ‎03-01-2022 06:56 AM

@TBC No problem :) HTTP Service Principal Name looks okay for me.  Could you please make sure 'Delegated Realm' in the KDC server configuration is defined in Capital letters?

For example...

ddsouza_FTNT_0-1646146249728.png

If it is defined in upper case and the issue still persists, then run a capture for port 88 traffic on Fortiweb. When user sends an HTTP request containing the site publish cookie (cookiesession3) after successful authentication against site publish Fortiweb initiates Kerberos communication with the KDC server. Let's verify the status of this Kerberos communication .

View solution in original post

4159
0 Kudos
9 REPLIES 9
Anonymous
Not applicable

Created on ‎02-25-2022 06:24 PM

Hello @TBC ,

 

Thank you for posting to the Fortinet Community Forums. We appreciate your patience. We will have someone soon helping you with this query.

4159
0 Kudos
TBC
Contributor
In response to Anonymous

Created on ‎02-28-2022 01:02 AM Edited on ‎02-28-2022 01:04 AM

Hello,

i have find out how the configuration from apache needs to look to get it work:

<Location />
AuthType Kerberos
AuthName "SSO-Authentication"
KrbAuthRealms LOCAL.COM
KrbServiceName HTTP/FQDN
Krb5Keytab /etc/krb5_ssot.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
require valid-user
</Location>

 

With that one it works!

wrbgrds

TBC

 

4153
0 Kudos
ddsouza_FTNT
Staff
Staff
In response to TBC

Created on ‎03-01-2022 02:24 AM

@TBC Judging from what I've seen so far in this post thread, Auth delegation is set to "Basic Authentication" in the Fortiweb site publish configuration whereas on the Apache it is set to Kerberos. Could you please switch the Authentication delegation type in the site publish configuration to "Kerberos" and set the "Delegated HTTP Service Principal Name" and see whether the issue still persists? 

4134
0 Kudos
TBC
Contributor
In response to ddsouza_FTNT

Created on ‎03-01-2022 03:34 AM

Hello Denzil,

many thank's for your replay!

I have checke this also with KRB5 and SPENGO and Default Domain Prefix and SSO. In all that case the Backend WebServer ask for the credentials again and again.

With HTTP Basic, every thing is working.

My Delegated HTTP Service Principal Name looks like http/server-fqdn@DOMAIN.COM

 

wrbrgds

TBC

4125
0 Kudos
ddsouza_FTNT
Staff
Staff
In response to TBC

Created on ‎03-01-2022 06:56 AM

@TBC No problem :) HTTP Service Principal Name looks okay for me.  Could you please make sure 'Delegated Realm' in the KDC server configuration is defined in Capital letters?

For example...

ddsouza_FTNT_0-1646146249728.png

If it is defined in upper case and the issue still persists, then run a capture for port 88 traffic on Fortiweb. When user sends an HTTP request containing the site publish cookie (cookiesession3) after successful authentication against site publish Fortiweb initiates Kerberos communication with the KDC server. Let's verify the status of this Kerberos communication .

4160
0 Kudos
TBC
Contributor
In response to ddsouza_FTNT

Created on ‎03-02-2022 05:15 AM Edited on ‎03-02-2022 05:17 AM

OK i have find out that I have to learn many more things with our new fortweb!

I didn't know that I need to configure the KDC Server. On our Old WAF-System that one was much easier :-).

TBC_0-1646227016176.png

 

Could you pls. explain to me if that solution from yours are better than my one or is that just the right way?

Sorry for my quiestions but Fortweb is quit new for me and I learn every day much new think's about that!

 

many thank's

TBC

 

4107
0 Kudos
ddsouza_FTNT
Staff
Staff
In response to TBC

Created on ‎03-02-2022 08:48 AM

@TBC No problem. I am also learning this product every day, and I come across something new every time :)

your Site publish Configuration in the screenshot looks fine, but still, you need to configure the KDC server part. Without it configured, FWB can't initiate Kerberos packets AS-Req to the KDC server.

 

 

 

4098
0 Kudos
TBC
Contributor
In response to ddsouza_FTNT

Created on ‎03-03-2022 04:57 AM

Hello Denzil,

that one i did yesterday and that one was the problem because i didn't had that before.

Now with this configuration it work's!

TBC_0-1646312223830.png

 

Many many thnak's for your help!

TBC

4082
0 Kudos
ddsouza_FTNT
Staff
Staff

Created on ‎03-03-2022 06:24 AM

@TBC No problem. Perfect! Glad to know that the issue has been resolved :) 

4074
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.