Hello,
we have a Webserver at backend with following configuration:
Ubuntu 20.04
apache 2.4
PHP 7.4
Software GLPI
Kerberos SSO
If we unsing on windows pc the internal url (fqdn) from Webserver the user loged in automaticly.
Parameter Satisfy Any is disbaled in that case!
If we using external Fortiweb URL we enter user an password we get this Browser Message:
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
If we aktivate Satisfy Any in apache ssl config the login with external (over fortiweb) is woking after enter Credentials.
But with this configuration, the login with internal URL require a authentcation.
On Fortiweb we have as Site Publish rule this:
Can someone tell me what is wrong
many thanks for helping
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@TBC No problem :) HTTP Service Principal Name looks okay for me. Could you please make sure 'Delegated Realm' in the KDC server configuration is defined in Capital letters?
For example...
If it is defined in upper case and the issue still persists, then run a capture for port 88 traffic on Fortiweb. When user sends an HTTP request containing the site publish cookie (cookiesession3) after successful authentication against site publish Fortiweb initiates Kerberos communication with the KDC server. Let's verify the status of this Kerberos communication .
Created on 02-25-2022 06:24 PM
Hello @TBC ,
Thank you for posting to the Fortinet Community Forums. We appreciate your patience. We will have someone soon helping you with this query.
Created on 02-28-2022 01:02 AM Edited on 02-28-2022 01:04 AM
Hello,
i have find out how the configuration from apache needs to look to get it work:
<Location />
AuthType Kerberos
AuthName "SSO-Authentication"
KrbAuthRealms LOCAL.COM
KrbServiceName HTTP/FQDN
Krb5Keytab /etc/krb5_ssot.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
require valid-user
</Location>
With that one it works!
wrbgrds
TBC
@TBC Judging from what I've seen so far in this post thread, Auth delegation is set to "Basic Authentication" in the Fortiweb site publish configuration whereas on the Apache it is set to Kerberos. Could you please switch the Authentication delegation type in the site publish configuration to "Kerberos" and set the "Delegated HTTP Service Principal Name" and see whether the issue still persists?
Hello Denzil,
many thank's for your replay!
I have checke this also with KRB5 and SPENGO and Default Domain Prefix and SSO. In all that case the Backend WebServer ask for the credentials again and again.
With HTTP Basic, every thing is working.
My Delegated HTTP Service Principal Name looks like http/server-fqdn@DOMAIN.COM
wrbrgds
TBC
@TBC No problem :) HTTP Service Principal Name looks okay for me. Could you please make sure 'Delegated Realm' in the KDC server configuration is defined in Capital letters?
For example...
If it is defined in upper case and the issue still persists, then run a capture for port 88 traffic on Fortiweb. When user sends an HTTP request containing the site publish cookie (cookiesession3) after successful authentication against site publish Fortiweb initiates Kerberos communication with the KDC server. Let's verify the status of this Kerberos communication .
Created on 03-02-2022 05:15 AM Edited on 03-02-2022 05:17 AM
OK i have find out that I have to learn many more things with our new fortweb!
I didn't know that I need to configure the KDC Server. On our Old WAF-System that one was much easier :-).
Could you pls. explain to me if that solution from yours are better than my one or is that just the right way?
Sorry for my quiestions but Fortweb is quit new for me and I learn every day much new think's about that!
many thank's
TBC
@TBC No problem. I am also learning this product every day, and I come across something new every time :)
your Site publish Configuration in the screenshot looks fine, but still, you need to configure the KDC server part. Without it configured, FWB can't initiate Kerberos packets AS-Req to the KDC server.
Hello Denzil,
that one i did yesterday and that one was the problem because i didn't had that before.
Now with this configuration it work's!
Many many thnak's for your help!
TBC
@TBC No problem. Perfect! Glad to know that the issue has been resolved :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.