TBC
Contributor

FortiWeb SSO login problem with Satisfy

Hello,

We have a web server at the backend with the following configuration:

Ubuntu 20.04

apache 2.4

PHP 7.4

Software GLPI

Kerberos SSO

If we use the internal URL (FQDN) of the web server on a Windows PC, the user is logged in automatically.

The Satisfy Any parameter is disabled in that case!

If we use the external FortiWeb URL and enter user and password, we get this browser message:

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

If we activate Satisfy Any in the Apache SSL config, the login via the external URL (through FortiWeb) works after entering credentials.

But with this configuration, the login with the internal URL requires authentication.

On FortiWeb we have this Site Publish rule:

TBC_0-1645628461541.png

Can someone tell me what is wrong?

Many thanks for helping.

Anonymous
Not applicable

Hello @TBC,

Thank you for posting to the Fortinet Community Forums. We appreciate your patience. We will have someone helping you with this query soon.

TBC

Hello,

I have found out how the Apache configuration needs to look to get it working:

<Location />
    # mod_auth_kerb: accept both SPNEGO/Negotiate tickets and Basic credentials
    AuthType Kerberos
    AuthName "SSO-Authentication"
    # Kerberos realm, written in upper case
    KrbAuthRealms LOCAL.COM
    # Service principal of this web server; FQDN stands for its host name
    KrbServiceName HTTP/FQDN
    # Keytab holding the key for that principal; keep it readable by the Apache user only
    Krb5Keytab /etc/krb5_ssot.keytab
    # Negotiate: browsers on the internal URL present a Kerberos ticket
    KrbMethodNegotiate On
    # K5Passwd: a Basic username/password is validated against the KDC
    # (this is what lets the Basic credentials forwarded by FortiWeb through)
    KrbMethodK5Passwd On
    require valid-user
</Location>

With that one it works!

Warm regards

TBC


ddsouza_FTNT

@TBC Judging from what I've seen so far in this thread, Auth delegation is set to "Basic Authentication" in the FortiWeb site publish configuration, whereas on the Apache side it is set to Kerberos. Could you please switch the Authentication delegation type in the site publish configuration to "Kerberos", set the "Delegated HTTP Service Principal Name", and see whether the issue still persists?

TBC

Hello Denzil,

Many thanks for your reply!

I have checked this also with KRB5 and SPNEGO and Default Domain Prefix and SSO. In all those cases the backend web server asks for the credentials again and again.

With HTTP Basic, everything is working.

My Delegated HTTP Service Principal Name looks like http/server-fqdn@DOMAIN.COM

Warm regards

TBC

ddsouza_FTNT

@TBC No problem :) The HTTP Service Principal Name looks okay to me. Could you please make sure 'Delegated Realm' in the KDC server configuration is defined in capital letters?

For example...

ddsouza_FTNT_0-1646146249728.png

If it is defined in upper case and the issue still persists, then run a capture of port 88 traffic on FortiWeb. When the user sends an HTTP request containing the site publish cookie (cookiesession3) after successful authentication against site publish, FortiWeb initiates Kerberos communication with the KDC server. Let's verify the status of this Kerberos communication.
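A small decoder for what such a port 88 capture contains, added here as an example and not code from FortiWeb, Apache or anyone in this thread. On port 88 a delegating proxy first sends an AS-REQ (client name plus realm, asking for krbtgt/REALM) and then a TGS-REQ for the delegated HTTP service principal. The script decodes the DER of both message types and compares realm and SPN against the site publish settings, so a lowercase realm or a mistyped SPN shows up directly. It assumes single-byte DER tags (true for the Kerberos types), ignores pre-authentication data, and the two requests it parses are constructed by the sample builder at the bottom rather than taken from a real capture (which you would extract with tshark or Wireshark).

```python
"""Decode Kerberos KDC-REQ (AS-REQ / TGS-REQ) and check realm and SPN against a
site publish configuration. Added example; constructed samples, no real capture."""

APPLICATION_TAGS = {0x6A: "AS-REQ", 0x6C: "TGS-REQ"}   # [APPLICATION 10] / [APPLICATION 12]


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode(buf):
    """DER blob -> list of (tag, payload); constructed payloads become nested lists."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        items.append((tag, decode(value) if tag & 0x20 else value))
    return items


def _ctx(seq, n):
    """Payload of context-specific tag [n] inside a decoded SEQUENCE, or None if absent."""
    return next((val for tag, val in seq if tag == (0xA0 | n)), None)


def _principal(seq):
    """PrincipalName ::= SEQUENCE { [0] name-type INTEGER, [1] name-string SEQUENCE OF GeneralString }"""
    name_type = int.from_bytes(_ctx(seq, 0)[0][1], "big")
    return name_type, "/".join(s.decode("ascii") for _, s in _ctx(seq, 1)[0][1])


def parse_kdc_req(buf):
    """Return the KDC-REQ fields worth comparing with the FortiWeb/Apache configuration."""
    app_tag, inner = decode(buf)[0]
    if app_tag not in APPLICATION_TAGS:
        raise ValueError("not a KDC-REQ (APPLICATION 10 or 12), tag 0x%02x" % app_tag)
    kdc_req = inner[0][1]                           # KDC-REQ ::= SEQUENCE { [1] pvno, [2] msg-type, [3] padata, [4] req-body }
    body = _ctx(kdc_req, 4)[0][1]                   # KDC-REQ-BODY
    cname = _ctx(body, 1)                           # [1] cname is OPTIONAL (absent in a TGS-REQ)
    return {
        "msg": APPLICATION_TAGS[app_tag],
        "pvno": int.from_bytes(_ctx(kdc_req, 1)[0][1], "big"),
        "cname": _principal(cname[0][1])[1] if cname else None,
        "realm": _ctx(body, 2)[0][1].decode("ascii"),
        "sname": _principal(_ctx(body, 3)[0][1])[1],
        "etypes": [int.from_bytes(v, "big") for _, v in _ctx(body, 8)[0][1]],
    }


def config_issues(req, delegated_realm, delegated_spn):
    """Compare a parsed request with the delegated realm / SPN; returns a list of findings."""
    issues = []
    if delegated_realm != delegated_realm.upper():
        issues.append("delegated realm %r is not upper case" % delegated_realm)
    if req["realm"] != delegated_realm:
        issues.append("request realm %r != delegated realm %r" % (req["realm"], delegated_realm))
    if req["msg"] == "TGS-REQ":                     # only the TGS-REQ names the HTTP service
        spn = delegated_spn.split("@", 1)[0]
        if req["sname"].lower() != spn.lower():
            issues.append("service ticket requested for %r, expected %r" % (req["sname"], spn))
    return issues


# --- constructed sample messages (hypothetical realm/host, no padata, fixed nonce/time) ---
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _c(n, payload): return _tlv(0xA0 | n, payload)          # context-specific [n]
def _i(v): return _tlv(0x02, bytes([v]))                      # small non-negative INTEGER
def _s(text): return _tlv(0x1B, text.encode("ascii"))         # GeneralString
def _seq(*parts): return _tlv(0x30, b"".join(parts))
def _pn(ntype, *parts): return _seq(_c(0, _i(ntype)), _c(1, _seq(*map(_s, parts))))

def build_kdc_req(msg, realm, sname, cname=None):
    body = [_c(0, _tlv(0x03, b"\x00\x40\x81\x00\x00"))]       # kdc-options BIT STRING
    if cname:
        body.append(_c(1, _pn(1, cname)))                     # NT-PRINCIPAL
    body += [_c(2, _s(realm)),
             _c(3, _pn(2, *sname.split("/"))),                # NT-SRV-INST
             _c(5, _tlv(0x18, b"20220303120000Z")),           # till
             _c(7, _i(42)),                                   # nonce
             _c(8, _seq(_i(18), _i(17)))]                     # etype: aes256-cts, aes128-cts
    app_tag, msg_type = {"AS-REQ": (0x6A, 10), "TGS-REQ": (0x6C, 12)}[msg]
    return _tlv(app_tag, _seq(_c(1, _i(5)), _c(2, _i(msg_type)), _c(4, _seq(*body))))


if __name__ == "__main__":
    tgs = parse_kdc_req(build_kdc_req("TGS-REQ", "LOCAL.COM", "HTTP/server.local.com"))
    print(tgs)
    print(config_issues(tgs, "local.com", "http/server.local.com@LOCAL.COM"))
```

With a real capture, feed the decoder the DER payload of each Kerberos record (for TCP the 4-byte length prefix must be stripped first); an AS-REQ with no AS-REP following it, or a TGS-REQ whose sname is not the HTTP service, points at the KDC server or delegation settings rather than at Apache.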

TBC

OK, I have found out that I have to learn many more things about our new FortiWeb!

I didn't know that I need to configure the KDC server. On our old WAF system that was much easier :-).

TBC_0-1646227016176.png

Could you please explain to me whether your solution is better than mine, or whether it is just the right way?

Sorry for my questions, but FortiWeb is quite new to me and I learn many new things about it every day!

Many thanks

TBC


ddsouza_FTNT

@TBC No problem. I am also learning this product every day, and I come across something new every time :)

Your site publish configuration in the screenshot looks fine, but you still need to configure the KDC server part. Without it configured, FWB can't initiate the Kerberos AS-REQ to the KDC server.

TBC

Hello Denzil,

I did that yesterday, and that was the problem, because I didn't have it before.

Now with this configuration it works!

TBC_0-1646312223830.png

Many, many thanks for your help!

TBC

ddsouza_FTNT
Staff

@TBC No problem. Perfect! Glad to know that the issue has been resolved :)
