How to configure Kerberos Authentication for Windows with FortiProxy

This article describes how to configure Kerberos Authentication with FortiProxy.

Scope

Microsoft Windows Server 2016 and FortiProxy v7.4.2.

Solution

Step 1: Create DNS A Record on Windows Server

  • Go to DNS Manager: select the Forward Lookup Zones.
  • New Host (A or AAAA)…
  • Name: Name of New Host. Example: fortiproxy.
  • FQDN: fortiproxy.<realm>. Example: fortiproxy.fortinettest.loc
  • IP address: IP address of the FortiProxy.

Step 2: Create two user accounts in the Windows domain:

  • User1: a normal user for testing (or use an existing user).
  • fortiproxy: the service account (no special attributes or permissions; the same as a normal user).

The fortiproxy account stands for the FortiProxy, which provides the HTTP proxy service.

Step 3: Make sure that the Kerberos server can resolve the FortiProxy fully qualified domain name (FQDN) (fortiproxy.fortinettest.loc):

On the Windows Server machine, open cmd and type: nslookup fortiproxy.fortinettest.loc

Step 4: Add the FortiProxy FQDN into the DNS forward/reverse zones or add it to the local host file:

  • Go to Windows Server.
  • Open windows/system32/drivers/etc/hosts.
  • Add the following line: <IP address of FortiProxy> <FQDN of FortiProxy from Step 1>

Step 5: Use ktpass to generate the Kerberos keytab file for Kerberos ticket decryption:

ktpass -princ HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC -mapuser fortiproxy@fortinettest.loc -pass P@ssw0rd -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab

Breakdown:

  • -princ HTTP/<FQDN of FortiProxy from Step 1>@<realm in capital letters>. Example: HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC
  • -mapuser <service user created in Step 2>@<domain>. Example: fortiproxy@fortinettest.loc
  • -pass <password of the service user in plain text>
  • -out <output file name>.keytab

Note: The output keytab file is located in “C:\Users\Administrator\” (the directory where ktpass was run).

Step 6: Use base64 to convert the fpx.keytab file; the output is used for the FortiProxy keytab.

  • On the Windows server, open cmd.
  • Run: certutil -encode fpx.keytab <filename>.b64 (for example, fpx.b64).
  • The output .b64 file is located in “C:\Users\Administrator\” (the directory where certutil was run).
  • To convert it to one line, open PowerShell as administrator on the Windows server and run:
    powershell -Command "(Get-Content fpx.b64) -join '' | Set-Content fpx.txt"

Step 7: Define the LDAP server:

GUI: Go to User & Authentication -> LDAP Servers and select ‘Create New’.

CLI:

config user ldap
edit "ldap" <----- Used for authorization.
set server "192.168.15.204" <----- LDAP server IP address; usually the same as the KDC server IP address.
set cnid "sAMAccountName"
set dn "dc=fortinettest,dc=loc"
set type regular
set username "fortiproxy" <----- Service user created in Step 2.
set password "P@ssw0rd" <----- Password of the service user created in Step 2.
next
end

Test with the sample user user1 for verification.

Note: On the CLI, edit the LDAP configuration and add the following line:

set group-search-base "dc=fortinettest,dc=loc" <----- Add this line in the CLI, as it is not available in the GUI. If it is not set, the keytab in the next step will not push through.

Step 8: Define the Kerberos server

GUI: Go to User & Authentication > Kerberos and select ‘Create New’.

Note: Save the Kerberos configuration without the keytab first.

Go to CLI:

config user krb-keytab
edit "http_service"
set principal "HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC" <----- Must be the same as the principal name used to generate the Kerberos keytab file.
set ldap-server "ldap" <----- The LDAP server defined for authorization in Step 7.
set keytab "<single-line base64 string>" <----- Paste the output from Step 6.
next
end

The system automatically encrypts the keytab string once it is saved; this is expected, so leave it as it is.
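As an added check for Steps 5, 6 and 8 (example code, not from this article or from Fortinet), the Python script below parses a keytab file, confirms that every entry carries exactly the principal you will enter in set principal, and produces the single-line base64 value for set keytab straight from the file bytes, so there are no -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines to strip as there are with certutil -encode. The sample keytab is constructed inside the script with dummy keys; the keytab layout follows the MIT keytab version 2 format that ktpass writes.

```python
import base64, struct

EXPECTED_PRINCIPAL = "HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC"  # from the article's ktpass -princ

def build_keytab_entry(principal, kvno, enctype, key):
    # Serialise one MIT keytab (v2) entry; used here only to construct the sample file below.
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit kvno
    return struct.pack(">i", len(body)) + body

def _counted(data, pos):  # 16-bit length-prefixed string (realm or principal component)
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    # Return [(principal, kvno, enctype), ...] for every live entry in a version 2 keytab.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos < len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:  # negative size = deleted slot to skip over, zero = trailing padding
            pos = pos - size if size else len(data)
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        _nametype, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # optional 32-bit kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def keytab_for_fortiproxy(data, principal=EXPECTED_PRINCIPAL):
    # Single-line 'set keytab' value (no certutil BEGIN/END lines) if every entry names the 'set principal' value.
    entries = parse_keytab(data)
    return base64.b64encode(data).decode() if entries and all(p == principal for p, _, _ in entries) else None

# Constructed stand-in for fpx.keytab (dummy keys): AES256 (18), AES128 (17) and RC4-HMAC (23), kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(build_keytab_entry(EXPECTED_PRINCIPAL, 3, et, bytes([et]) * ln)
                                       for et, ln in ((18, 32), (17, 16), (23, 16)))
```

To check a real file, call keytab_for_fortiproxy(open("fpx.keytab", "rb").read()); a result of None means the keytab's principal does not match what FortiProxy will be configured with (for example a keytab generated with HTTP:// instead of HTTP/).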

Step 9: Create the user group:

GUI: Go to User & Authentication > User Groups and select ‘Create New’.

On CLI:

config user group
edit "testgrp"
set group-type firewall
set authtimeout 0
set auth-concurrent-override disable
set http-digest-realm ''
set logic-type or
set member "ldap"
config match
edit 1
set server-name "ldap"
set group-name "CN=Domain Users,CN=Users,DC=FORTINETTEST,DC=LOC"
next
end
next
end

Step 10: Define the domain controller

GUI: Go to User & Authentication > Domain Controller and select ‘Create New’.

Step 11: Create the authentication scheme for Kerberos with NTLM fallback.

GUI: Go to Policy & Objects and select Create New > Authentication Scheme.

Step 12: Create the authentication rule

GUI: Go to Policy & Objects and select ‘Create New’ > Authentication Rule.

Step 13: Create the firewall policy with authentication for testgrp.

Note: For Security Profiles, select the profiles that apply.

To test that the user can authenticate with Kerberos:

  1. Use the default Kerberos Windows environment to set up a Windows client that supports Kerberos authentication.
  2. After logging on to Windows as “user1”, use the klist command to view the Kerberos service tickets. The presence of Kerberos service tickets indicates that Kerberos is set up and working correctly.
  3. Set up the explicit web proxy in the browser on the operating system by using FQDN=fortiproxy.fortinettest.loc port=8080.
  4. Use a web browser to visit a website through the web proxy. The klist command now shows the obtained Kerberos service ticket for HTTP/fortiproxy.fortinettest.loc@FORTINETTEST.LOC.

Note: For Kerberos authentication, specify the FQDN instead of the IP address.

On the FortiProxy, go to FortiView > Users or enter diag wad user list; ‘negotiate’ or ‘NTLM’ is shown as the authentication method.