This article describes a working WAD debug flow for Kerberos authentication as an authentication method.
Solution
In this scenario, the FortiProxy has enforced to challenge the client browser with Kerberos as an authentication method.
Kerberos Authentication Flow:
The following command can be used to capture and save the WAD debug outputs:
# diag wad filter src <IP address>
# diag wad debug enable category auth
# diag wad debug enable category policy
# diag wad debug enable level verbose
# diag debug application fnbamd -1
# diag debug enableExample of debugging outputs.
Step 1: Client browser sends an HTTP/1.1 connect method request toward the destination URL.
Step 2: The connection request was interrupted by FortiProxy to challenge an HTTP/1.1 407 proxy authentication required with negotiate (Kerberos) authentication as a preferred method.
Step 3: Client browser responds to connect method request with a Kerberos service ticket (TGT) provided.
Step 4: Fortiproxy to decipher the client Kerberos service ticket (TGT) with configured keytab to extract the user name used for LDAP query.
Step 5: FortiProxy to perform a proper lookup against the LDAP server for user and group membership matching.
Step 6: Authentication result showed success, the Fortiproxy allowed destination website access with an HTTP/1.1 200 OK.
