Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 5.4.1 CLI Reference
    5.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config user authentication-relay

    config user authentication-relay

    Use this command to configure the authentication relay, which includes Kerberos and HTTP basic SSO configurations.

    Syntax

    config user authentication-relay

    edit <authentication-relay name>

    set authorization HTTPError401 | always

    set delegation-type Kerberos | http-basic

    set kdc-ip <string> FQDN/ip of kdc

    set kdc-port <integer> the port number of kdc server

    set realm <string> realm (upper case)

    set domain-prefix-support enable/disable

    set domain-prefix <string> domain to prefix

    set delegator-account <string> KCD delegator principal

    set delegator-password <passwd> KCD delegator password

    set delegated-spn <string> KCD delegated service principal

    next

    end

    The following table describes parameters used for configuring authentication relay using Kerberos SSO.

    delegation-type

    Select Kerberos or HTTP Basic.

    Note: You MUST select Kerberos when configuring authentication relay for Kerberos SSO.
    authorization

    Can select HTTPError401 or always.

    After a client account authenticates successfully, FortiADC first sends the request to the server and waits for the server's response before performing authentication on its part.

    If HTTPErr401 is set, FortiADC will do the authentication only when it has received the 401 response. Furthermore, if the client requests for more information from the web after FortiADC has gotten the authentication service ticket, FortiADC will send the request without the ticket. FortiADC will send another request with the service ticket only when the server returns the 401 unauthorized response.

    When always is set, FortiADC always does the authentication no matter what response it receives from the server. If the client requests for more information from the web after FortiADC has gotten the Kerberos service ticket, FortiADC will always send the request with the service ticket.

    kdc-ip

    The KDC server IP address.
    kdc-port

    The port on which the KDC server listens for Kerberos authentication.
    realm

    The realm which supports Kerberos authentication.

    Note: You must use uppercase letters and ‘.’ in the string.
    delegated-spn

    The identification which shows the service running on the server.

    The SPN uses this format: HTTP/sharepoint.ft3.local@FT3.LOCAL

    Where

    • HTTP— Refers to the service running on the server.
    • The string between / and @ —Refers to the host, which supports regexp.
    • The string after @ — Refers to the realm that supports the service. It MUST be in upper-case letters.
    delegator-account

    The FortiADC proxy Kerberos authentication account.
    delegator-password

    The delegator account password.
    domain-prefix-support

    Domain prefix support:

    This is a switch to enable or disable the default domain prefix function.

    Sometimes the domain controller requires the user to log in with the user name format "domain\username" such as ‘KFOR\user1

    When this option is enabled, the user can also successfully log in by only entering ‘user1’ because FortiADC is able to automatically add the prefix ‘KFOR\’and then send ‘KFOR\user1’to the server.

    Domain prefix:

    The value will be added as the domain prefix when the switch above is enabled and when the user inputs the username without the domain.

    The value of this domain prefix MUST be a valid NetBIOS domain name.

    Example 1: Configure Kerberos authentication relay:

    config user authentication-relay

    edit "auth-relay-1"

    set kdc-ip 2.2.1.202

    set realm KFOR.COM

    set delegator-account test

    set delegator-password ENC

    set delegated-spn http/server11202.kfor.com@kfor.com

    next

    end

    Example 2: Configure HTTP-basic authentication relay:

    config user authentication-relay

    edit "auth-relay-2"

    set delegation-type http-basic

    set authorization always

    set domain-prefix-support enable

    set domain-prefix SSS

    next

    end

    Previous
    Next

    config user authentication-relay

    config user authentication-relay

    Use this command to configure the authentication relay, which includes Kerberos and HTTP basic SSO configurations.

    Syntax

    config user authentication-relay

    edit <authentication-relay name>

    set authorization HTTPError401 | always

    set delegation-type Kerberos | http-basic

    set kdc-ip <string> FQDN/ip of kdc

    set kdc-port <integer> the port number of kdc server

    set realm <string> realm (upper case)

    set domain-prefix-support enable/disable

    set domain-prefix <string> domain to prefix

    set delegator-account <string> KCD delegator principal

    set delegator-password <passwd> KCD delegator password

    set delegated-spn <string> KCD delegated service principal

    next

    end

    The following table describes parameters used for configuring authentication relay using Kerberos SSO.

    delegation-type

    Select Kerberos or HTTP Basic.

    Note: You MUST select Kerberos when configuring authentication relay for Kerberos SSO.
    authorization

    Can select HTTPError401 or always.

    After a client account authenticates successfully, FortiADC first sends the request to the server and waits for the server's response before performing authentication on its part.

    If HTTPErr401 is set, FortiADC will do the authentication only when it has received the 401 response. Furthermore, if the client requests for more information from the web after FortiADC has gotten the authentication service ticket, FortiADC will send the request without the ticket. FortiADC will send another request with the service ticket only when the server returns the 401 unauthorized response.

    When always is set, FortiADC always does the authentication no matter what response it receives from the server. If the client requests for more information from the web after FortiADC has gotten the Kerberos service ticket, FortiADC will always send the request with the service ticket.

    kdc-ip

    The KDC server IP address.
    kdc-port

    The port on which the KDC server listens for Kerberos authentication.
    realm

    The realm which supports Kerberos authentication.

    Note: You must use uppercase letters and ‘.’ in the string.
    delegated-spn

    The identification which shows the service running on the server.

    The SPN uses this format: HTTP/sharepoint.ft3.local@FT3.LOCAL

    Where

    • HTTP— Refers to the service running on the server.
    • The string between / and @ —Refers to the host, which supports regexp.
    • The string after @ — Refers to the realm that supports the service. It MUST be in upper-case letters.
    delegator-account

    The FortiADC proxy Kerberos authentication account.
    delegator-password

    The delegator account password.
    domain-prefix-support

    Domain prefix support:

    This is a switch to enable or disable the default domain prefix function.

    Sometimes the domain controller requires the user to log in with the user name format "domain\username" such as ‘KFOR\user1

    When this option is enabled, the user can also successfully log in by only entering ‘user1’ because FortiADC is able to automatically add the prefix ‘KFOR\’and then send ‘KFOR\user1’to the server.

    Domain prefix:

    The value will be added as the domain prefix when the switch above is enabled and when the user inputs the username without the domain.

    The value of this domain prefix MUST be a valid NetBIOS domain name.

    Example 1: Configure Kerberos authentication relay:

    config user authentication-relay

    edit "auth-relay-1"

    set kdc-ip 2.2.1.202

    set realm KFOR.COM

    set delegator-account test

    set delegator-password ENC

    set delegated-spn http/server11202.kfor.com@kfor.com

    next

    end

    Example 2: Configure HTTP-basic authentication relay:

    config user authentication-relay

    edit "auth-relay-2"

    set delegation-type http-basic

    set authorization always

    set domain-prefix-support enable

    set domain-prefix SSS

    next

    end

    Previous
    Next