Using Kerberos authentication with a web portal for a transparent-proxy deployment
This example shows how to configure Kerberos authentication with a web portal when the FortiProxy unit is acting as a transparent web proxy. You can either use Kerberos IP-based authentication or Kerberos session-based authentication.
Step 1: Configure the Kerberos (Windows) server
- From the key distribution center (KDC) on the Windows 2012 platform, set the domain (realm) name in the Windows server, for example, FPXLAB3.LOCAL.
- Create two user accounts in the Windows domain. In this example, the users are "user1" and "fpx33". user1 is a normal user, and fpx33 is the service account for the FortiProxy unit (fpx33.fpxlab3.local).
- Make sure that the Kerberos server can resolve the FortiProxy fully qualified domain name (FQDN) (testfpx.test.com).
- Add the FortiProxy FQDN to the DNS forward/reverse zones, or add it to the local hosts file (for example, in windows/system32/drivers/etc/hosts, add fpx33.fpxlab3.local and 10.150.0.33).
- Use ktpass to generate the Kerberos keytab file that the FortiProxy unit uses to decrypt Kerberos service tickets. The service principal name (SPN) takes the form HTTP/<FortiProxy FQDN>@<REALM>. For example:
  ktpass -princ HTTP/fpx33.fpxlab3.local@FPXLAB3.LOCAL -mapuser fpx33 -pass qazWSX123 -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx33.keytab
- Use base64 to convert the fpx33.keytab file; the output is pasted into the FortiProxy keytab setting. For example:
  base64 fpx33.keytab > fpx33.txt
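Before the base64 text is pasted into the FortiProxy configuration it is worth confirming that the keytab really contains the HTTP service principal, that the principal is spelled exactly as the proxy will be configured to expect it (Kerberos principals are case-sensitive), and which encryption types -crypto all produced. The following script is an added example, not Fortinet or FortiProxy code: it serializes and parses the MIT keytab format that ktpass writes (version 0x0502, big-endian entries), checks the principal, and returns the single-line base64 string equivalent to the base64 command above. The realm, principal, key bytes, key version number and timestamp are constructed sample values, not output from a real KDC.

```python
"""Parse an MIT-format Kerberos keytab (the layout ktpass writes) and verify the
HTTP service principal before the file is base64-encoded for FortiProxy.
Added example; not Fortinet/FortiProxy code. All sample values are constructed."""
import base64
import struct

# Constructed sample values (not from any real KDC)
SAMPLE_REALM = "FPXLAB3.LOCAL"
SAMPLE_PRINCIPAL = "HTTP/fpx33.fpxlab3.local"
SAMPLE_KVNO = 3
SAMPLE_TIMESTAMP = 1700000000
# enctype 18 = aes256-cts-hmac-sha1-96 (32-byte key), 23 = rc4-hmac (16-byte key)
SAMPLE_KEYS = {18: bytes(range(32)), 23: bytes(range(16))}
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(s):
    """Keytab counted string: 16-bit big-endian length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(principal, realm, kvno, keys, timestamp):
    """Serialize one keytab entry per enctype, the way ktpass -crypto all does."""
    out = b"\x05\x02"                                  # file format version 0x0502
    comps = principal.split("/")
    for enctype, key in sorted(keys.items()):
        body = struct.pack(">H", len(comps)) + _counted(realm)
        body += b"".join(_counted(c) for c in comps)
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, time, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key     # keyblock
        body += struct.pack(">I", kvno)                         # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body              # entry length prefix
    return out


def parse_keytab(data):
    """Return a list of entry dicts (principal, kvno, enctype, key length, timestamp)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative length marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):      # realm first, then each name component
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        realm, comps = strings[0], strings[1:]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype,
                        "key_len": len(key)})
    return entries


def check_keytab(data, expected_principal):
    """Report whether the keytab holds expected_principal exactly, and what it contains."""
    entries = parse_keytab(data)
    exact = [e for e in entries if e["principal"] == expected_principal]
    loose = [e for e in entries if e["principal"].lower() == expected_principal.lower()]
    return {
        "ok": bool(exact),
        "case_mismatch": not exact and bool(loose),   # same name, different case: will not match
        "enctypes": sorted({e["enctype"] for e in exact}),
        "has_rc4": any(e["enctype"] == 23 for e in exact),  # rc4-hmac entries deserve a second look
        "kvno": sorted({e["kvno"] for e in exact}),
        "principals_seen": sorted({e["principal"] for e in entries}),
    }


def keytab_to_fortiproxy_b64(data):
    """Single-line base64 (the same text as `base64 file > file.txt` with its line breaks joined)."""
    return base64.b64encode(data).decode()


if __name__ == "__main__":
    kt = build_keytab(SAMPLE_PRINCIPAL, SAMPLE_REALM, SAMPLE_KVNO, SAMPLE_KEYS, SAMPLE_TIMESTAMP)
    print(check_keytab(kt, "HTTP/fpx33.fpxlab3.local@FPXLAB3.LOCAL"))
    print(keytab_to_fortiproxy_b64(kt)[:40] + "...")
```

To check a real file, replace the constructed build_keytab() call with open("fpx33.keytab", "rb").read() and pass the principal string you intend to configure on the FortiProxy unit; a case_mismatch result means the keytab and the configured principal differ only in letter case and should be made identical.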
Step 2: Configure the Windows client
If you are using Internet Explorer:
- Open Internet Explorer.
- Go to Tools > Internet Options > Security > Local intranet > Sites > Advanced.
- In the Add this website to the zone field, enter the base URL for the appliance and then click Add. In this configuration example, the URL is .fpxlab3.local.
- Click Close and then click OK.
- Go to Tools > Internet Options > Advanced.
- In the Security section, verify that Enable Integrated Windows Authentication is selected and then click OK.
- Restart the browser.
If you are using Mozilla Firefox:
- In the URL field, enter about:config.
- In the Filter field, enter network.n.
- Double-click network.negotiate-auth.trusted-uris. This dialog box lists the sites that are permitted to engage in SPNEGO authentication with the browser.
- Enter a comma-delimited list of trusted domains or URLs. For this example configuration, add .fpxlab3.local to the list.
- Click OK and then restart your browser.
Step 3: Configure the FortiProxy unit
- Create the authentication rule.
  config authentication rule
      edit "http_krb"
          set srcintf "any"
          set srcaddr "all"
          set dstaddr "all"
          set ip-based disable
          set active-auth-method "krb"
          set web-auth-cookie enable
      next
  end
- Define Kerberos as an authentication service. The keytab value is the base64 text produced in Step 1 (the contents of fpx33.txt).
  config user krb-keytab
      edit "fpxlab3"
          set principal "HTTP/FPX33.FPXLAB3.LOCAL@FPXLAB3.LOCAL"
          set ldap-server "fpxlab3"
          set keytab "ENC <base64 keytab from fpx33.txt>"
      next
  end
- Create the authentication scheme.
  config authentication scheme
      edit "krb"
          set method negotiate
          set negotiate-ntlm disable
          set kerberos-keytab "fpxlab3"
      next
  end
- Enable the captive portal on the interface.
  config system interface
      edit "port4"
          set proxy-portal enable
      next
  end
- Create a firewall address.
  config firewall address
      edit "fpx33.fpxlab3.local"
          set type fqdn
          set fqdn "fpx33.fpxlab3.local"
      next
  end
- Configure the DNS database.
  config system dns-database
      edit "fpxlab3.local"
          set domain "fpxlab3.local"
          config dns-entry
              edit 1
                  set hostname "fpx33"
                  set ip 10.150.0.33
              next
          end
      next
  end
- Configure authentication to use the captive portal.
  config authentication setting
      set captive-portal "fpx33.fpxlab3.local"
  end
- Configure the captive portal and the captive portal port in the transparent web proxy to support Kerberos authentication.
  config authentication setting
      set captive-portal "fpx33.fpxlab3.local"
      set captive-portal-port 7830
      set captive-portal-type fqdn
      set auth-https enable
      set captive-portal-ssl-port 7831
  end
- Configure the LDAP server.
  config user ldap
      edit "fpxlab3"
          set server "10.150.0.203"
          set cnid "cn"
          set dn "DC=FPXLAB3,DC=local"
          set type regular
          set username "CN=fpxqa,CN=Users,DC=fpxlab3,DC=local"
          set password ENC wN13Eb1FcOb3RchTj4IiPIN3MZJ0dieAzdKWOeql4tUtuXmRHoM0aKNmA4maJsDECkYDVWcBteM11KXpXN+I7J6tRuNZKoItR9vmX217faNbGcjF35C2AjviQ7RhHluWciCYj0SMlg6p9Q65MpLhd2Wpns5NAB6CLgbdtRA3UOt7L7z6yUf+s4R1ZpThuZgx+fL7Bg==
      next
  end
- Create one or more user groups.
  config user group
      edit "grp_ldap_lab3_devqa"
          set member "fpxlab3"
          config match
              edit 1
                  set server-name "fpxlab3"
                  set group-name "CN=DEVQA,CN=Users,DC=FPXLAB3,DC=local"
              next
          end
      next
  end
- Create the firewall policy.
  config firewall policy
      edit 7
          set srcintf "any"
          set dstintf "any"
          set srcaddr "all"
          set dstaddr "all"
          set action accept
          set schedule "always"
          set service "ALL_TCP"
          set groups "grp_ldap_lab3_devqa"
          set utm-status enable
          set profile-protocol-options "default"
          set ssl-ssh-profile "deep-inspection"
          set av-profile "default"
      next
  end
Step 4: Configure Kerberos authentication
You can configure either Kerberos IP-based authentication or Kerberos session-based authentication:
- Kerberos IP-based authentication
  With IP-based authentication on the portal, the Kerberos service authenticates against the portal but not the actual destinations. After the client has authenticated on the portal, the FortiProxy unit can retrieve the user information based on the client source IP address, so it does not need to challenge the client for each transaction.
- Kerberos session-based authentication with cookies enabled on the web portal
  When IP-based authentication is not feasible (for example, when the client is behind a SNAT gateway from the FortiProxy unit, so the source IP address does not identify a single client), the FortiProxy unit must use session-based authentication instead. Session-based authentication requires every new session to be authenticated using the web portal. When the web-auth-cookie feature is enabled, the cookie header is added to the request header when the client request is redirected to the portal for authentication. If the client has already been authenticated with the portal, the portal can fetch the user information directly from the given cookie.
To configure IP-based Kerberos authentication:
  config authentication rule
      edit "http_krb"
          set srcintf "any"
          set srcaddr "all"
          set dstaddr "all"
          set ip-based enable
          set active-auth-method "krb"
      next
  end
To configure Kerberos session-based authentication:
NOTE: The configuration is the same as for IP-based authentication, except that ip-based is disabled and web-auth-cookie is enabled in the authentication rule.
  config authentication rule
      edit "http_krb"
          set srcintf "any"
          set srcaddr "all"
          set dstaddr "all"
          set ip-based disable
          set active-auth-method "krb"
          set web-auth-cookie enable
      next
  end
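The difference between the two rules above is easiest to see with the SNAT case the text mentions: two clients that reach the proxy through one NAT address. The following script is an added illustration, not FortiProxy code; it models an authentication rule as a small lookup (identity cached per source IP when ip-based is enabled, or per portal cookie when ip-based is disabled and web-auth-cookie is enabled) and runs both rules against the same pair of requests. The cookie name, the table structure, the request fields, the user names and the address 10.150.0.50 are all assumptions constructed for the example.

```python
"""Decision model for the two authentication-rule modes described above:
'set ip-based enable' (identity cached per client source IP) versus
'set ip-based disable' with 'set web-auth-cookie enable' (identity carried by
a portal cookie). Added example, not FortiProxy code: tables, cookie name and
request fields are assumptions used only for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PORTAL_COOKIE = "fpx_portal_session"  # assumed cookie name, not a FortiProxy identifier


@dataclass
class Request:
    src_ip: str                           # address as seen by the proxy (after SNAT)
    cookies: Dict[str, str] = field(default_factory=dict)
    negotiate_user: Optional[str] = None  # user proven by the Kerberos ticket presented to the portal


@dataclass
class AuthRule:
    ip_based: bool
    web_auth_cookie: bool
    ip_table: Dict[str, str] = field(default_factory=dict)      # src_ip -> user
    cookie_table: Dict[str, str] = field(default_factory=dict)  # cookie value -> user
    issued: int = 0

    def handle(self, req: Request) -> Tuple[Optional[str], str]:
        """Return (user, outcome) for one client request."""
        if self.ip_based and req.src_ip in self.ip_table:
            return self.ip_table[req.src_ip], "allow-by-ip"
        if not self.ip_based and self.web_auth_cookie:
            user = self.cookie_table.get(req.cookies.get(PORTAL_COOKIE, ""))
            if user:
                return user, "allow-by-cookie"
        # Nothing cached: redirect to the portal, which performs the Kerberos (SPNEGO) challenge.
        if req.negotiate_user is None:
            return None, "challenge-failed"
        user = req.negotiate_user
        if self.ip_based:
            self.ip_table[req.src_ip] = user            # every later request from this IP is this user
        elif self.web_auth_cookie:
            self.issued += 1
            token = f"portal-{self.issued}"
            self.cookie_table[token] = user
            req.cookies[PORTAL_COOKIE] = token          # Set-Cookie on the redirect back to the client
        return user, "challenge-ok"


def snat_scenario(ip_based: bool) -> Tuple[Optional[str], str]:
    """Two users behind one SNAT address (constructed 10.150.0.50). Alice authenticates
    first; the return value is the identity attributed to Bob's first request."""
    rule = AuthRule(ip_based=ip_based, web_auth_cookie=not ip_based)
    alice = Request("10.150.0.50", negotiate_user="alice")
    rule.handle(alice)
    bob = Request("10.150.0.50", negotiate_user="bob")
    return rule.handle(bob)


def cookie_reuse_scenario() -> Tuple[Optional[str], str]:
    """Session mode: a later request carrying the portal cookie is served without a new challenge."""
    rule = AuthRule(ip_based=False, web_auth_cookie=True)
    first = Request("10.150.0.50", negotiate_user="alice")
    rule.handle(first)
    again = Request("10.150.0.50", cookies=dict(first.cookies))  # no ticket this time, only the cookie
    return rule.handle(again)


if __name__ == "__main__":
    print("ip-based, Bob behind SNAT ->", snat_scenario(True))       # attributed to alice
    print("session-based, Bob behind SNAT ->", snat_scenario(False))  # challenged, attributed to bob
    print("session-based, Alice revisits ->", cookie_reuse_scenario())
```

With ip-based enabled, Bob's traffic is attributed to Alice because the proxy only sees the shared source address; with the session-based rule, Bob is challenged separately and Alice's returning request is recognised by her cookie alone. Whether to use ip-based therefore depends on whether a source IP address reliably identifies one client on the path between the clients and the FortiProxy unit.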