Using Kerberos authentication with a web portal for a transparent-proxy deployment

This example shows how to configure Kerberos authentication with a web portal when the FortiProxy unit is acting as a transparent web proxy. You can either use Kerberos IP-based authentication or Kerberos session-based authentication.

Step 1: Configure the Kerberos (Windows) server

  1. From the key distribution center (KDC) on the Windows 2012 platform, set the domain (realm) name in the Windows server, for example, FPXLAB3.LOCAL.

  2. Create two user accounts in the Windows domain. In this example, the users are “user1” and “fpx33”. user1 is a normal user, and fpx33 is the service account for the FortiProxy unit (fpx33.fpxlab3.local).

  3. Make sure that the Kerberos server can resolve the FortiProxy fully qualified domain name (FQDN) (testfpx.test.com).

  4. Add the FortiProxy FQDN into the DNS forward/reverse zones or add it to the local hosts file (for example, in windows/system32/drivers/etc/hosts, add fpx33.fpxlab3.local and 10.150.0.33).

  5. Use ktpass to generate the Kerberos keytab file that the FortiProxy unit uses to decrypt service tickets. The principal is written in service/host@REALM form and must be the same principal that is later configured on the FortiProxy unit. For example:

    ktpass -princ HTTP/fpx33.fpxlab3.local@FPXLAB3.LOCAL -mapuser fpx33 -pass qazWSX123 -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx33.keytab

  6. Use base64 to convert the fpx33.keytab file; the output is used for the FortiProxy keytab. For example:

    base64 fpx33.keytab > fpx33.txt
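Before pasting the base64 text into the FortiProxy keytab setting, it is worth checking that the file really contains the service principal and encryption types you expect. The following script is an added example, not part of the Fortinet page: it parses an MIT-format keytab (the format ktpass writes), lists each entry, and compares the principals with the value used for set principal. The keytab it reads is constructed inline with dummy key bytes so the script runs offline; replace SAMPLE_KEYTAB_B64 with the contents of fpx33.txt to check a real file.

```python
import base64
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _entry(principal, realm, enctype, key, kvno=3):
    # Builds one MIT keytab entry (file format 0x0502) for the constructed sample below.
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno)               # name type KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key   # key block: enctype, key length, key bytes
    return struct.pack(">i", len(body)) + body

# Constructed stand-in for fpx33.txt: two entries for the same SPN, AES256 and RC4, dummy keys.
SAMPLE_KEYTAB_B64 = base64.b64encode(
    b"\x05\x02"
    + _entry("HTTP/fpx33.fpxlab3.local", "FPXLAB3.LOCAL", 18, b"\x11" * 32)
    + _entry("HTTP/fpx33.fpxlab3.local", "FPXLAB3.LOCAL", 23, b"\x22" * 16)
).decode()

def parse_keytab_b64(b64text):
    """Return [(principal@REALM, kvno, enctype name), ...] for every live entry in the keytab."""
    data = base64.b64decode(b64text)
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                     # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8   # optional 32-bit kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(enctype, str(enctype))))
        pos = end
    return entries

def keytab_matches(b64text, expected_principal):
    """True when every entry carries the principal given to 'set principal'. Compared case-insensitively:
    ktpass writes the host in lower case, the FortiProxy example in upper case, and the Windows KDC
    does not distinguish SPN case."""
    entries = parse_keytab_b64(b64text)
    return bool(entries) and all(p.upper() == expected_principal.upper() for p, _, _ in entries)
```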

Step 2: Configure the Windows client

If you are using Internet Explorer:
  1. Open Internet Explorer.

  2. Go to Tools > Internet Options > Security > Local intranet > Sites > Advanced.

  3. In the Add this website to the zone field, enter the base URL for the appliance and then click Add.

    In this configuration example, the URL is .fpxlab3.local.

  4. Click Close and then click OK.

  5. Go to Tools > Internet Options > Advanced.

  6. In the Security section, verify that Enable Integrated Windows Authentication is selected and then click OK.

  7. Restart the browser.

If you are using Mozilla Firefox:
  1. In the URL field, enter about:config.

  2. In the Filter field, enter network.n.

  3. Double-click network.negotiate-auth.trusted-uris.

    This dialog box lists the sites that are permitted to engage in SPNEGO authentication with the browser.

  4. Enter a comma-delimited list of trusted domains or URLs. For this example configuration, add .fpxlab3.local to the list.

  5. Click OK and then restart your browser.

Step 3: Configure the FortiProxy unit

  1. Create the authentication rule.

    config authentication rule
        edit "http_krb"
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set ip-based disable
            set active-auth-method "krb"
            set web-auth-cookie enable
        next
    end

  2. Define Kerberos as an authentication service.

    config user krb-keytab
        edit "fpxlab3"
            set principal "HTTP/FPX33.FPXLAB3.LOCAL@FPXLAB3.LOCAL"
            set ldap-server "fpxlab3"
            set keytab "ENC <base64 output from fpx33.txt, omitted here>"
        next
    end

  3. Create the authentication scheme.

    config authentication scheme
        edit "krb"
            set method negotiate
            set negotiate-ntlm disable
            set kerberos-keytab "fpxlab3"
        next
    end

  4. Enable the captive portal on the interface.

    config system interface
        edit "port4"
            set proxy-captive-portal enable
        next
    end

  5. Create a firewall address.

    config firewall address
        edit "fpx33.fpxlab3.local"
            set type fqdn
            set fqdn "fpx33.fpxlab3.local"
        next
    end

  6. Configure the DNS database.

    config system dns-database
        edit "fpxlab3.local"
            set domain "fpxlab3.local"
            config dns-entry
                edit 1
                    set hostname "fpx33"
                    set ip 10.150.0.33
                next
            end
        next
    end

  7. Configure authentication to use the captive portal.

    config authentication setting
        set captive-portal "fpx33.fpxlab3.local"
    end

  8. Configure the captive portal and the captive portal port in the transparent web proxy to support Kerberos authentication.

    config authentication setting
        set captive-portal "fpx33.fpxlab3.local"
        set captive-portal-port 7830
        set captive-portal-type fqdn
        set auth-https enable
        set captive-portal-ssl-port 7831
    end

  9. Configure the LDAP server.

    config user ldap
        edit "fpxlab3"
            set server "10.150.0.203"
            set cnid "cn"
            set dn "DC=FPXLAB3,DC=local"
            set type regular
            set username "CN=fpxqa,CN=Users,DC=fpxlab3,DC=local"
            set password ENC wN13Eb1FcOb3RchTj4IiPIN3MZJ0dieAzdKWOeql4tUtuXmRHoM0aKNmA4maJsDECkYDVWcBteM11KXpXN+I7J6tRuNZKoItR9vmX217faNbGcjF35C2AjviQ7RhHluWciCYj0SMlg6p9Q65MpLhd2Wpns5NAB6CLgbdtRA3UOt7L7z6yUf+s4R1ZpThuZgx+fL7Bg==
        next
    end

  10. Create one or more user groups.

    config user group
        edit "grp_ldap_lab3_devqa"
            set member "fpxlab3"
            config match
                edit 1
                    set server-name "fpxlab3"
                    set group-name "CN=DEVQA,CN=Users,DC=FPXLAB3,DC=local"
                next
            end
        next
    end

  11. Create the firewall policy.

    config firewall policy
        edit 7
            set srcintf "any"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL_TCP"
            set groups "grp_ldap_lab3_devqa"
            set utm-status enable
            set profile-protocol-options "default"
            set ssl-ssh-profile "deep-inspection"
            set av-profile "default"
        next
    end

Step 4: Configure Kerberos authentication

You can configure either Kerberos IP-based authentication or Kerberos session-based authentication:

  • Kerberos IP-based authentication

    With IP-based authentication on the portal, the Kerberos service authenticates the client against the portal, not against the actual destinations. After the client is authenticated on the portal, the FortiProxy unit can retrieve the user information based on the client source IP address, so it does not need to challenge the client for each transaction.

  • Kerberos session-based authentication with cookies enabled on the web portal

    When IP-based authentication is not feasible (for example, when the client sits behind a source-NAT gateway, so the FortiProxy unit sees the same source IP address for several clients), the FortiProxy unit must use session-based authentication instead. Session-based authentication requires every new session to be authenticated using the web portal. When the web-auth-cookie feature is enabled, the cookie header is added to the request header when the client request is redirected to the portal for authentication. If the client has already been authenticated with the portal, the portal can fetch the user information directly from the given cookie.
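The difference between the two lookup modes is easiest to see with two clients that share one source-NAT address. The following model is an added example, not FortiProxy code: it keeps the user cache keyed by source IP when ip-based is enabled and by web-auth cookie when it is disabled, and shows that in the IP-based mode the second client inherits the first client's identity (and therefore the first client's policy match) without ever authenticating. The addresses, user names and cookie value are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    src_ip: str              # source address as the FortiProxy unit sees it (after any SNAT)
    cookie: Optional[str]    # web-auth cookie, present only after a round trip to the portal

@dataclass
class ProxyAuthCache:
    """Minimal model of the two lookup modes selected by 'set ip-based' in the authentication rule."""
    ip_based: bool
    by_ip: dict = field(default_factory=dict)       # src_ip -> user  (ip-based enable)
    by_cookie: dict = field(default_factory=dict)   # cookie -> user  (ip-based disable, web-auth-cookie)

    def portal_login(self, req, user):
        # Called once the Kerberos negotiation with the captive portal has succeeded.
        if self.ip_based:
            self.by_ip[req.src_ip] = user
        else:
            self.by_cookie[req.cookie] = user

    def identify(self, req):
        # Returns the user for a new session, or None when the client must be redirected to the portal.
        if self.ip_based:
            return self.by_ip.get(req.src_ip)
        return self.by_cookie.get(req.cookie) if req.cookie else None

def simulate(ip_based):
    """Two clients behind one SNAT address 10.150.0.50; only user1 has logged in at the portal."""
    cache = ProxyAuthCache(ip_based=ip_based)
    user1 = Request("10.150.0.50", "c1")   # "c1": constructed cookie issued by the portal to user1
    user2 = Request("10.150.0.50", None)   # user2 has never visited the portal
    cache.portal_login(user1, "user1")
    return {"user1": cache.identify(user1), "user2": cache.identify(user2)}
```

With ip_based=True the model attributes user2's session to user1; with ip_based=False user2 gets None and is sent to the portal, which is the behaviour the note below relies on.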

To configure IP-based Kerberos authentication:

config authentication rule
    edit "http_krb"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set ip-based enable
        set active-auth-method "krb"
    next
end

To configure Kerberos session-based authentication:

NOTE: The configuration is the same as for IP-based authentication, except that ip-based is disabled in the authentication rule.

config authentication rule
    edit "http_krb"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set ip-based disable
        set active-auth-method "krb"
        set web-auth-cookie enable
    next
end
