Creating an Active Directory (AD) user for FortiWeb - Keytab File
If your site publish rule uses Kerberos Constrained Delegation for authentication delegation, it requires the following values:
- The SPN of an AD user that FortiWeb uses to obtain Kerberos tickets on behalf of clients.
- The keytab file that corresponds to the AD user.
- Create an AD user.
- Generate a Service Principal Name (SPN) for the AD user. Enter the following command using the SetSPN utility and a Windows command prompt:
- In the properties for the AD user, on the Delegation tab, select Trust this user for delegation to specified services only, and then select Use any authentication protocol.
- Click Add, and then click Users or Computers to open the Select Users or Computers dialog box.
- For Enter the object names to select, enter the name of the computer where the web service resides.
- Click OK, and then, in the Add Services dialog box, under in the list of available services, select the HTTP item.
- Click OK.
- Click OK to close the AD user properties.
- Use the Ktpass utility to extract a keytab file for the AD user.
- To upload the keytab file, go to Application Delivery > Site Publish > Keytab File.
- Click Create New and enter a name to use for the file in the web UI.
- Click Choose File and then browse to the file to select it, and then click OK to complete the upload.
For example, create the user HTTP-delegator
.
setspn -A host/<service_name>.<domain> <login_domain>\<ad_user_name>
where:
<service_name>
is the name of the service to register
<domain>
is the appropriate domain
<login_domain>
is the domain used with the logon name
<ad_user_name>
is the AD user name
For example: setspn -A host/forti-delegator.dc1.com DC1\HTTP-delegator
You cannot access the delegation settings for a user until it has an SPN.
You can use the hostname command to retrieve the computer name.
Ensure that you generate the keytab file using the SPN you generated for the AD user in Generate a Service Principal Name (SPN) for the AD user. Enter the following command using the SetSPN utility and a Windows command prompt: .
For complete information about Ktpass, go to the following location:
HTTP://technet.microsoft.com/en-us/library/cc779157(v=ws.10).aspx
Ktpass output the extracted keytab file to the directory of the current user.
For example:
C:\Users\Administrator\test.keytab