Administration Guide

Creating an Active Directory (AD) user for FortiWeb - Keytab File

If your site publish rule uses Kerberos Constrained Delegation for authentication delegation, it requires the following values:

  • The SPN of an AD user that FortiWeb uses to obtain Kerberos tickets on behalf of clients.
  • The keytab file that corresponds to the AD user.
  1. Create an AD user. For example, create the user HTTP-delegator.
  2. Generate a Service Principal Name (SPN) for the AD user. Enter the following command using the SetSPN utility and a Windows command prompt:

     setspn -A host/<service_name>.<domain> <login_domain>\<ad_user_name>

     where:

     <service_name> is the name of the service to register

     <domain> is the appropriate domain

     <login_domain> is the domain used with the logon name

     <ad_user_name> is the AD user name

     For example: setspn -A host/forti-delegator.dc1.com DC1\HTTP-delegator

     You cannot access the delegation settings for a user until it has an SPN.

  3. In the properties for the AD user, on the Delegation tab, select Trust this user for delegation to specified services only, and then select Use any authentication protocol.
  4. Click Add, and then click Users or Computers to open the Select Users or Computers dialog box.
  5. For Enter the object names to select, enter the name of the computer where the web service resides. You can use the hostname command to retrieve the computer name.
  6. Click OK, and then, in the Add Services dialog box, in the list of available services, select the HTTP item.
  7. Click OK.
  8. Click OK to close the AD user properties.
  9. Use the Ktpass utility to extract a keytab file for the AD user. Ensure that you generate the keytab file using the SPN you generated for the AD user in step 2 (Generate a Service Principal Name (SPN) for the AD user).

     For complete information about Ktpass, go to the following location:

     HTTP://technet.microsoft.com/en-us/library/cc779157(v=ws.10).aspx

     Ktpass outputs the extracted keytab file to the directory of the current user. For example:

     C:\Users\Administrator\test.keytab

  10. To upload the keytab file, go to Application Delivery > Site Publish > Keytab File.
  11. Click Create New and enter a name to use for the file in the web UI.
  12. Click Choose File and then browse to the file to select it, and then click OK to complete the upload.
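The following PowerShell script is an added example, not code from the FortiWeb guide or from Fortinet. It performs the Active Directory side of the procedure above (create the user, register the SPN, configure constrained delegation with protocol transition, extract the keytab) and then verifies that the account ended up with constrained rather than unconstrained delegation, scoped to the HTTP service only. It uses the guide's example names (HTTP-delegator, host/forti-delegator.dc1.com, DC1); the web server name WEBSRV01 is a hypothetical placeholder for the value the hostname command returns. It assumes the ActiveDirectory RSAT module and ktpass.exe are available and that it runs as a domain administrator on a domain-joined host.

```powershell
# Added example (not from the FortiWeb guide): scripted equivalent of the procedure,
# followed by checks a defender would want before uploading the keytab to FortiWeb.
# Assumptions: ActiveDirectory module + ktpass.exe present, run as a domain admin.
# WEBSRV01 is a hypothetical web-server host name (output of `hostname` on that box).
Import-Module ActiveDirectory

$Domain     = 'dc1.com'
$NetbiosDom = 'DC1'
$User       = 'HTTP-delegator'
$Spn        = "host/forti-delegator.$Domain"      # SPN from the guide's example
$WebHost    = 'WEBSRV01'                           # hypothetical web-server host name
$KeytabPath = Join-Path $env:USERPROFILE "$User.keytab"

# Step 1: create the delegation account with a long random password. The keytab
# carries the key derived from this password, so nobody needs to type it later.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$PlainPassword  = [Convert]::ToBase64String($bytes)
$SecurePassword = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

New-ADUser -Name $User -SamAccountName $User `
    -UserPrincipalName "$User@$Domain" `
    -AccountPassword $SecurePassword -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES256

# Step 2: register the SPN (equivalent of: setspn -A host/forti-delegator.dc1.com DC1\HTTP-delegator).
Set-ADUser -Identity $User -ServicePrincipalNames @{Add = $Spn}

# An SPN must map to exactly one object; a duplicate makes the KDC unable to issue
# tickets for it, which surfaces only as an opaque login failure on FortiWeb.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
if ($holders.Count -ne 1) {
    throw "SPN $Spn is held by $($holders.Count) objects; it must be unique."
}

# Steps 3-8: what the Delegation tab writes when you choose "Trust this user for
# delegation to specified services only" + "Use any authentication protocol",
# with only the HTTP service on the web server added.
Set-ADUser -Identity $User -Add @{
    'msDS-AllowedToDelegateTo' = @("HTTP/$WebHost", "HTTP/$WebHost.$Domain")
}
Set-ADAccountControl -Identity $User -TrustedToAuthForDelegation $true

# Step 9: extract the keytab with the same SPN. /pass (re)sets the account password
# to the given value, so pass the one chosen above; /mapuser also rewrites the UPN.
ktpass /princ "$Spn@$($Domain.ToUpper())" /mapuser "$NetbiosDom\$User" `
       /pass $PlainPassword /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $KeytabPath

# The keytab is equivalent to the account's long-term key: restrict the file to
# Administrators and the current user before copying it to FortiWeb.
icacls $KeytabPath /inheritance:r /grant:r "Administrators:F" "$($env:USERNAME):F"

# Verification: constrained (never unconstrained) delegation, HTTP targets only.
$u = Get-ADUser -Identity $User -Properties TrustedForDelegation, TrustedToAuthForDelegation,
        'msDS-AllowedToDelegateTo', ServicePrincipalName
if ($u.TrustedForDelegation) {
    throw "$User has unconstrained delegation (TrustedForDelegation); remove it."
}
$offScope = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ -notlike 'HTTP/*' })
if ($offScope.Count -gt 0) {
    throw "Delegation targets outside HTTP: $($offScope -join ', ')"
}

[PSCustomObject]@{
    User               = $u.SamAccountName
    SPNs               = $u.ServicePrincipalName -join ', '
    ProtocolTransition = $u.TrustedToAuthForDelegation
    DelegateTo         = $u.'msDS-AllowedToDelegateTo' -join ', '
    Keytab             = $KeytabPath
}
```

The final object is what to compare against the GUI settings before uploading the keytab under Application Delivery > Site Publish > Keytab File: ProtocolTransition must be True (the "Use any authentication protocol" option), DelegateTo must list only HTTP/ entries for the web server, and TrustedForDelegation must be False. If the account password is ever rotated, the keytab must be regenerated and re-uploaded, because the file holds the key derived from the old password.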
