Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 8.0.2 Administration Guide
    8.0.2
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Support for UPN Format in Kerberos Constrained Delegation (8.0.0)

    Support for UPN Format in Kerberos Constrained Delegation (8.0.0)

    FortiWeb now supports using User Principal Name (UPN) format—such as user@example.com—as the Kerberos client identity in Kerberos Constrained Delegation (KCD). This enhancement introduces optional support for Enterprise Principal Name (EPN) encoding (KRB5_NT_ENTERPRISE), in addition to the existing support for traditional Kerberos Principal Name (KPN) format (KRB5_NT_PRINCIPAL).

    When UPN Support is enabled, FortiWeb interprets the client identity using EPN syntax. This allows delegation to succeed in environments where user credentials are available only in UPN form, and where the Kerberos realm is not explicitly included in client requests. A fallback realm or domain suffix can be provided using the new Domain Realm option.

    This enhancement applies only when Kerberos Constrained Delegation is selected as the authentication delegation method in a Site Publishing Rule. Support for UPN format is not available for regular Kerberos delegation or other delegation types. If UPN Support is not enabled, FortiWeb continues to construct the Kerberos client identity using the standard Kerberos Principal Name (KPN) format by default.

    For Kerberos Constrained Delegation to be available in the Site Publishing configuration, the Client Authentication Method must be Client Certificate Authentication, NTLM Authentication or SAML Authentication. Other authentication methods, such as HTML Form Authentication or HTTP Basic Authentication, do not support KCD and will not expose the UPN-related options.

    GUI Update in Site Publish Rule Configuration (Application Delivery > Site Publish > Site Publish):

    CLI Update to config waf site-publish-helper rule:
    config waf site-publish-helper rule
  edit <name>
    set client-auth-method {client-cert-auth | ntlm-auth}
    set auth-delegation kerberos-constrained-delegation
    set default-domain-realm <string>
    set upn-support {enable | disable}
  next
end
    Previous
    Next

    Support for UPN Format in Kerberos Constrained Delegation (8.0.0)

    Support for UPN Format in Kerberos Constrained Delegation (8.0.0)

    FortiWeb now supports using User Principal Name (UPN) format—such as user@example.com—as the Kerberos client identity in Kerberos Constrained Delegation (KCD). This enhancement introduces optional support for Enterprise Principal Name (EPN) encoding (KRB5_NT_ENTERPRISE), in addition to the existing support for traditional Kerberos Principal Name (KPN) format (KRB5_NT_PRINCIPAL).

    When UPN Support is enabled, FortiWeb interprets the client identity using EPN syntax. This allows delegation to succeed in environments where user credentials are available only in UPN form, and where the Kerberos realm is not explicitly included in client requests. A fallback realm or domain suffix can be provided using the new Domain Realm option.

    This enhancement applies only when Kerberos Constrained Delegation is selected as the authentication delegation method in a Site Publishing Rule. Support for UPN format is not available for regular Kerberos delegation or other delegation types. If UPN Support is not enabled, FortiWeb continues to construct the Kerberos client identity using the standard Kerberos Principal Name (KPN) format by default.

    For Kerberos Constrained Delegation to be available in the Site Publishing configuration, the Client Authentication Method must be Client Certificate Authentication, NTLM Authentication or SAML Authentication. Other authentication methods, such as HTML Form Authentication or HTTP Basic Authentication, do not support KCD and will not expose the UPN-related options.

    GUI Update in Site Publish Rule Configuration (Application Delivery > Site Publish > Site Publish):

    CLI Update to config waf site-publish-helper rule:
    config waf site-publish-helper rule
  edit <name>
    set client-auth-method {client-cert-auth | ntlm-auth}
    set auth-delegation kerberos-constrained-delegation
    set default-domain-realm <string>
    set upn-support {enable | disable}
  next
end
    Previous
    Next