
Implementation Guide: FortiProxy Kerberos Authentication

  • Writer: Matt Sherif
  • 14 hours ago
  • 5 min read

Configuring Kerberos authentication on your FortiProxy is a good way to improve identity security within your infrastructure: Kerberos is considered a more secure authentication method than, say, NTLM, because it is ticket-based, authenticates the service to the client as well as the client to the service, and does not expose a password-derived challenge/response that can be relayed.


As a result of working with a customer who wanted to enable Kerberos authentication, I wanted to share the process here.


Assumptions:

  1. You have a FortiProxy running version 7.6.x - this may work with earlier versions, however this is the version I used in this article

  2. You are running Windows Active Directory Domain Services (AD DS) with a minimum version of 2019

  3. You are using either STARTTLS or LDAPS for secure LDAP binds; this guide uses LDAP over TLS (STARTTLS)

  4. You have configured Integrated Windows Authentication in your browsers of choice, either via GPO or otherwise


Much of what is discussed here overlaps with FortiOS (FortiGate); however, the focus of this Implementation Guide is FortiProxy. If you choose to use it as a guide for configuring FortiOS, proceed with caution and at your own risk!


Configuring LDAP Authentication:


  1. Under User & Authentication > LDAP Servers click "Create New" to create a new LDAP server

  2. Fill in the appropriate fields accordingly - feel free to use userPrincipalName instead of sAMAccountName (user@domain vs user)

  3. Test connectivity and User Credentials to ensure you have the correct configuration

  4. Browse to User & Authentication > Domain Controller and click 'Create New'

  5. Fill in the fields according to your organizational settings. Note: unless you know that a port other than 445 is being used for SMB access to SYSVOL, do not change it.

  6. Click OK

  7. In your Active Directory Domain Services, create a user with only "Domain Users" membership; in our case we're creating fpx. This account exists solely to hold the proxy's service principal name and its key, so it needs no additional group membership or privileges.

  8. We now need to create a Kerberos keytab. A keytab is a file that stores the long-term secret keys for one or more Kerberos principals, essentially the passwords the FortiProxy will use, so it must be protected like a password.

    1. To create the keytab we used the following command:


      ktpass -princ HTTP/<FQDN_of_Proxy>@DOMAIN.LOCAL -mapuser fpx@ultraviolet.local -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab

    2. Note the following:

      1. The section after the @ (the Kerberos realm) MUST BE all CAPS, as realm names are case-sensitive. I spent a lot of time wondering why Kerberos was failing only to realize it was this.

      2. You MUST use the FQDN of the proxy, not the IP address. The browser builds the service principal name (HTTP/<hostname>) from the proxy address it was configured with, so the hostname in the keytab has to match that exactly; if the proxy is configured by IP address, the client will not request a Kerberos ticket for it.

      3. The domain suffix is your domain suffix, so if it's acmecorp.com please use ACMECORP.COM. In the command above, DOMAIN.LOCAL is a placeholder for the realm of the -mapuser account's domain (ultraviolet.local in this example, so ULTRAVIOLET.LOCAL).

      4. -crypto all also writes DES and RC4 keys into the keytab. Unless you know you need them, prefer -crypto AES256-SHA1 so only an AES key exists for the service principal, and verify authentication still works before considering anything weaker.

      5. ktpass sets the mapped account's password to the value of -pass and by default rewrites its userPrincipalName to the service principal, which is why a dedicated account (fpx) is used rather than a real user. Use a long, random password.

    3. The keytab file is written to the directory ktpass was run from, typically C:\Users\<USERNAME> when started from a fresh prompt. Copy it to the FortiProxy over a trusted path and delete any local copies once it has been uploaded.

  9. Browse to User & Authentication > Kerberos, and click 'Create New'

  10. Use the following values in each of the Fields:

    1. Name: Use an appropriate name

    2. Principal: HTTP/<FQDN_of_FortiProxy>@DOMAIN.LOCAL

      1. Use the same principal name you used to create the keytab

    3. LDAP server should be the LDAP server we created in steps 1-3

    4. Click "+Upload" and upload the keytab file we created in step 8

  11. Click OK
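Before uploading the keytab it is worth checking it for exactly the mistakes listed above: a lower-case realm, an IP address instead of the proxy FQDN, a principal that does not match what you typed into the FortiProxy Kerberos object, and RC4/DES keys left behind by -crypto all. The checker below is an added Python example written for this guide, not code from the original post or from Fortinet. It parses the MIT keytab format that ktpass emits (version 0x0502); the keytab it checks at the bottom is constructed in memory with dummy key bytes so the script runs offline, and the principal and realm names are this guide's example values. Point parse_keytab at the real fpx.keytab to check yours.

```python
"""Sanity-check a Kerberos keytab before uploading it to FortiProxy (added example)."""
import ipaddress
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1  # the -ptype used with ktpass
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4)"}
WEAK_ENCTYPES = {1, 3, 23}                      # DES and RC4
KEY_LEN = {1: 8, 3: 8, 17: 16, 18: 32, 23: 16}  # key sizes, used only for the dummy keytab


@dataclass
class KeytabEntry:
    principal: str  # e.g. HTTP/fpx.ultraviolet.local@ULTRAVIOLET.LOCAL
    realm: str
    name_type: int
    kvno: int
    enctype: int
    key: bytes


def _cstr(b: bytes) -> bytes:
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cstr(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principal: str, enctypes, kvno: int = 2, timestamp: int = 0) -> bytes:
    """Build a v2 keytab with one DUMMY key per enctype (constructed test data, not real keys)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = b"\x05\x02"
    for et in enctypes:
        fake_key = bytes([0xAB]) * KEY_LEN[et]
        entry = (struct.pack(">H", len(comps)) + _cstr(realm.encode())
                 + b"".join(_cstr(c.encode()) for c in comps)
                 + struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
                 + struct.pack(">H", et) + _cstr(fake_key)
                 + struct.pack(">I", kvno))       # optional 32-bit kvno field
        out += struct.pack(">i", len(entry)) + entry
    return out


def parse_keytab(data: bytes):
    """Parse a version-2 (0x0502) keytab, as written by ktpass, into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2].hex()}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_cstr(data, pos)
        kvno = vno8
        if end - pos >= 4:         # 32-bit kvno, when present, overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        realm_s = realm.decode()
        entries.append(KeytabEntry("/".join(comps) + "@" + realm_s, realm_s,
                                   name_type, kvno, enctype, key))
    return entries


def check_keytab(entries, expected_principal: str):
    """Return a list of findings; an empty list means the keytab looks right."""
    if not entries:
        return ["keytab contains no entries"]
    findings = []
    for e in entries:
        if e.realm != e.realm.upper():
            findings.append(f"realm '{e.realm}' is not upper-case; Kerberos realms are case-sensitive")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"{e.principal}: name type {e.name_type} is not KRB5_NT_PRINCIPAL")
        host = e.principal.split("@", 1)[0].split("/")[-1]
        try:
            ipaddress.ip_address(host)
            findings.append(f"{e.principal}: host part is an IP address, use the proxy FQDN")
        except ValueError:
            pass                   # a hostname, as it should be
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal}: weak enctype {ENCTYPE_NAMES[e.enctype]} present "
                            "(prefer -crypto AES256-SHA1)")
    if expected_principal not in {e.principal for e in entries}:
        findings.append(f"expected principal {expected_principal} not present")
    return findings


if __name__ == "__main__":
    principal = "HTTP/fpx.ultraviolet.local@ULTRAVIOLET.LOCAL"
    keytab = build_keytab(principal, [18, 17, 23])   # roughly what -crypto all produces
    # For the real file: parse_keytab(open("fpx.keytab", "rb").read())
    for finding in check_keytab(parse_keytab(keytab), principal):
        print("WARN:", finding)
```

The expected_principal passed to check_keytab should be the exact string entered in the Principal field of the FortiProxy Kerberos object; the two must agree byte for byte, including the realm case.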


This concludes the Kerberos server setup. We now need to build the Authentication Scheme and Rules that will allow us to use the configured Kerberos authentication.


Creating a User Group:


  1. In User & Authentication > User Groups click on "Create New"

  2. In the "New User Group" dialog, set the appropriate settings:

    1. Name: Use a meaningful name

    2. Type: Firewall

    3. Under Remote Groups click "Add"

      1. Remote Server: Select the LDAP server created above

      2. It will populate the domain objects. Browse to the appropriate OU, select the group you wish to map this firewall group to, right-click it, and click "Add Selected"

      3. Click "OK" in the "Add Group Match" dialog

    4. Click "OK" in the "New User Group" dialog

  3. Group configuration should look something like this:



Configuring the Authentication Scheme:


  1. Browse to Policy & Objects > Authentication Rules, and in the top right click "Authentication Schemes"

  2. Click "Create New"

  3. In the "Add Authentication Scheme" dialog, configure the settings as follows:

    1. Name: Assign a meaningful name

    2. Method: Negotiate - this selects SPNEGO, under which Kerberos is negotiated with the client

    3. Negotiate NTLM: enabled by default; however, you can choose to disable it. This falls authentication back to NTLM in the event Kerberos fails, which also means a client that cannot get a ticket silently ends up on the weaker protocol. I left mine disabled; ensure whichever choice you make complies with organizational security policy

    4. Kerberos Keytab: the Kerberos object we created under User & Authentication > Kerberos (step 10 of "Configuring LDAP Authentication")

  4. Click 'OK' to finish creating the Authentication Scheme


Configuring the Authentication Rule:


  1. Browse to Policy & Objects > Authentication Rules, ensure "Authentication Rules" (not "Authentication Schemes") is selected in the top right, and click "Create New"

  2. In the "Add new Authentication Rule" dialog, configure the settings as follows:

    1. Name: Assign a meaningful name

    2. Protocol: In this case we will use HTTP - Options are:

      1. FTP

      2. HTTP

      3. Socket Secure (SOCKS)

      4. SSH

      5. ZTNA Portal

    3. Source interface: In this case we will select "any"; use the appropriate interface for your implementation

    4. Source Address: the address of the traffic you wish to authenticate

    5. Authentication Scheme: the Scheme we created in the previous section

    6. IP-based authentication: disable. IP-based authentication binds the authenticated user to a source IP, so every connection from that address is treated as that user; that is wrong behind NAT or on shared hosts such as terminal servers, and with Kerberos each session can authenticate itself anyway

    7. Web Authentication cookies: this can help reduce the number of authentications performed, so we'll enable it. Note: in the event it's greyed out for you like it was for me, you can go to the CLI and set web-auth-cookie enable

    8. Add any comments that will help you remember why you created this rule 18 months from now, and click "OK"


Creating a user-based firewall rule:

  1. Browse to Policy & Objects > Policy

  2. Click "Create New"

  3. In the "Create New Policy" dialog, configure the following options:

    1. Type: Explicit Web

    2. Name: Use a meaningful name

    3. Web Proxy Explicit: select the appropriate Explicit Web Proxy object you created, we are using the system generated "web-proxy" for this article

    4. Outgoing Interface: we are using port1 in this example, select the appropriate egress interface

    5. Source: the source address you wish this rule to apply to, as well as the source user group

    6. Destination: the destination address or internet service for this rule

    7. Service: webproxy

    8. Application: select the appropriate application or leave blank

    9. URL category: select the appropriate URL category or leave blank

    10. URL risk: select the appropriate URL risk or leave blank

    11. Action: Accept

    12. Security Profiles: Assign security profiles as appropriate

  4. Click "OK"

  5. The resulting policy should look something like this:


Testing the connection:


From the domain joined test workstation we should be able to open a browser and browse normally. In the FortiProxy we should see a user under Dashboard > Firewall User Monitor

Note a few things:

  • The User name, Workstation IP and user group all show accordingly

  • The Authentication method used is "Negotiate", which indicates SPNEGO was used; since NTLM fallback was disabled in the Authentication Scheme, that means Kerberos, and the klist output below confirms it


If you open a command line window on the test workstation and issue the "klist" command, you should see a ticket for the service principal HTTP/<FQDN_of_FortiProxy>@DOMAIN.LOCAL in the cached ticket list.


The above is a Kerberos ticket issued to my user account for the FortiProxy, indicating that Kerberos authentication is indeed working.
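"Negotiate" in the Firewall User Monitor only tells you that SPNEGO was used; whether the client actually presented Kerberos or NTLM is decided by the mechanism inside the token. The following added Python example, written for this guide and not taken from the original post or from Fortinet, classifies a Proxy-Authorization: Negotiate header value captured from a client (browser developer tools, a proxy debug, or a packet capture) by decoding the SPNEGO NegTokenInit mechanism list. It assumes it is looking at the client-to-proxy NegTokenInit; a server NegTokenResp is reported as "unknown". The tokens it runs against at the bottom are constructed here with dummy inner payloads, not real captures.

```python
"""Tell Kerberos from NTLM inside an HTTP "Negotiate" header (added example)."""
import base64

# DER-encoded object identifier values (the bytes after the 06 tag and length)
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2        SPNEGO
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2 Kerberos V5
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2  MS Kerberos V5
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 NTLMSSP


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _tlv(data: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag = data[pos]
    n = data[pos + 1]
    pos += 2
    if n & 0x80:                         # long-form length
        k = n & 0x7F
        n = int.from_bytes(data[pos:pos + k], "big")
        pos += k
    return tag, data[pos:pos + n], pos + n


def build_negotiate_init(mech_oids, mech_token: bytes) -> bytes:
    """Build a SPNEGO NegTokenInit (RFC 4178) offering mech_oids in that order."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))


def negotiate_header(token: bytes) -> str:
    """Format a raw token as the header value a client would send."""
    return "Negotiate " + base64.b64encode(token).decode()


def spnego_mechs(token: bytes):
    """Return the mechTypes list of a NegTokenInit, or [] if the token is not one."""
    if not token or token[0] != 0x60:    # GSS-API InitialContextToken wrapper
        return []
    _, body, _ = _tlv(token, 0)
    tag, oid, pos = _tlv(body, 0)
    if tag != 0x06 or oid != SPNEGO_OID:
        return []
    tag, inner, _ = _tlv(body, pos)
    if tag != 0xA0:                      # [1] would be a NegTokenResp (server side)
        return []
    _, seq, _ = _tlv(inner, 0)           # NegTokenInit ::= SEQUENCE
    mechs, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        if tag == 0xA0:                  # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = _tlv(val, 0)
            p = 0
            while p < len(lst):
                _, o, p = _tlv(lst, p)
                mechs.append(o)
    return mechs


def classify_negotiate(header_value: str) -> str:
    """Classify a Proxy-Authorization (or Authorization) header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:                   # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw"                # some clients send bare NTLMSSP under "Negotiate"
    mechs = spnego_mechs(token)
    if not mechs:
        return "unknown"
    # The optimistic mechToken belongs to the first mechanism the client listed.
    if mechs[0] in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if mechs[0] == NTLMSSP_OID:
        return "ntlm"
    return "unknown"


if __name__ == "__main__":
    # Constructed tokens with dummy payloads, standing in for captured headers.
    krb = build_negotiate_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"constructed-ap-req")
    ntlm = build_negotiate_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")
    for hdr in (negotiate_header(krb), negotiate_header(ntlm), "Basic dXNlcjpwYXNz"):
        print(classify_negotiate(hdr), "<-", hdr[:40])
```

If the classifier reports "ntlm" or "ntlm-raw" for a domain-joined client, the usual causes are the ones from the keytab section: the proxy addressed by IP rather than FQDN, a realm case mismatch, or no ticket obtainable for HTTP/<FQDN_of_FortiProxy>.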


Conclusion:


Configuring Kerberos authentication on FortiProxy can be a lengthy process; however, it is relatively straightforward. I hope this helps you in the future.


-- Madman Out.
