Explicit Proxy with Kerberos auth not working

Author
ninoshev
2019/05/13 06:34:19 (permalink) 6.0
0

Hello good people!
 
For a few days I've been trying to configure the Proxy on a FortiGate 500E with FortiOS 6.0.3, with no luck so far.
I have a straightforward configuration:
 
config authentication scheme
edit "Kerberos"
set method negotiate
set negotiate-ntlm disable
 
config authentication rule
edit "Kerberos"
set srcaddr "all"
set ip-based disable
set active-auth-method "Kerberos"
set web-auth-cookie enable
next
 
The user krb-keytab entry is configured with principal, ldap-server and keytab.
 
For the proxy rule I have as source the entire 192.168.0.0/16 network, the corresponding AD group from the LDAP server, and all services.
 
Once I test the connection, all browsers immediately pop up a prompt asking for user and pass, and if I run diagnose debug application fnbamd -1 I don't see any LDAP query attempts, nor do I see any failed authentications in the logs. When I check with Wireshark I see only NTLMSSP_NEGOTIATE packets flowing. I'm wondering what may be wrong here and how to troubleshoot it on the FortiGate, such as debug commands or a log view to see why this is failing.
 
Any suggestions will be much appreciated. 
#1
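An added example, not part of the original post and not Fortinet tooling: a small Python classifier for the token a browser sends in `Proxy-Authorization: Negotiate ...`, telling a raw NTLMSSP message (as in the capture described above) apart from a SPNEGO token that offers Kerberos. The function names and both sample tokens are constructed for illustration.

```python
import base64

# DER-encoded OID bodies (tag and length stripped) of the mechanisms involved.
SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
NTLM = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "Kerberos", NTLM: "NTLM",        # last entry: 1.2.840.48018.1.2.2
         bytes.fromhex("2a864882f712010202"): "Kerberos (MS OID)"}
NTLM_TYPES = {1: "NTLMSSP_NEGOTIATE", 2: "NTLMSSP_CHALLENGE", 3: "NTLMSSP_AUTH"}

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify(header_value):
    """Return (wrapper, [mechanisms]); assumes a complete, well-formed token."""
    _scheme, _, b64 = header_value.strip().partition(" ")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):           # raw NTLM, no SPNEGO wrapper
        mtype = int.from_bytes(tok[8:12], "little")
        return "raw NTLM", [NTLM_TYPES.get(mtype, "unknown")]
    tag, body, _ = tlv(tok)
    if tag != 0x60:                              # not a GSS-API initial token
        return "unknown", []
    _, oid, pos = tlv(body)
    if oid != SPNEGO:                            # bare mechanism token, e.g. Kerberos AP-REQ
        return "GSS-API", [MECHS.get(oid, oid.hex())]
    _, init, _ = tlv(body, pos)                  # [0] NegTokenInit
    _, seq, _ = tlv(init)                        # SEQUENCE
    _, mech_types, _ = tlv(seq)                  # [0] mechTypes
    _, oids, _ = tlv(mech_types)                 # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(oids):
        _, o, p = tlv(oids, p)
        mechs.append(MECHS.get(o, o.hex()))
    return "SPNEGO", mechs

def der(tag, val):                               # builds the constructed samples below
    return bytes([tag, len(val)]) + val
# Constructed samples: an NTLM type 1 message and a SPNEGO init offering Kerberos then NTLM.
SAMPLE_NTLM = "Negotiate TlRMTVNTUAABAAAA"
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(der(0x60, der(6, SPNEGO) + der(
    0xA0, der(0x30, der(0xA0, der(0x30, der(6, KRB5) + der(6, NTLM))))))).decode()
```

Paste the header value copied from a capture into `classify()`; a result of `raw NTLM` means the client never offered a Kerberos ticket in that request.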

4 Replies

    judit
    Re: Explicit Proxy with Kerberos auth not working 2019/05/16 02:22:25 (permalink)
    0
    Did you set the 'active-auth-scheme' in config auth setting?
     
    config authentication setting
    set active-auth-scheme "Kerberos"
    end
    #2
    ninoshev
    Re: Explicit Proxy with Kerberos auth not working 2019/05/16 02:24:17 (permalink)
    0
    Yes, it is set. Additionally, I have tested the keytab file and it is working.
    #3
    ninoshev
    Re: Explicit Proxy with Kerberos auth not working 2019/05/16 03:40:32 (permalink)
    0
    I figured out why it is not working but still can't figure out how to fix it.
     
    I have executed fnsysctl ls -la /tmp/kt and I don't see the keytab file imported. The configuration was done directly with the admin account, so I'm excluding a permissions issue. I also tried to import a keytab file from an already working Explicit Proxy FortiGate, and again the keytab file is missing/not imported. From the CLI I don't get any error when I paste the base64-encoded string. Has anyone had that issue before?
    #4
    KVB
    Re: Explicit Proxy with Kerberos auth not working 2019/06/25 23:29:25 (permalink)
    0
    Hi ninoshev. Having the exact same symptoms as you are. I suppose your browser also gets the 407 request?
     
    Did you get any further with this issue?
    post edited by KVB - 2019/06/25 23:41:27
    #5