config user authentication-relay

Use this command to configure the authentication relay, which includes Kerberos and HTTP basic SSO configurations.

Syntax

config user authentication-relay
    edit <authentication-relay name>
        set authorization {HTTPError401 | always}
        set delegation-type {Kerberos | http-basic}
        set kdc-ip <string>                   FQDN or IP address of the KDC
        set kdc-port <integer>                port number of the KDC server
        set realm <string>                    realm (upper case)
        set domain-prefix-support {enable | disable}
        set domain-prefix <string>            domain to prefix
        set delegator-account <string>        KCD delegator principal
        set delegator-password <passwd>       KCD delegator password
        set delegated-spn <string>            KCD delegated service principal
    next
end

The following table describes parameters used for configuring authentication relay using Kerberos SSO.

delegation-type

Select Kerberos or HTTP Basic.

Note: You MUST select Kerberos when configuring authentication relay for Kerberos SSO.

authorization

Select HTTPError401 or always.

After a client account authenticates successfully, FortiADC first sends the request to the server and waits for the server's response before performing authentication on its own behalf.

If HTTPError401 is set, FortiADC performs the authentication only after it has received a 401 response. Furthermore, if the client requests further content from the web server after FortiADC has obtained the authentication service ticket, FortiADC sends that request without the ticket; it sends another request carrying the service ticket only when the server returns a 401 Unauthorized response.

When always is set, FortiADC always performs the authentication regardless of the response it receives from the server. If the client requests further content from the web server after FortiADC has obtained the Kerberos service ticket, FortiADC always sends the request with the service ticket attached.
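As an added illustration (not Fortinet code), the following model follows the description above and shows, for each client request, when the relay forwards the request with or without the service ticket under each authorization value; the back-end status codes are constructed sample input.

```python
# Added model of the two `set authorization` behaviours described above.
# This is not FortiADC code; server responses are constructed sample input.

def relay_requests(authorization, server_responses):
    """Simulate one client session through the authentication relay.

    authorization:    "HTTPError401" or "always"
    server_responses: status the back end returns to a ticket-less request,
                      one per client request (constructed sample input)
    Returns the messages the relay sends to the server, in order, as
    (request_index, with_ticket) tuples.
    """
    if authorization not in ("HTTPError401", "always"):
        raise ValueError("authorization must be HTTPError401 or always")
    sent = []
    have_ticket = False
    for i, status in enumerate(server_responses):
        if authorization == "always" and have_ticket:
            # Ticket already obtained: every later request carries it.
            sent.append((i, True))
            continue
        # Both modes: first forward without a ticket and inspect the reply.
        sent.append((i, False))
        if authorization == "always" or status == 401:
            have_ticket = True        # obtain (or reuse) the service ticket
            sent.append((i, True))    # retry the same request with the ticket
    return sent
```

Note that in HTTPError401 mode every protected resource costs an extra round trip, while in always mode the ticket accompanies every request once it has been obtained.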

kdc-ip

The FQDN or IP address of the KDC server.

kdc-port

The port on which the KDC server listens for Kerberos authentication.

realm

The realm which supports Kerberos authentication.

Note: The realm string must consist of uppercase letters and '.'.

delegated-spn

The identifier of the service running on the server.

The SPN uses this format: HTTP/sharepoint.ft3.local@FT3.LOCAL

Where:

  • HTTP: the service running on the server.
  • The string between / and @: the host, which supports regexp.
  • The string after @: the realm that supports the service. It MUST be in upper-case letters.

delegator-account

The FortiADC proxy Kerberos authentication account.

delegator-password

The delegator account password.

domain-prefix-support

Domain prefix support:

This is a switch to enable or disable the default domain prefix function.

Sometimes the domain controller requires the user to log in with the user name format "domain\username", such as 'KFOR\user1'.

When this option is enabled, the user can also log in successfully by entering only 'user1', because FortiADC automatically adds the prefix 'KFOR\' and sends 'KFOR\user1' to the server.

Domain prefix:

The value will be added as the domain prefix when the switch above is enabled and when the user inputs the username without the domain.

The value of this domain prefix MUST be a valid NetBIOS domain name.
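As an added illustration (not Fortinet code), the following checks the formatting rules this reference states for realm, delegated-spn and domain-prefix, and applies the domain-prefix behaviour described above. The NetBIOS check is a simplified assumption (length and forbidden characters); digits are assumed to be allowed in a realm because the page's own example FT3.LOCAL contains one.

```python
# Added validation helpers for the parameter rules described above.
# Not FortiADC code; sample values below are constructed.
import re

# Characters NetBIOS names may not contain (simplified assumption).
_NETBIOS_FORBIDDEN = set('\\/:*?"<>| ')


def check_realm(realm):
    """Realm must be upper-case letters, digits and '.', e.g. FT3.LOCAL."""
    return bool(re.fullmatch(r"[A-Z0-9]+(\.[A-Z0-9]+)*", realm))


def parse_spn(spn):
    """Split 'service/host@REALM' into its parts; None if malformed.

    The realm after '@' must satisfy check_realm (upper case), as the
    reference requires; the host may be a regexp and is not validated here.
    """
    m = re.fullmatch(r"([^/@]+)/([^@]+)@([^@]+)", spn)
    if not m:
        return None
    service, host, realm = m.groups()
    if not check_realm(realm):
        return None
    return {"service": service, "host": host, "realm": realm}


def is_netbios_domain(name):
    """NetBIOS domain name: 1-15 characters, none from the forbidden set."""
    return 0 < len(name) <= 15 and not (set(name) & _NETBIOS_FORBIDDEN)


def apply_domain_prefix(username, domain_prefix, support_enabled):
    """Return the login name the relay forwards when domain-prefix-support
    is enabled: DOMAIN\\user unless the user already typed a domain."""
    if not support_enabled or "\\" in username:
        return username
    if not is_netbios_domain(domain_prefix):
        raise ValueError("domain-prefix must be a valid NetBIOS domain name")
    return f"{domain_prefix}\\{username}"
```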

Example 1: Configure Kerberos authentication relay:

config user authentication-relay
    edit "auth-relay-1"
        set kdc-ip 2.2.1.202
        set realm KFOR.COM
        set delegator-account test
        set delegator-password ENC
        set delegated-spn http/server11202.kfor.com@kfor.com
    next
end

Example 2: Configure HTTP-basic authentication relay:

config user authentication-relay
    edit "auth-relay-2"
        set delegation-type http-basic
        set authorization always
        set domain-prefix-support enable
        set domain-prefix SSS
    next
end
