2.0.2

Using Kerberos authentication with a FortiProxy unit

This example shows how to configure Kerberos authentication with Windows and Linux clients for a FortiProxy unit using a Windows 2012R2 server.

Step 1: Configure the Kerberos server

  1. From the key distribution center (KDC) on the Windows 2012 platform, set the domain (realm) name in the Windows server, for example, TEST.COM. For more information, see https://social.technet.microsoft.com/wiki/contents/articles/22622.building-your-first-domain-controller-on-2012-r2.aspx.
  2. Create two user accounts in the Windows domain. In this example, the users are “user1” and “fpx”. user1 is a normal user, and fpx is the service account for the FortiProxy unit (testfpx.test.com). The fpx account stands for the FortiProxy unit, which provides the HTTP proxy service.
  3. Make sure that the Kerberos server can resolve the FortiProxy fully qualified domain name (FQDN) (testfpx.test.com).
  4. Add the FortiProxy FQDN into the DNS forward/reverse zones or add it to the local hosts file (for example, in windows/system32/drivers/etc/hosts, add testfpx.test.com and 10.10.1.10).
  5. Use ktpass to generate the Kerberos keytab file for Kerberos ticket decryption. The service principal name has the form HTTP/<FQDN>@<REALM> (a single slash after HTTP), matching the set principal value that is configured later on the FortiProxy unit:

    ktpass -princ HTTP/<FQDN of testfpx>@<REALM> -mapuser fpx -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab

    For example:

    ktpass -princ HTTP/testfpx.test.com@TEST.COM -mapuser fpx -pass 12345678 -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab

  6. Use base64 to convert the fpx.keytab file; the output is used for the FortiProxy keytab. For example:

    base64 fpx.keytab > fpx.txt

    If the output is not one line, delete the line feed (LF) characters.

    NOTE: You do not need to convert the keytab file if you are using Mozilla Firefox 1.2.4 or later.

Step 2: Configure the FortiProxy unit

  1. Define the LDAP server.

    config user ldap
        edit "ldap" <<< used for authorization
            set server "10.10.1.1" <<< LDAP server IP address; usually the same as the KDC server IP address
            set cnid "sAMAccountName"
            set dn "dc=test,dc=com"
            set type regular
            set username "CN=admin,CN=Users,DC=test,DC=com"
            set password ENC aW5lIAHkPMf4D+ZCKpGMU3x8Fpq0G+7uIbAvpblbXFA5vLfgb4/oRBx+B6R/v+CMCetP84e+Gdz5zEcMyOd3cjoBoIhFrpYJfXhRs4lSEOHezeVXfxwTSf5VJG+F11G/G5RpaY+AE8bortC8MBe7P2/uGQocFHu4Ilulp5I6OJvyk6Ei3hDZMjTd8iPp5IkRJZVVjQ==
        next
    end

  2. Define the Kerberos server.

    config user krb-keytab
        edit "http_service"
            set principal "HTTP/testfpx.test.com@TEST.COM" <<< must be the same principal name that was used to generate the Kerberos keytab file
            set ldap-server "ldap" <<< the LDAP server defined above, used for authorization
            set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <<< the base64-encoded keytab file created in Step 1
        next
    end

  3. Create the user group.

    config user group <<< This group is used for Kerberos authentication.
        edit "testgrp"
            set member "ldap"
            config match
                edit 1
                    set server-name "ldap" <<< the same server name that was used in the set ldap-server command when defining the Kerberos server
                    set group-name "CN=Domain Users,CN=Users,DC=TEST,DC=com" <<< the group membership used for authorization; user1 must be a member of this group
                next
            end
        next
    end

  4. Define the domain controller.

    config user domain-controller
        edit "test.com"
            set ip-address 10.10.1.1
            set ldap-server "ldap"
        next
    end

  5. Create the authentication scheme for Kerberos with NTLM fallback.

    config authentication scheme
        edit "krb-ntlmfallback"
            set method negotiate
            set kerberos-keytab "http_service"
            set domain-controller "test.com"
        next
    end

  6. Create the authentication rule.

    config authentication rule
        edit "krb-ntlm-rule"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set ip-based disable
            set active-auth-method "krb-ntlmfallback"
        next
    end

  7. Create the firewall policy with authentication for testgrp.

    config firewall policy
        edit 1
            set type explicit-web
            set name "Authenticated_browsing"
            set explicit-web-proxy "web-proxy"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "webproxy"
            set logtraffic all
            set log-http-transaction enable
            set groups "testgrp"
            set utm-status enable
        next
    end
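The set keytab value in item 2 above is the base64 form of the MIT keytab that ktpass wrote, and the note beside set principal says the two must name the same principal. The following is an added example, not code from Fortinet's documentation or from FortiProxy itself: a Python checker that decodes the base64 (tolerating the line feeds that base64 inserts every 76 characters, which Step 1 tells you to delete), parses the keytab format the sample decodes to (version 0x0502, big-endian, including deleted slots and the optional 32-bit kvno extension), lists each entry's principal, kvno and encryption type without printing the key bytes, and compares the result with the configured principal. The function and constant names (parse_keytab, keytab_issues, CONFIGURED_PRINCIPAL) are this example's own. Run against the sample keytab shown on this page, it reports that the keytab decodes to a different principal and realm than HTTP/testfpx.test.com@TEST.COM and that it carries only an RC4-HMAC key; both are conditions worth catching before the unit goes into service, since a principal mismatch makes every Negotiate attempt fail (and, with this page's scheme, fall back to NTLM).

```python
import base64
import struct

# Constructed sample: the base64 keytab from the "set keytab" line on this
# page, wrapped at 76 characters the way `base64 fpx.keytab` prints it by
# default, so the whitespace handling below is exercised.
SAMPLE_KEYTAB_B64 = (
    "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAA\n"
    "AQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=\n"
)

# The principal configured with "set principal" in this page's example.
CONFIGURED_PRINCIPAL = "HTTP/testfpx.test.com@TEST.COM"

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
RC4_ENCTYPES = {23, 24}


def keytab_bytes_from_base64(text):
    """Undo the base64 step. All whitespace (including the LF that `base64`
    inserts every 76 characters) is dropped before decoding."""
    return base64.b64decode("".join(text.split()), validate=True)


def _counted_octet_string(buf, pos):
    """uint16 length followed by that many bytes (MIT keytab encoding)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length].decode("utf-8"), pos + length


def parse_keytab(data):
    """Parse a version 0x0502 (big-endian) MIT keytab.

    Returns one dict per live entry. The key bytes are NOT returned, only
    their length, so the result can be logged without leaking key material."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _counted_octet_string(entry, p)
        components = []
        for _ in range(ncomp):
            comp, p = _counted_octet_string(entry, p)
            components.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, key_len = struct.unpack_from(">HH", entry, p)
        p += 4 + key_len                   # skip over the key itself
        kvno = vno8
        if p + 4 <= len(entry):            # optional 32-bit kvno extension
            (vno32,) = struct.unpack_from(">I", entry, p)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key_len": key_len,
        })
        pos += size
    return entries


def keytab_issues(b64_text, configured_principal):
    """Return a list of problems; an empty list means the keytab contains the
    configured principal and at least one non-RC4 key."""
    entries = parse_keytab(keytab_bytes_from_base64(b64_text))
    issues = []
    principals = sorted({e["principal"] for e in entries})
    if configured_principal not in principals:
        issues.append("configured principal %s is not in the keytab (found: %s)"
                      % (configured_principal, ", ".join(principals)))
    if entries and all(e["enctype"] in RC4_ENCTYPES for e in entries):
        issues.append("keytab holds only RC4-HMAC keys; no AES key present")
    return issues


if __name__ == "__main__":
    for e in parse_keytab(keytab_bytes_from_base64(SAMPLE_KEYTAB_B64)):
        print("%(principal)s kvno=%(kvno)d %(enctype_name)s (%(key_len)d-byte key)" % e)
    for issue in keytab_issues(SAMPLE_KEYTAB_B64, CONFIGURED_PRINCIPAL):
        print("ISSUE:", issue)
```

The RC4-only finding is consistent with the Windows klist output in Step 3, where the proxy ticket is issued with RSADSI RC4-HMAC(NT) while the krbtgt and LDAP tickets use AES-256: the KDC can only issue a service ticket in an encryption type for which the service account has a key. If AES is wanted for the proxy, the fpx account needs AES keys before ktpass is run, and the keytab must be regenerated afterwards.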

Step 3: Configure the Windows client

  1. Use the default Kerberos Windows environment to set up a Windows client that supports Kerberos authentication.
  2. After logging on to Windows as user1, run the klist command to view the cached Kerberos tickets. The presence of these tickets indicates that Kerberos is set up and working correctly.

    C:\Users\user1>klist

    Current LogonId is 0:0x83fd4e

    Cached Tickets: (2)

    #0> Client: user1 @ TEST.COM
        Server: krbtgt/TEST.COM @ TEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 8/17/2020 21:01:04 (local)
        End Time: 8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

    #1> Client: user1 @ TEST.COM
        Server: LDAP/fk-win2k12-dc-1.test.com/fpxetlab.local @ TEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 8/17/2020 21:01:06 (local)
        End Time: 8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

    You do not see the service ticket yet for the FortiProxy HTTP/testfpx.test.com@TEST.COM. The service ticket is requested after the client browses through the FortiProxy unit.

    C:\Users\user1>klist

    Current LogonId is 0:0x83fd4e

    Cached Tickets: (3)

    #0> Client: user1 @ TEST.COM
        Server: krbtgt/TEST.COM @ TEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 8/17/2020 21:01:04 (local)
        End Time: 8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

    #1> Client: user1 @ TEST.COM <<< new service ticket for the proxy
        Server: HTTP/testfpx.test.com @ TEST.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 8/17/2020 21:09:08 (local)
        End Time: 8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

    #2> Client: user1 @ TEST.COM
        Server: LDAP/fk-win2k12-dc-1.test.com/test.com @ TEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 8/17/2020 21:01:06 (local)
        End Time: 8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

  3. Configure the browser (or the operating system) to use the explicit web proxy at FQDN testfpx.test.com, port 8080.

    NOTE: For Kerberos authentication, you must specify the FQDN instead of the IP address.

  4. Use a web browser to visit a website through the web proxy.

    The klist command now shows the obtained Kerberos service ticket for HTTP/testfpx.test.com@TEST.COM.

    On the FortiProxy unit, go to FortiView > Users or enter diag wad user list. You see either “negotiate” or “NTLM” as the authentication method.
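Items 2 and 4 above use klist output to confirm that the client obtained a service ticket for HTTP/testfpx.test.com, and the last sentence notes that FortiProxy may instead report NTLM, which is what the scheme falls back to when Kerberos did not happen. The following is an added example, not code from Fortinet's documentation or from Windows: a Python parser for the Windows klist listing that turns each cached ticket into a dict (client, SPN, realm, encryption type, flags, times) and two checks built on it, one that looks up the proxy SPN (absent means the Negotiate exchange never completed and NTLM fallback should be expected) and one that lists service tickets issued with RC4-HMAC. The embedded klist text is the page's own output with its wrapped lines re-joined, plus a constructed before-browsing listing; the names parse_windows_klist, find_ticket, rc4_tickets and PROXY_SPN are this example's own.

```python
import re

# Constructed sample: the Windows klist output shown on this page after the
# client has browsed through the proxy, with klist's own indentation and the
# wrapped "Ticket Flags" lines re-joined.
KLIST_AFTER_BROWSING = """\
Current LogonId is 0:0x83fd4e

Cached Tickets: (3)

#0>     Client: user1 @ TEST.COM
        Server: krbtgt/TEST.COM @ TEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 8/17/2020 21:01:04 (local)
        End Time:   8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: user1 @ TEST.COM
        Server: HTTP/testfpx.test.com @ TEST.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 8/17/2020 21:09:08 (local)
        End Time:   8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#2>     Client: user1 @ TEST.COM
        Server: LDAP/fk-win2k12-dc-1.test.com/test.com @ TEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 8/17/2020 21:01:06 (local)
        End Time:   8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""

# Constructed sample: a cache holding only the TGT, as seen before the first
# request through the proxy (no HTTP/testfpx.test.com ticket yet).
KLIST_BEFORE_BROWSING = """\
Current LogonId is 0:0x83fd4e

Cached Tickets: (1)

#0>     Client: user1 @ TEST.COM
        Server: krbtgt/TEST.COM @ TEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 8/17/2020 21:01:04 (local)
        End Time:   8/18/2020 7:01:04 (local)
        Renew Time: 8/24/2020 21:01:04 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""

PROXY_SPN = "HTTP/testfpx.test.com"   # the FortiProxy service principal on this page

_HEADER = re.compile(r"^#(\d+)>\s*Client:\s*(.+?)\s*$")
_FLAGS = re.compile(r"^Ticket Flags\s+(0x[0-9A-Fa-f]+)\s*->\s*(.*)$")
_FIELDS = {
    "Server": "server", "KerbTicket Encryption Type": "enctype",
    "Start Time": "start", "End Time": "end", "Renew Time": "renew",
    "Session Key Type": "session_key_type",
}


def parse_windows_klist(text):
    """Turn Windows `klist` output into a list of ticket dicts."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:                                  # "#N> Client: ..." starts a ticket
            current = {"index": int(m.group(1)), "client": m.group(2), "flags": []}
            tickets.append(current)
            continue
        if current is None:                    # header lines before the first ticket
            continue
        m = _FLAGS.match(line)
        if m:
            current["flags_hex"] = int(m.group(1), 16)
            current["flags"] = m.group(2).split()
            continue
        key, sep, value = line.partition(":")  # first colon only; times contain colons
        if sep and key in _FIELDS:
            current[_FIELDS[key]] = value.strip()
            if key == "Server":                # "SPN @ REALM"
                spn, _, realm = value.strip().partition(" @ ")
                current["spn"], current["realm"] = spn, realm
    return tickets


def find_ticket(tickets, spn):
    """Return the ticket for an SPN (case-insensitive), or None if the client
    never obtained one, the symptom behind an "NTLM" entry in diag wad user list."""
    for t in tickets:
        if t.get("spn", "").lower() == spn.lower():
            return t
    return None


def rc4_tickets(tickets):
    """SPNs whose service ticket was issued with RC4-HMAC rather than AES."""
    return [t["spn"] for t in tickets if "RC4" in t.get("enctype", "").upper()]


if __name__ == "__main__":
    tickets = parse_windows_klist(KLIST_AFTER_BROWSING)
    proxy = find_ticket(tickets, PROXY_SPN)
    print("proxy ticket:", "present, %s" % proxy["enctype"] if proxy else "absent (expect NTLM fallback)")
    print("RC4 service tickets:", rc4_tickets(tickets))
```

On the page's own output the proxy ticket is present but is the only RC4-HMAC ticket in the cache, which is a property of the fpx service account's keys rather than of the client; the same check run on a client whose cache never gains the HTTP/testfpx.test.com ticket is the quickest way to tell a Kerberos failure (wrong SPN, unresolvable FQDN, proxy configured by IP address) from a working Negotiate exchange.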

Step 4: Configure the Linux client

  1. Log in with an account with sudo rights.
  2. Create an account for user1:

    $ sudo adduser --home /home/user1 --shell /bin/bash --uid 1001 --gid 1000 user1

  3. Set your DNS resolver (/etc/resolv.conf) to point to the DNS server that can resolve the KDC FQDN.

  4. The Linux client does not have the Kerberos client installed yet, so prepare it first. Start by setting the client host name.

    $ hostnamectl set-hostname fk-ubuntu2004.test.com
    ==== AUTHENTICATING FOR org.freedesktop.hostname1.set-static-hostname ===
    Authentication is required to set the statically configured local host name, as well as the pretty host name.
    Authenticating as: user1,,, (user1)
    Password:
    ==== AUTHENTICATION COMPLETE ===

  5. Install the Kerberos client-related support libraries.

    $ sudo apt-get update; sudo apt-get install -y krb5-user libpam-krb5 libpam-ccreds

    During the installation, you will be asked about the Kerberos realm, the Kerberos server of the realm, and the administrative server.

    • The default Kerberos version 5 realm is TEST.COM.
    • The Kerberos server for your realm is krb.test.com. The Kerberos server is often the same as the domain controller (LDAP server).
    • The administrative server for your Kerberos realm is krb.test.com.
  6. Make sure that the Linux client can resolve krb.test.com to its IP address. (If it cannot, manually add krb.test.com and 10.10.1.1 to /etc/hosts.)
  7. Make sure that the Linux client can resolve testfpx.test.com to its IP address. (If it cannot, manually add testfpx.test.com and 10.10.1.10 to /etc/hosts.)
  8. The /etc/krb5.conf file contains the necessary Kerberos configuration from when you installed the Kerberos client-related support libraries.

    [libdefaults]
        default_realm = TEST.COM

    [realms]
        TEST.COM = {
            kdc = kdc.test.com <<< the domain name of the Kerberos server; manually add the name and IP mapping (see items 6 and 7) if it is missing
            admin_server = kdc.test.com
        }

    [domain_realm]
        .test.com = TEST.COM
        test.com = TEST.COM

  9. Obtain and check the Kerberos tickets for user1. The kinit command obtains and caches the ticket-granting ticket, the klist command lists the cached tickets, and the kdestroy command deletes them. Provide the password of user1 when prompted.

    $ kinit
    Password for user1@TEST.COM:
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1001
    Default principal: user1@TEST.COM

    Valid starting       Expires              Service principal
    14/08/20 12:21:30    14/08/20 22:21:30    krbtgt/TEST.COM@TEST.COM
        renew until 15/08/20 12:21:03

Step 5: Validate that the configuration works

  1. Use Kerberos authentication to request a webpage through the proxy. The first request takes a few seconds to obtain the Kerberos service ticket, which is valid for 10 hours. Subsequent requests are faster because the ticket is reused.

    $ curl -x testfpx.test.com:8080 -U : --proxy-negotiate http://fortipoc.4xion.com -v
    *   Trying 10.222.16.8:8080...
    * TCP_NODELAY set
    * Connected to testfpx.test.com (10.10.1.10) port 8080 (#0)
    * Proxy auth using Negotiate with user ''
    > GET http://fortipoc.4xion.com/ HTTP/1.1
    > Host: fortipoc.4xion.com
    > Proxy-Authorization: Negotiate <SPNEGO token elided>
    > User-Agent: curl/7.68.0
    > Accept: */*
    > Proxy-Connection: Keep-Alive

  2. Check the Kerberos tickets for the HTTP proxy service.

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1001
    Default principal: user1@TEST.COM

    Valid starting       Expires              Service principal
    14/08/20 12:21:30    14/08/20 22:21:30    krbtgt/TEST.COM@TEST.COM
        renew until 15/08/20 12:21:03
    14/08/20 12:24:26    14/08/20 22:21:30    HTTP/testfpx.test.com@
        renew until 15/08/20 12:21:03
    14/08/20 12:24:26    14/08/20 22:21:30    HT

  3. Enable Kerberos authentication for Mozilla Firefox.

    In the Firefox configuration page, change network.negotiate-auth.trusted-uris to the domain you want to authenticate against.
