Using Kerberos authentication with a FortiProxy unit
This example shows how to configure Kerberos authentication with Windows and Linux clients for a FortiProxy unit using a Windows 2012R2 server.
Step 1: Configure the Kerberos server
- From the key distribution center (KDC) on the Windows 2012 platform, set the domain (realm) name in the Windows server, for example, TEST.COM. For more information, see https://social.technet.microsoft.com/wiki/contents/articles/22622.building-your-first-domain-controller-on-2012-r2.aspx.
- Create two user accounts in the Windows domain. In this example, the users are "user1" and "fpx". user1 is a normal user, and fpx is the service account for the FortiProxy unit (testfpx.test.com). The fpx account stands for the FortiProxy unit, which provides the HTTP proxy service.
- Make sure that the Kerberos server can resolve the FortiProxy fully qualified domain name (FQDN), testfpx.test.com.
- Add the FortiProxy FQDN to the DNS forward and reverse zones, or add it to the local hosts file (for example, in windows/system32/drivers/etc/hosts, add testfpx.test.com and 10.10.1.10).
- Use ktpass to generate the Kerberos keytab file that the FortiProxy unit uses to decrypt Kerberos service tickets. The principal is written in the standard SPN form HTTP/<FQDN>@<REALM>:
ktpass -princ HTTP/<FQDN of testfpx>@<realm> -mapuser fpx -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab
For example:
ktpass -princ HTTP/testfpx.test.com@TEST.COM -mapuser fpx -pass 12345678 -crypto all -ptype KRB5_NT_PRINCIPAL -out fpx.keytab
- Use base64 to convert the fpx.keytab file; the output is used as the FortiProxy keytab value. For example:
base64 fpx.keytab > fpx.txt
If the output is not a single line, delete the line feed (LF) characters so that the whole keytab is on one line.
NOTE: You do not need to convert the keytab file if you are using Mozilla Firefox 1.2.4 or later.
Step 2: Configure the FortiProxy unit
- Define the LDAP server.
config user ldap
    edit "ldap" <<< used for authorization
        set server "10.10.1.1" <<< LDAP server IP address; usually the same as the KDC server IP address.
        set cnid "sAMAccountName"
        set dn "dc=test,dc=com"
        set type regular
        set username "CN=admin,CN=Users,DC=test,DC=com"
        set password ENC aW5lIAHkPMf4D+ZCKpGMU3x8Fpq0G+7uIbAvpblbXFA5vLfgb4/oRBx+B6R/v+CMCetP84e+Gdz5zEcMyOd3cjoBoIhFrpYJfXhRs4lSEOHezeVXfxwTSf5VJG+F11G/G5RpaY+AE8bortC8MBe7P2/uGQocFHu4Ilulp5I6OJvyk6Ei3hDZMjTd8iPp5IkRJZVVjQ==
    next
end
- Define the Kerberos server.
config user krb-keytab
    edit "http_service"
        set principal "HTTP/testfpx.test.com@TEST.COM" <<< Must be the same as the principal name used to generate the Kerberos keytab file.
        set ldap-server "ldap" <<< the LDAP server defined above, used for authorization
        set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=" <<< the base64-encoded keytab file created in step 1, on a single line
    next
end
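Before pasting a keytab into the krb-keytab entry, it is worth confirming that the value is a single line of base64 (the LF removal from step 1) and that the principal inside the file is the one given to set principal, since a mismatch makes every Negotiate attempt fail decryption. The following script is an added example and is not part of the FortiProxy documentation; it assumes a version 2 (0x0502) MIT-format keytab, which is the format ktpass writes, and flags a keytab whose only key type is RC4-HMAC.

```python
import base64
import struct

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}   # Kerberos enctype numbers
WEAK_ENCTYPES = {23}               # RC4-HMAC is deprecated (RFC 8429)

def parse_keytab(data: bytes) -> list:
    """Return [(principal, enctype, kvno)] for every entry of a 0x0502 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # int32 entry length
        pos += 4
        if size <= 0:                   # negative size marks a deleted slot
            pos += -size or len(data)
            continue
        end, (ncomp,) = pos + size, struct.unpack_from(">H", data, pos)
        pos, strs = pos + 2, []
        for _ in range(ncomp + 1):      # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strs.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        # name type (1 = KRB5_NT_PRINCIPAL), timestamp, vno8, enctype; key follows
        _ntype, _ts, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        entries.append(("/".join(strs[1:]) + "@" + strs[0], enctype, vno8))
        pos = end
    return entries

def check_keytab(keytab_b64: str, expected_principal: str) -> dict:
    """Normalise the base64 to one line (the LF removal from step 1), then compare
    the keytab contents with the 'set principal' value of the krb-keytab entry."""
    one_line = "".join(keytab_b64.split())            # drop LF/CR/space
    entries = parse_keytab(base64.b64decode(one_line, validate=True))
    principals = {p for p, _, _ in entries}
    enctypes = sorted({e for _, e, _ in entries})
    return {"principals": sorted(principals),
            "principal_ok": principals == {expected_principal},
            "enctypes": [ENCTYPE_NAMES.get(e, str(e)) for e in enctypes],
            "weak_only": all(e in WEAK_ENCTYPES for e in enctypes),
            "keytab_b64": one_line}

# The keytab value shown in the 'config user krb-keytab' example above.
PAGE_KEYTAB_B64 = ("BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJC"
                   "RVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw=")
```

Run against the sample value from the block above, the check reports the principal HTTP/TONY_FGT_100D_A.BERBER.COM@BERBER.COM with only an rc4-hmac key, so that placeholder would not match HTTP/testfpx.test.com@TEST.COM and must be replaced with the keytab generated in step 1.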
- Create the user group.
config user group <<< This group is used for Kerberos authentication.
    edit "testgrp"
        set member "ldap"
        config match
            edit 1
                set server-name "ldap" <<< Use the same server name that was given to "set ldap-server" when defining the Kerberos keytab.
                set group-name "CN=Domain Users,CN=Users,DC=TEST,DC=com" <<< This group membership is used for authorization; user1 must be a member of it.
            next
        end
    next
end
- Define the domain controller.
config user domain-controller
    edit "test.com"
        set ip-address 10.10.1.1
        set ldap-server "ldap"
    next
end
- Create the authentication scheme for Kerberos with NTLM fallback.
config authentication scheme
    edit "krb-ntlmfallback"
        set method negotiate
        set kerberos-keytab "http_service"
        set domain-controller "test.com"
    next
end
- Create the authentication rule.
config authentication rule
    edit "krb-ntlm-rule"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ip-based disable
        set active-auth-method "krb-ntlmfallback"
    next
end
- Create the firewall policy with authentication for testgrp.
config firewall policy
    edit 1
        set type explicit-web
        set name "Authenticated_browsing"
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set logtraffic all
        set log-http-transaction enable
        set groups "testgrp"
        set utm-status enable
    next
end
Step 3: Configure the Windows client
- Use the default Kerberos Windows environment to set up a Windows client that supports Kerberos authentication.
- After logging on to Windows as "user1", use the klist command to view the Kerberos tickets. The cached tickets indicate that Kerberos is set up and working correctly.
C:\Users\user1>klist
Current LogonId is 0:0x83fd4e
Cached Tickets: (2)
#0> Client: user1 @ TEST.COM
Server: krbtgt/TEST.COM @ TEST.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 8/17/2020 21:01:04 (local)
End Time: 8/18/2020 7:01:04 (local)
Renew Time: 8/24/2020 21:01:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: user1 @ TEST.COM
Server: LDAP/fk-win2k12-dc-1.test.com/fpxetlab.local @ TEST.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 8/17/2020 21:01:06 (local)
End Time: 8/18/2020 7:01:04 (local)
Renew Time: 8/24/2020 21:01:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
You do not see the service ticket yet for the FortiProxy HTTP/testfpx.test.com@TEST.COM. The service ticket is requested after the client browses through the FortiProxy unit.
C:\Users\user1>klist
Current LogonId is 0:0x83fd4e
Cached Tickets: (3)
#0> Client: user1 @ TEST.COM
Server: krbtgt/TEST.COM @ TEST.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 8/17/2020 21:01:04 (local)
End Time: 8/18/2020 7:01:04 (local)
Renew Time: 8/24/2020 21:01:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: user1 @ TEST.COM <<< New Service Ticket for proxy
Server: HTTP/testfpx.test.com @ TEST.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 8/17/2020 21:09:08 (local)
End Time: 8/18/2020 7:01:04 (local)
Renew Time: 8/24/2020 21:01:04 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
#2> Client: user1 @ TEST.COM
Server: LDAP/fk-win2k12-dc-1.test.com/test.com @ TEST.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 8/17/2020 21:01:06 (local)
End Time: 8/18/2020 7:01:04 (local)
Renew Time: 8/24/2020 21:01:04 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
- Set up the explicit web proxy in the browser or in the operating system proxy settings, using FQDN=testfpx.test.com and port=8080.
NOTE: For Kerberos authentication, you must specify the FQDN instead of the IP address.
- Use a web browser to visit a website through the web proxy. The klist command now shows the obtained Kerberos service ticket for HTTP/testfpx.test.com@TEST.COM. On the FortiProxy unit, go to FortiView > Users or enter diag wad user list. You see either "negotiate" or "NTLM" as the authentication method.
Step 4: Configure the Linux client
- Log in with an account that has sudo rights.
- Create an account for user1:
$ sudo adduser --home /home/user1 --shell /bin/bash --uid 1001 --gid 1000 user1
- Set your DNS resolver (/etc/resolv.conf) to point to the DNS server that can resolve the KDC FQDN.
- Because the Linux client does not have the Kerberos client installed, you need to prepare the Linux client. Start by setting the client host name.
$ hostnamectl set-hostname fk-ubuntu2004.test.com
==== AUTHENTICATING FOR org.freedesktop.hostname1.set-static-hostname ===
Authentication is required to set the statically configured local host name, as well as the pretty host name.
Authenticating as: user1,,, (user1)
Password:
==== AUTHENTICATION COMPLETE ===
- Install the Kerberos client-related support libraries.
$ sudo apt-get update; sudo apt-get install -y krb5-user libpam-krb5 libpam-ccreds
During the installation, you will be asked about the Kerberos realm, the Kerberos server of the realm, and the administrative server.
- The default Kerberos version 5 realm is TEST.COM.
- The Kerberos server for your realm is krb.test.com. The Kerberos server is often the same as the domain controller (LDAP server).
- The administrative server for your Kerberos realm is krb.test.com.
- Make sure that the Linux client can resolve krb.test.com to its IP address. (If the Linux client cannot resolve it, manually add krb.test.com and 10.10.1.1 to /etc/hosts.)
- Make sure that the Linux client can resolve testfpx.test.com to its IP address. (If the Linux client cannot resolve it, manually add testfpx.test.com and 10.10.1.10 to /etc/hosts.)
- The /etc/krb5.conf file contains the necessary Kerberos configuration from when you installed the Kerberos client-related support libraries:
[libdefaults]
    default_realm = TEST.COM
[realms]
    TEST.COM = {
        kdc = kdc.test.com <<< The Kerberos server of the realm. Manually add the FortiProxy domain name and IP mapping if they are missing.
        admin_server = kdc.test.com
    }
[domain_realm]
    .test.com = TEST.COM
    test.com = TEST.COM
- Clean up the Kerberos tickets for user1. Use the klist command to check the cached tickets, the kinit command to obtain and cache a ticket, and the kdestroy command to delete the Kerberos tickets. Provide the password of user1 when prompted.
$ kinit
Password for user1@TEST.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user1@TEST.COM
Valid starting Expires Service principal
14/08/20 12:21:30 14/08/20 22:21:30 krbtgt/TEST.COM@TEST.COM
renew until 15/08/20 12:21:03
Step 5: Validate that the configuration works
- Use Kerberos authentication to request a webpage. The first request takes a few seconds to obtain the Kerberos Service Ticket, which is valid for 10 hours. Any following requests are faster because the ticket can be reused.
$ curl -x testfpx.test.com:8080 -U : --proxy-negotiate http://fortipoc.4xion.com -v
* Trying 10.222.16.8:8080...
* TCP_NODELAY set
* Connected to testfpx.test.com (10.10.1.10) port 8080 (#0)
* Proxy auth using Negotiate with user ''
> GET http://fortipoc.4xion.com/ HTTP/1.1
> Host: fortipoc.4xion.com
> Proxy-Authorization: Negotiate ...
> User-Agent: curl/7.68.0
> Accept: */*
> Proxy-Connection: Keep-Alive
- Check the Kerberos tickets for the HTTP proxy service.
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: user1@TEST.COM
Valid starting Expires Service principal
14/08/20 12:21:30 14/08/20 22:21:30 krbtgt/TEST.COM@TEST.COM
renew until 15/08/20 12:21:03
14/08/20 12:24:26 14/08/20 22:21:30 HTTP/testfpx.test.com@
renew until 15/08/20 12:21:03
- Enable Kerberos authentication for Mozilla Firefox. In the Firefox configuration page, change network.negotiate-auth.trusted-uris to the domain you want to authenticate against.