Administration Guide

Using Kerberos authentication with Windows AD cross-forest

FortiProxy supports Windows AD cross-forest for Kerberos authentication. Below is an example to demonstrate how FortiProxy uses Kerberos authentication rules to support complex cross-forest authentication scenarios while adhering to the AGDLP best practices for managing access permissions.

Scenario

For the following forests:

  • Forest A: CONTOSO.LOCAL (trusting forest)
  • Forest B: FABRIKAM.COM (trusted forest)

We want to allow users from FABRIKAM.COM to access resources in CONTOSO.LOCAL through FortiProxy.

To implement the AGDLP model (Accounts into Global groups, Global groups into Domain Local groups, Permissions on the Domain Local groups):
  1. Create user accounts in FABRIKAM.COM: john.doe@fabrikam.com, jane.smith@fabrikam.com.
  2. Create global groups in FABRIKAM.COM: for example, FABRIKAM_Sales_Team.
  3. Add john.doe@fabrikam.com and jane.smith@fabrikam.com to FABRIKAM_Sales_Team.
  4. Create domain local groups in CONTOSO.LOCAL: for example, CONTOSO_Sales_Resources_Access, CONTOSO_IT_Admin.
  5. Add FABRIKAM.COM's FABRIKAM_Sales_Team to CONTOSO_Sales_Resources_Access.
  6. Grant appropriate access permissions to CONTOSO_Sales_Resources_Access on sales-related resources in CONTOSO.LOCAL.
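
The six AGDLP steps above, scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the FortiProxy guide: it assumes a forest trust in which CONTOSO.LOCAL trusts FABRIKAM.COM already exists, and the domain controller names, OU paths and share path are placeholders. The one non-obvious step is 5: Add-ADGroupMember cannot resolve a distinguished name from another forest, so the foreign global group is added to the domain local group by SID, which makes Active Directory create the foreignSecurityPrincipal object in CONTOSO.LOCAL.

```powershell
# Added example (not from the FortiProxy guide): AGDLP across a forest trust.
# Run from a CONTOSO.LOCAL admin host that can reach a DC in each forest.
Import-Module ActiveDirectory

$trustedDC  = 'dc1.fabrikam.com'               # assumption: DC in the trusted (account) forest
$trustingDC = 'dc1.contoso.local'              # assumption: DC in the trusting (resource) forest
$fabrikamOU = 'OU=Sales,DC=fabrikam,DC=com'    # assumption
$contosoOU  = 'OU=Groups,DC=contoso,DC=local'  # assumption
$sharePath  = '\\fs1.contoso.local\Sales'      # assumption: the sales resource

# Step 1: A (accounts) live in the trusted forest, FABRIKAM.COM.
foreach ($u in @(
    @{ Sam = 'john.doe';   Given = 'John'; Surname = 'Doe'   },
    @{ Sam = 'jane.smith'; Given = 'Jane'; Surname = 'Smith' }
)) {
    if (-not (Get-ADUser -Server $trustedDC -Filter "sAMAccountName -eq '$($u.Sam)'")) {
        New-ADUser -Server $trustedDC -Path $fabrikamOU `
            -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
            -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@fabrikam.com" `
            -AccountPassword (Read-Host -AsSecureString "Initial password for $($u.Sam)") `
            -ChangePasswordAtLogon $true -Enabled $true
    }
}

# Steps 2 and 3: G (global group) in FABRIKAM.COM, with the accounts as members.
$salesGlobal = Get-ADGroup -Server $trustedDC -Filter "name -eq 'FABRIKAM_Sales_Team'"
if (-not $salesGlobal) {
    $salesGlobal = New-ADGroup -Server $trustedDC -Path $fabrikamOU -Name 'FABRIKAM_Sales_Team' `
        -GroupScope Global -GroupCategory Security -PassThru
}
Add-ADGroupMember -Server $trustedDC -Identity $salesGlobal -Members 'john.doe', 'jane.smith'

# Step 4: DL (domain local groups) in the trusting forest, CONTOSO.LOCAL.
foreach ($name in 'CONTOSO_Sales_Resources_Access', 'CONTOSO_IT_Admin') {
    if (-not (Get-ADGroup -Server $trustingDC -Filter "name -eq '$name'")) {
        New-ADGroup -Server $trustingDC -Path $contosoOU -Name $name `
            -GroupScope DomainLocal -GroupCategory Security
    }
}

# Step 5: nest the foreign global group by SID. Add-ADGroupMember cannot resolve a
# DN from another forest; the <SID=...> form lets AD create the FSP automatically.
$dl = Get-ADGroup -Server $trustingDC -Identity 'CONTOSO_Sales_Resources_Access'
Set-ADGroup -Server $trustingDC -Identity $dl -Add @{ member = "<SID=$($salesGlobal.SID.Value)>" }

# Step 6: P (permissions). Only the domain local group appears in the ACL; the
# foreign users and the foreign global group never do.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\CONTOSO_Sales_Resources_Access', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: the member list should now contain a CN=S-1-5-21-...,CN=ForeignSecurityPrincipals entry.
(Get-ADGroup -Server $trustingDC -Identity $dl -Properties member).member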
To configure FortiProxy:
  1. Enable LDAP user cache for explicit and transparent proxy users:
    config web-proxy global
      set ldap-user-cache enable
    end
  2. Create an LDAP server for the trusting forest (the Kerberos keytab in the next step references it, so it must exist first):
    config user ldap
      edit "CONTOSO-AD"
          set server "10.0.1.100"
          set cnid "sAMAccountName"
          set dn "dc=contoso,dc=local"
          set type regular
          set username "svc_fortiproxy"
          set password ENC YXRhbFg8uvof/JrL06vpvBbR/Yghbmyp6LTdKDjy5ZX+X/4AGK4/MOSZd3JDBcJ6GLHwOeQ0d4lPvjqiHRJ7yNonLWGhrr/RKhmyrfsvYrB9cwc9Rbpx0B5vRT6Psmlbqi84JZsdg64tFkHyJ8JQCxrvzsM7S0MMtPCpAJ0LqLxkukwH31wC3gk5Vli59J3kYRXRFQ==
          set port 3268
          set account-key-processing strip
          set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
      next
    end
    Port 3268 is the Global Catalog port: the search covers every domain in the CONTOSO.LOCAL forest but not FABRIKAM.COM, so create a second LDAP server entry in the same way for the trusted forest (the verification output below shows it as FABRIKAM-AD); the authentication scheme configured later searches both. account-key-processing strip removes the realm from the principal name in the Kerberos ticket before the lookup, and the account-key-filter matches the user by sAMAccountName while excluding accounts that have the ACCOUNTDISABLE bit (0x2) set in userAccountControl. The example binds over plaintext LDAP; in production use set secure ldaps with set port 3269 (Global Catalog over TLS) so that the service account credentials and user attributes are not sent in the clear.
  3. Configure the Kerberos keytab:
    config user krb-keytab
      edit "CONTOSO-KRB"
          set pac-data disable
          set principal "HTTP/fortiproxy.contoso.local@CONTOSO.LOCAL"
          set ldap-server "CONTOSO-AD"
          set keytab "ENC ..."
      next
    end
    With pac-data disabled, group membership is resolved through the LDAP servers rather than taken from the PAC in the Kerberos ticket, which is what allows the domain local groups in CONTOSO.LOCAL to be found for a FABRIKAM.COM user.

  4. Configure the Kerberos authentication scheme, referencing the keytab object CONTOSO-KRB and enabling the search of all configured LDAP servers so that group membership can be resolved in both forests. NTLM fallback is disabled, so a client that cannot obtain a Kerberos ticket fails authentication instead of downgrading:
    config authentication scheme
      edit "krb"
          set method negotiate
          set negotiate-ntlm disable
          set kerberos-keytab "CONTOSO-KRB"
          set search-all-ldap-databases enable
      next
    end
  5. Set up the Kerberos authentication rule. active-auth-method references the authentication scheme (krb), not the keytab object:
    config authentication rule
      edit "CROSS-FOREST-AUTH"
          set status enable
          set protocol http https ftp
          set srcaddr "all"
          set ip-based disable
          set active-auth-method "krb"
      next
    end

To verify the cross-forest authentication:
  1. Check user authentication status using the following command:

    diagnose test application wad 2500

  2. View user info cache and group information using the following command:

    diagnose test application wad 159

Example output:

FPXVULTM24000048 # dia test app wad 159
uname=john.doe,pwd=no,vd=root ldap=FABRIKAM-AD,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Wed Sep  4 15:31:58 2024
user id=1, refresh_time=Wed Sep  4 15:31:58 2024
user dn=CN=John Doe,CN=Users,DC=fabrikam,DC=com
sid:S-1-5-21-2445926238-1237732657-140748957-513 name=CN=Domain Users,CN=Users,DC=fabrikam,DC=com
 
uname=john.doe,pwd=no,vd=root ldap=CONTOSO-AD,ref_cnt=1,upd=0,wait=0 sid-auth=1,status=2 last_access=Wed Sep  4 15:31:58 2024
user id=2, refresh_time=Wed Sep  4 15:31:58 2024
sid:S-1-5-21-2262484555-2078175199-1088017096-12365 name=CN=CONTOSO_Sales_Resources_Access,CN=Users,DC=contoso,DC=local
 
uname=jane.smith,pwd=no,vd=root ldap=CONTOSO-AD,ref_cnt=1,upd=0,wait=0 sid-auth=1,status=2 last_access=Wed Sep  4 15:32:08 2024
user id=3, refresh_time=Wed Sep  4 15:32:08 2024
sid:S-1-5-21-2262484555-2078175199-1088017096-12365 name=CN=CONTOSO_Sales_Resources_Access,CN=Users,DC=contoso,DC=local
sid:S-1-5-21-2262484555-2078175199-1088017096-12380 name=CN=CONTOSO_IT_Admin,CN=Users,DC=contoso,DC=local
 
uname=jane.smith,pwd=no,vd=root ldap=FABRIKAM-AD,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Wed Sep  4 15:32:08 2024
user id=4, refresh_time=Wed Sep  4 15:32:08 2024
user dn=CN=Jane Smith,CN=Users,DC=fabrikam,DC=com
sid:S-1-5-21-2445926238-1237732657-140748957-513 name=CN=Domain Users,CN=Users,DC=fabrikam,DC=com

In this output, both users authenticated and their group memberships were resolved in both forests. The FABRIKAM-AD entries (sid-auth=0) carry the user DN and the groups from the trusted forest; the CONTOSO-AD entries (sid-auth=1) carry the domain local groups from the trusting forest. sid-auth=1 on the CONTOSO-AD entry indicates that the cross-forest group resolution succeeded, and CONTOSO_Sales_Resources_Access in that entry is the group that carries the permissions granted in step 6 of the AGDLP setup.
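
A scripted version of the check described above. This is an added example, not part of the FortiProxy guide: it parses the text of diagnose test application wad 159 and reports, for each user, whether the trusting-forest entry (CONTOSO-AD) has sid-auth=1 and contains the domain local group that carries the permission. The embedded $diagOutput is the guide's example output, included so the check runs offline; in practice capture it from the FortiProxy CLI. The line format assumed by the regular expressions is the one shown in the output above.

```powershell
# Added example (not from the FortiProxy guide): verify cross-forest group resolution
# from the 'diagnose test application wad 159' user cache output.

# Constructed from the guide's example output; capture the real output over SSH.
$diagOutput = @'
FPXVULTM24000048 # dia test app wad 159
uname=john.doe,pwd=no,vd=root ldap=FABRIKAM-AD,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Wed Sep  4 15:31:58 2024
user id=1, refresh_time=Wed Sep  4 15:31:58 2024
user dn=CN=John Doe,CN=Users,DC=fabrikam,DC=com
sid:S-1-5-21-2445926238-1237732657-140748957-513 name=CN=Domain Users,CN=Users,DC=fabrikam,DC=com

uname=john.doe,pwd=no,vd=root ldap=CONTOSO-AD,ref_cnt=1,upd=0,wait=0 sid-auth=1,status=2 last_access=Wed Sep  4 15:31:58 2024
user id=2, refresh_time=Wed Sep  4 15:31:58 2024
sid:S-1-5-21-2262484555-2078175199-1088017096-12365 name=CN=CONTOSO_Sales_Resources_Access,CN=Users,DC=contoso,DC=local

uname=jane.smith,pwd=no,vd=root ldap=CONTOSO-AD,ref_cnt=1,upd=0,wait=0 sid-auth=1,status=2 last_access=Wed Sep  4 15:32:08 2024
user id=3, refresh_time=Wed Sep  4 15:32:08 2024
sid:S-1-5-21-2262484555-2078175199-1088017096-12365 name=CN=CONTOSO_Sales_Resources_Access,CN=Users,DC=contoso,DC=local
sid:S-1-5-21-2262484555-2078175199-1088017096-12380 name=CN=CONTOSO_IT_Admin,CN=Users,DC=contoso,DC=local

uname=jane.smith,pwd=no,vd=root ldap=FABRIKAM-AD,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Wed Sep  4 15:32:08 2024
user id=4, refresh_time=Wed Sep  4 15:32:08 2024
user dn=CN=Jane Smith,CN=Users,DC=fabrikam,DC=com
sid:S-1-5-21-2445926238-1237732657-140748957-513 name=CN=Domain Users,CN=Users,DC=fabrikam,DC=com
'@

# Turn the cache dump into one object per (user, LDAP server) entry, with the
# CN of every group SID listed under that entry.
function ConvertFrom-WadUserCache {
    param([string]$Text)
    $entries = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^uname=(?<user>[^,]+),.*ldap=(?<ldap>[^,]+),.*sid-auth=(?<sidauth>\d),status=(?<status>\d+)') {
            $current = [pscustomobject]@{
                User    = $Matches.user
                Ldap    = $Matches.ldap
                SidAuth = [int]$Matches.sidauth
                Status  = [int]$Matches.status
                Groups  = New-Object System.Collections.Generic.List[string]
            }
            $entries += $current
        }
        elseif ($current -and $line -match '^sid:(?<sid>S-1-5-[\d-]+) name=CN=(?<cn>[^,]+),') {
            $current.Groups.Add($Matches.cn)
        }
    }
    return $entries
}

# PASS when the user's entry from the resource-forest LDAP server has sid-auth=1
# and lists the domain local group that carries the permission.
function Test-CrossForestAccess {
    param(
        [object[]]$Entries,
        [string]$ResourceLdap  = 'CONTOSO-AD',
        [string]$RequiredGroup = 'CONTOSO_Sales_Resources_Access'
    )
    foreach ($user in ($Entries.User | Sort-Object -Unique)) {
        $res = $Entries |
            Where-Object { $_.User -eq $user -and $_.Ldap -eq $ResourceLdap } |
            Select-Object -First 1
        $hasGroup = [bool]($res -and $res.Groups -contains $RequiredGroup)
        $sidAuth  = $null
        if ($res) { $sidAuth = $res.SidAuth }
        $pass = $hasGroup -and ($sidAuth -eq 1)
        [pscustomobject]@{
            User     = $user
            HasEntry = [bool]$res
            SidAuth  = $sidAuth
            HasGroup = $hasGroup
            Result   = $(if ($pass) { 'PASS' } else { 'FAIL' })
        }
    }
}

Test-CrossForestAccess -Entries (ConvertFrom-WadUserCache -Text $diagOutput) | Format-Table -AutoSize
```

With the guide's output both users report PASS. A user who shows only a FABRIKAM-AD entry, or a CONTOSO-AD entry with sid-auth=0 or without the domain local group, fails the check, which is the symptom to expect when the trusted-forest LDAP server is missing, search-all-ldap-databases is disabled, or the global group was never nested into the domain local group.
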
