Administration Guide

Using Kerberos authentication delegation

You can configure FortiWeb to use the Kerberos protocol for authentication delegation. Kerberos authentication uses tickets that are encrypted and decrypted by secret keys and do not contain user passwords. FortiWeb uses Kerberos to give clients it has already authenticated access to web applications, not for the initial authentication.

Types of Kerberos authentication delegation

FortiWeb’s site publish feature supports two different types of Kerberos authentication delegation. The type you use depends on the client authentication method that you specify:

  • Regular Kerberos delegation—Users enter a user name and password in an HTML authentication form (the HTML Form Authentication or HTTP Basic Authentication site publish rule options). FortiWeb then obtains a Kerberos service ticket on behalf of the client to allow it to access the specified web application.
  • Kerberos constrained delegation—FortiWeb verifies a user’s SSL certificate using the certificate authority specified in a server policy or server pool member configuration (Client Certificate Authentication). FortiWeb then obtains a Kerberos service ticket on behalf of the client to allow it to access the specified web application.

    This authentication delegation configuration requires you to create an Active Directory user for FortiWeb that can act on behalf of the web application. For details, see To create an Active Directory (AD) user for FortiWeb.

If you enable Kerberos authentication for a service, you must specify a delegated HTTP Service Principal Name (SPN) in a site publish rule; if your configuration includes a service running on a server pool, you must create an SPN pool with multiple SPNs for each server that hosts the service. To specify an SPN or configure an SPN pool, see Configuring Service Principal Names for Kerberos authentication.

For details about the site publish rules settings related to Kerberos, see Offloaded authentication and optional SSO configuration.

Configuring Windows Authentication for Kerberos authentication delegation

For both types of Kerberos authentication delegation, ensure that Windows Authentication is enabled for the web application and that it uses one of the following provider configurations. You specify a provider using the Windows Authentication advanced settings:

  • Negotiate and NTLM (the default values; Negotiate includes Kerberos)
  • Negotiate: Kerberos (remove Negotiate and NTLM)
To configure Windows Authentication providers in IIS Manager

When the web application is Microsoft Exchange Outlook Web App (OWA), ensure that Integrated Windows authentication is also enabled.

To access the Integrated Windows authentication setting:

  1. From the Exchange Management Console, in the virtual directory you want to configure, under Server Configuration, select Client Access.
  2. Select the server that hosts the OWA virtual directory, and then click the Outlook Web App tab.
  3. In the work pane, select the virtual directory that you want to configure, and then click Properties.
To configure Integrated Windows authentication for OWA

Configuring Service Principal Names for Kerberos authentication

When you select Kerberos authentication for the authentication delegation in a site publish rule, you must specify a delegated HTTP Service Principal Name (SPN) for each instance of a service that uses Kerberos authentication. If a service runs on more than one server, create an SPN pool for each service instance.

SPN format

<service_type>/<instance_name>:<port_number>/<service_name>

In a FortiWeb site publish configuration, a valid SPN requires the suffix @<domain> (e.g., @DC1.COM).

For example, for an Exchange server that belongs to the domain dc1.com and has the hostname USER-U3LOJFPLH1, the SPN is http/USER-U3LOJFPLH1.dc1.com@DC1.COM.

To configure an SPN for a single server using Kerberos authentication
  1. Go to Application Delivery > Site Publish > Site Publish and select the Site Publish Rule tab.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  2. To configure Kerberos authentication and specify an SPN for an existing site publish rule, select the rule and click Edit. To create a new site publish rule with Kerberos authentication, click Create New.
  3. If the Client Authentication Method is HTML Form Authentication or HTTP Basic Authentication, select Kerberos for Authentication Delegation. If the Client Authentication Method is Client Certificate Authentication, select Kerberos Constrained Delegation for Authentication Delegation. For details, see Offloaded authentication and optional SSO configuration.
  4. For the Delegation Mode, select Single Server.
  5. For the Delegated HTTP Service Principal Name, enter an SPN for the service using Kerberos authentication.
  6. When you are finished configuring the site publish rule, click OK.
To configure an SPN pool for a server pool using Kerberos authentication
  1. Go to Application Delivery > Site Publish > Service Principal Name Pool.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  2. Click Create New. To add SPNs to an existing SPN pool, select the pool and click Edit.
  3. Enter a name for the pool. You will use this name to select the pool in other parts of the configuration. The maximum length is 63 characters.
  4. Click OK.
  5. To add an SPN to the pool, click Create New.
  6. For IP/Domain, enter the IP or domain of a server that hosts the service.
  7. For Service Principal Name, enter the SPN of a server that hosts the service. For details, see SPN format.
  8. Click OK.
  9. Go to Application Delivery > Site Publish > Site Publish and select the Site Publish Rule tab.
  10. To create a new site publish rule with Kerberos authentication, click Create New. To configure Kerberos authentication and specify an SPN pool for an existing site publish rule, select the rule and click Edit.
  11. If the Client Authentication Method is HTML Form Authentication or HTTP Basic Authentication, select Kerberos for Authentication Delegation. If the Client Authentication Method is Client Certificate Authentication, select Kerberos Constrained Delegation for Authentication Delegation. For details, see Offloaded authentication and optional SSO configuration.
  12. For the Delegation Mode, select Server Pool.
  13. For the Service Principal Name Pool, select a configured SPN pool.
  14. When you are finished configuring the site publish rule, click OK.
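
The SPN format and SPN pool steps above can be checked before the values are typed into the web UI. The following Python is an added example, not Fortinet code: the function names, the sample pool, the optional treatment of port and service name, the upper-case realm warning and the host-under-realm check are assumptions made for illustration.

```python
import re

# <service_type>/<instance_name>:<port_number>/<service_name>@<domain>
# Port and service name are optional here (assumption from the page's example).
SPN_RE = re.compile(
    r"^(?P<stype>[A-Za-z][\w-]*)/(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)"
    r"(?::(?P<port>\d+))?(?:/(?P<sname>[^/@\s]+))?(?:@(?P<realm>[A-Za-z0-9.-]+))?$"
)

def check_spn(spn):
    """Return a list of problems with one SPN string; empty means it passed."""
    m = SPN_RE.match(spn)
    if not m:
        return ["not in <service_type>/<instance_name>[:<port>][/<service_name>]@<domain> form"]
    problems = []
    realm, host, port = m["realm"], m["host"].lower(), m["port"]
    if port and not 1 <= int(port) <= 65535:
        problems.append("port out of range")
    if realm is None:
        problems.append("missing @<domain> suffix required by FortiWeb")
    else:
        if realm != realm.upper():
            problems.append("realm not upper case (AD realm names are upper case by convention)")
        # Heuristic (assumption): the host is an FQDN inside the realm's domain.
        if not host.endswith("." + realm.lower()):
            problems.append("host is not an FQDN under the realm's domain")
    return problems

def check_pool(name, entries):
    """entries: (ip_or_domain, spn) pairs as entered in an SPN pool."""
    report = {}
    if len(name) > 63:  # maximum pool name length stated in the procedure
        report["<pool name>"] = ["name longer than 63 characters"]
    seen = set()
    for _server, spn in entries:
        problems = check_spn(spn)
        if spn.lower() in seen:
            problems.append("duplicate SPN in pool")
        seen.add(spn.lower())
        if problems:
            report[spn] = problems
    return report

# Constructed sample pool; only the first SPN comes from the page.
SAMPLE_POOL = [
    ("USER-U3LOJFPLH1.dc1.com", "http/USER-U3LOJFPLH1.dc1.com@DC1.COM"),
    ("10.0.0.12", "http/web2.dc1.com"),
    ("web3.dc1.com", "http/web3.dc1.com:8443@dc1.com"),
]
```

`check_pool("owa-pool", SAMPLE_POOL)` reports the second entry for its missing realm suffix and the third for its lower-case realm; the page's own example SPN passes.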