Scribd
Upload
445 views

FortiAuthenticator FSSO Authentication User Guide

This document discusses configuring Kerberos authentication between a FortiGate firewall and a FortiAuthenticator appliance. It provides instructions on setting up the Kerberos realm and required accounts, generating a keytab file, adding service principal names, and testing authentication. Screenshots show the debugging of an authentication and groups retrieved via FSSO. The document also contains information on configuring FortiClient VPN settings to support this SSO solution.

Uploaded by

wallace9867
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
445 views

FortiAuthenticator FSSO Authentication User Guide

This document discusses configuring Kerberos authentication between a FortiGate firewall and a FortiAuthenticator appliance. It provides instructions on setting up the Kerberos realm and required accounts, generating a keytab file, adding service principal names, and testing authentication. Screenshots show the debugging of an authentication and groups retrieved via FSSO. The document also contains information on configuring FortiClient VPN settings to support this SSO solution.

Uploaded by

wallace9867
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 53

FortiGate

(192.168.0.254)

Router
(192.168.1.254)
LABWINXP
(192.168.1.100)
LABWIN7
(192.168.1.101)
WIN2008SVR
(192.168.1.2)
FortiAuthenticator
(192.168.1.3)

RADIUS Proxy User Guide

FortiAuthenticator REST API


Solution

FW60CA3911000454 # diag debug authd fsso list


----FSSO logons---IP: 192.168.0.152 User: CWINDSOR Groups: CN=CARL
WINDSOR,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=ADMINISTRATORS,CN=BUILTIN,DC=CORP,D
C=EXAMPLE,DC=COM+CN=DENIED RODC PASSWORD REPLICATION
GROUP,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=DOMAIN
ADMINS,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=STAFF,CN=USERS,DC=CORP,DC=EXAMPLE,DC
=COM+CN=FW_ADMIN,DC=CORP,DC=EXAMPLE,DC=COM+CN=SSL_USERS,DC=CORP,DC=EXAMPLE,DC=COM
+CN=DOMAIN USERS,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM Workstation: 192.168.0.152
Total number of logons listed: 1, filtered: 0
----end of FSSO logons---FW60CA3911000454 #

Kerberos realm name:

CORP.EXAMPLE.COM

Domain NetBIOS name:

CORP

FortiAuthenticator NetBIOS name:

FAC31

Administrator username:

DomainAdmin

Administrator password:

<password>


Name:

fac31

IP address:

192.168.0.122

> nslookup fac31.corp.example.com


Server:
192.168.1.2
Address 1: 192.168.1.2
Name:
fac31.corp.example.com
Address 1: 192.168.0.122

set OUTFILE=c:\fac31.keytab
set [email protected]
set PRINC=HTTP/[email protected]
set CRYPTO=all
set PASSWD=pa$$w0rd
set PTYPE=KRB5_NT_PRINCIPAL
ktpass -out %OUTFILE% -pass %PASSWD% -mapuser %USERNAME% -princ
%PRINC% -crypto %CRYPTO% -ptype %PTYPE%

[email protected]

ldifde -f check_SPN.txt -t 3268 -d "" -l servicePrincipalName -r


"(servicePrincipalName=HTTP*)" -p subtree

dn: CN= KrbSvcUser,CN=Users,DC=corp,DC=example,DC=com


changetype: add
servicePrincipalName: HTTP/fac31.corp.example.com
servicePrincipalName: HTTP/fac30.corp.example.com

setspn D HTTP/ HTTP/fac30.corp.example.com KrbSvcUser

config user group


edit "Dummy_Group"
next
end

<html>
<body>
<script type="text/javascript">
var URI_string = document.location;
setTimeout(function() {

document.location.href=http://fac31.corp.example.com/login/kerbauth?user_continue_url= %%PROTURI%%;
}
, 1000);
</script>
<h2>
Redirecting.....
</h2>
</body>
</html>


fac31.corp.example.com

http://<FAC_URL>/login/kerbauth?user_continue_url=https%3A%2F%2Fptop.only.wip.la%3A443%2Fhttp%2Fwww.google.com%2F

<?xml version="1.0" encoding="UTF-8" ?>


<forticlient_configuration>
<fssoma>
<enabled>1</enabled>
<serveraddress>192.168.1.123:8001</serveraddress>
<presharedkey>fortinet1234</presharedkey>
</fssoma>
</forticlient_configuration>

<iframe src="https://192.168.0.123/modules/login/" width="250"


height="30" frameborder="0" scrolling="no"
style="padding:5px;"></iframe>

User-name
Fortinet-Client-IP
Fortinet-Group-Name

= <Username>
= <Client IP>
= <Group Membership>

(Optional)

Username
IP
Group

= john.doe
= 10.1.73.175
= FW_Admins

(Optional)

curl -k -v -u "admin:zeyDZXmP6GbKcerqdWWEYNTnH2TaOCz5HTp2dAVS" -d
'{"event":"0","username":"cwindsor","user_ip":"10.1.73.175",user_
groups:FW_Admins}' -H "Content-Type: application/json"
https://192.168.0.122/api/v1/ssoauth/

curl -k -v -u "admin:zeyDZXmP6GbKcerqdWWEYNTnH2TaOCz5HTp2dAVS" -d
'{"event":"1","username":"cwindsor","user_ip":"10.1.73.175"}' -H
"Content-Type: application/json"
https://192.168.0.122/api/v1/ssoauth/

netsh firewall set service RemoteAdmin enable

C:\WINDOWS>wmic
wmic:root\cli>/user: CORP\DomainAdmin
Enter the password :********
wmic:root\cli>/node: 192.168.1.150
wmic:root\cli>computersystem get username /value
UserName=CORP\atano
wmic:root\cli>

Read

Read Member Of

Event Log Readers

Remote Management Users

Domain Admin
Domain Admin
Domain User
Domain Admin
Domain Admin
Domain User

You might also like