FortiAuthenticator FSSO Authentication User Guide

This document discusses configuring Kerberos authentication between a FortiGate firewall and a FortiAuthenticator appliance. It provides instructions on setting up the Kerberos realm and required accounts, generating a keytab file, adding service principal names, and testing authentication. Screenshots show the debugging of an authentication and groups retrieved via FSSO. The document also contains information on configuring FortiClient VPN settings to support this SSO solution.

Uploaded by wallace9867

[Figure: lab topology showing the FortiGate, Router, LABWINXP, LABWIN7, WIN2008SVR and FortiAuthenticator with their IP addresses]

RADIUS Proxy User Guide

FortiAuthenticator REST API


Solution

FW60CA3911000454 # diag debug authd fsso list
----FSSO logons----
IP: [Link] User: CWINDSOR Groups: CN=CARL WINDSOR,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=ADMINISTRATORS,CN=BUILTIN,DC=CORP,DC=EXAMPLE,DC=COM+CN=DENIED RODC PASSWORD REPLICATION GROUP,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=DOMAIN ADMINS,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=STAFF,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=FW_ADMIN,DC=CORP,DC=EXAMPLE,DC=COM+CN=SSL_USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=DOMAIN USERS,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM Workstation: [Link]
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
FW60CA3911000454 #
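As an added example (not part of the Fortinet guide), the following Python parses the `diag debug authd fsso list` output shown above into structured records and flags logons whose FSSO group list carries a privileged AD group, which is where a group-based firewall policy grants the widest access. The sample output, IP addresses, workstation names and the second user are constructed; the DN format mirrors the page.

```python
import re

# Constructed sample in the format printed by "diag debug authd fsso list".
# IPs and workstation names are placeholders; the DN layout follows the page.
SAMPLE = """----FSSO logons----
IP: 10.0.0.50 User: CWINDSOR Groups: CN=CARL WINDSOR,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=ADMINISTRATORS,CN=BUILTIN,DC=CORP,DC=EXAMPLE,DC=COM+CN=DOMAIN ADMINS,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=FW_ADMIN,DC=CORP,DC=EXAMPLE,DC=COM+CN=DOMAIN USERS,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM Workstation: LABWIN7
IP: 10.0.0.51 User: ATANO Groups: CN=STAFF,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM+CN=DOMAIN USERS,CN=USERS,DC=CORP,DC=EXAMPLE,DC=COM Workstation: LABWINXP
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----"""

# search() rather than match(): in extracted text the "----FSSO logons---" header
# is sometimes fused onto the first "IP:" line, and this still finds the record.
LOGON_RE = re.compile(r"IP: (\S+) User: (\S+) Groups: (.*) Workstation: (\S+)$")

def parse_fsso_logons(text):
    """Return one dict per logon line.

    The Groups field is a '+'-joined list of DNs. Each DN contains commas,
    so split on '+' only, then take the leading RDN (CN=...) as the group name.
    """
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.search(line.strip())
        if not m:
            continue
        ip, user, groups, workstation = m.groups()
        dns = groups.split("+")
        names = [dn.split(",", 1)[0].split("=", 1)[1] for dn in dns]
        logons.append({"ip": ip, "user": user, "workstation": workstation,
                       "group_dns": dns, "groups": names})
    return logons

# Group names (compared case-insensitively) that warrant a review of the session.
PRIVILEGED = {"DOMAIN ADMINS", "ADMINISTRATORS", "ENTERPRISE ADMINS"}

def privileged_logons(logons):
    """Logons whose FSSO group list includes one of the PRIVILEGED groups."""
    return [l for l in logons if PRIVILEGED & {g.upper() for g in l["groups"]}]

if __name__ == "__main__":
    for entry in privileged_logons(parse_fsso_logons(SAMPLE)):
        print(entry["user"], entry["ip"], entry["workstation"], entry["groups"])
```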

Kerberos realm name: [Link]
Domain NetBIOS name: CORP
FortiAuthenticator NetBIOS name: FAC31
Administrator username: DomainAdmin
Administrator password: <password>


Name: fac31
IP address: [Link]

> nslookup [Link]
Server: [Link]
Address 1: [Link]
Name: [Link]
Address 1: [Link]

REM Keytab output path, service account UPN and the HTTP SPN of the FortiAuthenticator
set OUTFILE=c:\[Link]
REM Note: this shadows the shell's own USERNAME variable for the rest of the session
set USERNAME=KrbSvcUser@[Link]
set PRINC=HTTP/[Link]@[Link]
REM "all" makes ktpass write keys for every encryption type it supports
set CRYPTO=all
set PASSWD=pa$$w0rd
set PTYPE=KRB5_NT_PRINCIPAL
REM Map the SPN to the service account and write the keytab in one step
ktpass -out %OUTFILE% -pass %PASSWD% -mapuser %USERNAME% -princ %PRINC% -crypto %CRYPTO% -ptype %PTYPE%

KrbSvcUser@[Link]

ldifde -f check_SPN.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=HTTP*)" -p subtree

dn: CN=KrbSvcUser,CN=Users,DC=corp,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/[Link]
servicePrincipalName: HTTP/[Link]

setspn -D HTTP/[Link] KrbSvcUser

config user group
    edit "Dummy_Group"
    next
end

<html>
<body>
<script type="text/javascript">
var URI_string = [Link];
setTimeout(function() {
    [Link]=[Link] %%PROTURI%%;
}, 1000);
</script>
<h2>Redirecting.....</h2>
</body>
</html>


[Link]

[Link]

<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <fssoma>
    <enabled>1</enabled>
    <serveraddress>[Link]:8001</serveraddress>
    <presharedkey>fortinet1234</presharedkey>
  </fssoma>
</forticlient_configuration>

<iframe src="[Link]" width="250" height="30" frameborder="0" scrolling="no" style="padding:5px;"></iframe>

RADIUS attribute mapping:

User-name = <Username>
Fortinet-Client-IP = <Client IP>
Fortinet-Group-Name = <Group Membership> (Optional)

Example values:

Username = [Link]
IP = [Link]
Group = FW_Admins (Optional)

# Logon event (event 0) with the user's IP and group membership
curl -k -v -u "admin:zeyDZXmP6GbKcerqdWWEYNTnH2TaOCz5HTp2dAVS" -d '{"event":"0","username":"cwindsor","user_ip":"[Link]","user_groups":"FW_Admins"}' -H "Content-Type: application/json" [Link]

# Logoff event (event 1) for the same user and IP
curl -k -v -u "admin:zeyDZXmP6GbKcerqdWWEYNTnH2TaOCz5HTp2dAVS" -d '{"event":"1","username":"cwindsor","user_ip":"[Link]"}' -H "Content-Type: application/json" [Link]

netsh firewall set service RemoteAdmin enable

C:\WINDOWS>wmic
wmic:root\cli>/user: CORP\DomainAdmin
Enter the password :********
wmic:root\cli>/node: [Link]
wmic:root\cli>computersystem get username /value
UserName=CORP\atano
wmic:root\cli>

Read

Read Member Of

Event Log Readers

Remote Management Users

Domain Admin
Domain Admin
Domain User
Domain Admin
Domain Admin
Domain User
