Configure FortiWeb to work with Kerberos Delegation

You can use FortiWeb’s site publishing feature to integrate its HTTP authentication capabilities with web services that use Kerberos Delegation authentication. The Kerberos authentication protocol uses “tickets” to control access to web services such as Exchange Outlook Web Application (OWA) and SharePoint. 

This recipe describes both how to configure an IIS web server, Exchange OWA, and SharePoint to support Kerberos authentication and how to configure FortiWeb to control access to these web services.

This recipe assumes that the configuration of your Windows domain elements is complete, including DNS, IIS, Exchange server, SharePoint, and so on.

To ensure Kerberos delegation works properly, do the following:

  • Ensure that the clocks of all the related servers (DC, FortiWeb, and so on) are synchronized.
  • For FortiWeb versions earlier than 5.4.1, ensure that the DNS is valid and reachable.

Configuring web services to use Kerberos authentication

IIS web site

In IIS Manager, access the authentication settings for the appropriate web site and enable Windows Authentication.

By default, both Kerberos and NTLM are enabled.

To customize the authentication, under Actions, click Providers.

In the illustration, the web site is configured to use Kerberos authentication only.

Exchange OWA

In the Exchange Management Console, in the console tree, under Server Configuration, select Client Access.

In the Client Access results pane, choose the server name (in this example, USER-LHLGG566P0).

In the work pane for the server, on the Outlook Web App tab, double-click owa (Default Web Site).

On the Authentication tab, select Use one or more standard authentication methods, and then select Integrated Windows authentication.

Alternatively, use IIS Manager to configure customized authentication:

In IIS Manager, in the Connections tree, under Default Web site, select owa.

Then, under Actions, click Providers.

For example, in the illustration, the web site is configured to use Negotiate and NTLM.



Use one of the following methods to obtain the application pool identity of SharePoint server (a domain account that was created when you installed SharePoint):

  • In IIS Manager, in the Connections tree, click Application Pools. The domain and application pool identity for each list entry are displayed in the Identity column.

    For example, in the illustration, the application pool identity for the server with the name SharePoint – 80 and the domain FWBDEV ( is SPFarmAdmin.

  • In SharePoint Central Administration, click Security. Then, under General Security, click Configure managed accounts.

Create Service Principal Names (SPNs) for the application pool identity:

On your domain controller (DC), use Windows PowerShell to execute the following commands:

$setspn -S http/<hostname>           fwbdev\SPFarmAdmin

$setspn -S http/<hostname> fwbdev\SPFarmAdmin 

where <hostname> is the server where SharePoint is located.

Use the following command to confirm the SPNs:

$setspn -l fwbdev\SPFarmAdmin

The illustration shows an example result.


On your domain controller (DC), enable the HTTP delegation feature for the SharePoint server:

In the Active Directory Users and Computers console tree, under the appropriate domain, click Computers.

Open the properties for the SharePoint item (SP2013 in the illustration).

Use the Delegation tab to select the http service.


On SharePoint, select Kerberos as the Windows authentication method:

In SharePoint Central Administration, under Applications Management, click Manage web applications.

Select the SharePoint item (in this example, SharePoint – 80). On the Authentication tab, click Default, and then select Negotiate (Kerberos) (see illustration).

Do one of the following to enable application pool credentials for SharePoint: 
  • In the IIS Manager, in Advanced Settings for the SharePoint server (in this example, SharePoint – 80), for Extended Protection, select Off, and clear the Enable Kernel-mode authentication option.

  • In PowerShell, enter the following commands:

    $cd C:\Windows\System32\inetsrv

    $.\appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true

For better performance, set the <windowsAuthentication> element instead of disabling Kernel-mode authentication.

To confirm that the value for useAppPoolCredentials is true, open the file C:\Windows\System32\inetsrv\config\applicationHost.config.

FortiWeb configuration

FortiWeb site publishing provides the following two options for accessing a Kerberos-enabled web service:

  • Regular Kerberos delegation — For site publishing configurations that use HTML Form Authentication or HTTP Basic Authentication.
  • Kerberos constrained delegation — For site publishing configurations that use Client Certificate Authentication.

When you specify a realm, ensure you enter the value using all capital letters (for example, FWBDEV.COM).

For Kerberos delegation, Fortinet recommends the login format <realm>/<username>. For single domain environments, you can use the Default Domain Prefix Support option to automatically add the realm (domain) value for users (see the example for Kerberos constrained delegation).

1. Configure the Kerberos Key Distribution Center (KDC)

Go to User > Remote Server > KDC Server.

Specify the Delegated Realm value using capital letters only (in this example, FWBDEV.COM).


2. Configure site publishing


To configure the site publishing settings, go to Application Delivery > Site Publish > Site Publish Rule.

Continue with the instructions for type of Kerberos delegation you want to implement: regular or constrained.

Configure regular Kerberos delegation

For Authentication Delegation, select Kerberos, and then specify the Delegated HTTP Service Principal Name value.

In this example, the service is Exchange OWA with the service principal name (SPN) http/ The SPN has three parts:

  • Protocol – http
  • Exchange server hostname – USER-LHLGG566P0

    This value is case-insensitive. You can also use the full name (for example,

  • Realm – FWBDEV.COM

    Specify this value using capital letters only.

Configure Kerberos constrained delegation

Create an Active Directory (AD) user that FortiWeb can use for authentication delegation and a keytab file that corresponds to the AD user.

Ensure that the account and its password never expire.

To create the SPN for the account, use the following SetSPN utility command:

$setspn -S

The “Users” section in the FortiWeb Administration Guide provides detailed instruction for creating this domain account. 

To upload the keytab file you created using the FortiWeb AD user, go to Application Delivery > Site Publish > Keytab File

In this example, the service is SharePoint.

For the site publish rule, for Client Authentication Method, select Client Certificate Authentication.

Ensure any server policy that uses this site publish rule is configured for client certificate authentication.

For information on the Delegated HTTP Service Principal Name value, see the instructions for configuring regular Kerberos delegation.

For Service Principal Name for Keytab File, enter the SPN of the AD account that you created for FortiWeb.

For Keytab File, select the keytab file you uploaded earlier.

Username Location in Certificate allows you to specify a field in the certificate that contains the username to use (in this example, Subject or Subject Alternative Name (SAN). This example uses the user principal name (UPN or RFC822 name) in the certificate subject alternative name (SAN), which is the most exact.

When you use Kerberos Delegation, Fortinet recommends that you require users to log in using both a domain and username.

Default Domain Prefix Support and Default Domain Prefix allow you to automatically add the domain value so that users log in with just a username.



For further reading, check out the “Users” section in the FortiWeb Administration Guide.