Prisma Access
Configure Kerberos Authentication for Explicit Proxy Deployments
Find out how to configure Kerberos authentication for Explicit Proxy on Prisma Access.

Configure Kerberos Authentication for Explicit Proxy Deployments (Strata Cloud Manager)

- Set up a Kerberos authentication profile. The profile defines how Explicit Proxy connects to the Kerberos server for mobile user authentication.
  - Go to Manage > Configuration > Identity Services > Authentication > Authentication Profiles and Add Profile. If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Identity Services > Authentication > Authentication Profiles and Add Profile.
  - Select the Authentication Method: Kerberos.
  - Enter the Profile Name to identify the server profile. The authentication profile specifies the server profile that the portal or gateways use when they authenticate users.
  - Enter the Kerberos Realm (up to 127 characters) to specify the hostname portion of the user login name. For example, the user account name user@EXMP.COM has the realm EXMP.COM.
  - Add the Users Allowed to Authenticate with this profile.
    - To select all users, Match all.
    - If you're using the Cloud Identity Engine to populate the list of users, select the users from a list, or select all to allow all users to authenticate.
    - To add local users that can log in using Kerberos, Add Local User, add the Name, and create a Password.
    - When configuring user authentication and user mapping, use the userPrincipalName (UPN) format; other formats (such as samAccountName) are not supported.
    - Unicode character usernames are not supported.
  - Save your changes.
- Associate the authentication profile with an authentication method.
  - Go to Manage > Service Setup > Explicit Proxy > User Authentication. If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Explicit Proxy > User Authentication.
  - Select the Connection Name.
  - Select an Authentication Method of Kerberos and select the Kerberos Profile you created.
  - Save your changes.
- (Optional) Add the egress IP addresses of the branch or campus location where your users, servers, IoT devices, or headless machines are located to the list of trusted Explicit Proxy addresses. You need to do this only if you want to Skip Authentication for specific IP addresses or Use X-Authenticated User (XAU) header on incoming HTTP/HTTPS requests for identity.
  - Go to Manage > Service Setup > Explicit Proxy > Advanced Security Settings. If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Explicit Proxy > Advanced Security Settings.
  - Add Address (one or more) to the Trusted Source Address field. If you do not add the egress endpoint IP addresses to the trusted list, Explicit Proxy forces users and machines to authenticate with SAML as well as Kerberos. Enter a maximum of 100,000 IP addresses.
  - Save your changes.
- Create an allow-all policy rule for user authentication.
  - Select Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy, then Add Rule > Pre Rules.
  - Name the rule.
  - Set all required match criteria to Any.
  - Set Users to Known.
  - Set Action to Allow.
  - Save the rule.
- Verify that Kerberos authentication is working with Prisma Access by viewing the traffic and authentication logs.
  - (Decrypted traffic only) Go to Activity > Log Viewer > Firewall/Traffic and check that Kerberos authentication is working. If you're using Strata Cloud Manager, go to Incidents & Alerts > Log Viewer > Firewall/Traffic. Decrypted traffic displays the user name in the traffic logs.
  - (Undecrypted traffic only) Go to Activity > Log Viewer > Firewall/Authentication and check that Kerberos authentication is working correctly. If you're using Strata Cloud Manager, go to Incidents & Alerts > Log Viewer > Firewall/Authentication. The following fields provide more information about the authentication event:
    - Object—The website the user was attempting to access before being redirected to Kerberos to authenticate.
    - Auth Event—The status of the authentication attempt. Authentication Success indicates that the authentication event was successful; Authentication Failure indicates that the attempt failed and generates a log.
    - Authentication Description—If the authentication attempt failed, additional information about the type of failure. For example, user not allowed indicates that the user or group is not allowed to use Kerberos to authenticate, possibly because it was not added to the Allow List in the authentication profile.
Configure Kerberos Authentication for Explicit Proxy Deployments (Panorama)

Find out how to configure Kerberos authentication for Explicit Proxy on Prisma Access.

- Set up a Kerberos authentication profile. The profile defines how Explicit Proxy connects to the Kerberos server for mobile user authentication.
  - Go to Device > Authentication Profile and select + Add.
  - Select the Type: Kerberos.
  - Enter a Name to identify the authentication profile.
  - Enter the Kerberos Realm (up to 127 characters) to specify the hostname portion of the user login name. For example, the user account name user@EXMP.COM has the realm EXMP.COM.
  - Import the Kerberos Keytab you created earlier.
  - Add users allowed to authenticate with this profile.
    - Select Advanced and + Add.
    - To select all users, select all.
    - If you're using the Cloud Identity Engine to populate the list of users, select the users from a list, or select all to allow all users to authenticate.
    - To add local users that can log in using Kerberos, type in their usernames.
    - When configuring user authentication and user mapping, use the userPrincipalName (UPN) format; other formats (such as samAccountName) are not supported.
    - Unicode character usernames are not supported.
  - Save your changes.
- Associate the authentication profile with an authentication method.
  - Go to Panorama > Cloud Services > Configuration and select + Configure.
  - Set the Explicit Proxy FQDN.
  - Select the Kerberos Profile you created.
  - Select OK to save your changes.
- (Optional) Add the egress IP addresses of the branch or campus location where your users, servers, IoT devices, or headless machines are located to the list of trusted Explicit Proxy addresses. You need to do this only if you want to Skip Authentication for specific IP addresses or Use X-Authenticated User (XAU) header on incoming HTTP/HTTPS requests for identity.
  - Go to Panorama > Cloud Services > Configuration, select the Settings gear, and select Authentication Settings.
  - Add addresses to the Trusted Source Address field. If you do not add the egress endpoint IP addresses to the trusted list, Explicit Proxy forces users and machines to authenticate with SAML as well as Kerberos. Enter a maximum of 100,000 IP addresses.
  - Select OK to save your changes.
- Create an allow-all policy rule for user authentication.
  - Select Policies > Pre Rules and + Add.
  - Name the rule.
  - Select Source.
  - Set Source User to known-user.
  - Set all other required values to Any.
  - Select OK to save the rule.
- Verify that Kerberos authentication is working with Prisma Access by viewing the traffic and authentication logs.
  - (Decrypted traffic only) Go to Monitor > Logs > Traffic and check that Kerberos authentication is working. Decrypted traffic displays the user name in the traffic logs.
  - (Undecrypted traffic only) Go to Monitor > Logs > Authentication and check that Kerberos authentication is working correctly. The following fields provide more information about the authentication event:
    - Object—The website the user was attempting to access before being redirected to Kerberos to authenticate.
    - Auth Event—The status of the authentication attempt. Authentication Success indicates that the authentication event was successful; Authentication Failure indicates that the attempt failed and generates a log.
    - Authentication Description—If the authentication attempt failed, additional information about the type of failure. For example, user not allowed indicates that the user or group is not allowed to use Kerberos to authenticate, possibly because it was not added to the Allow List in the authentication profile.
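The following Python script is an added example and is not part of the Prisma Access documentation or any Palo Alto Networks tooling. It serves two steps that appear in both the Strata Cloud Manager and Panorama procedures above: the user constraints of the Kerberos authentication profile (UPN format only, no Unicode usernames, realm of up to 127 characters) and the final verification step, where a user not allowed failure in the Authentication log usually means the user is missing from the profile's allow list. The realm EXMP.COM is the page's own example; the allow list, the user names and the log extract are constructed, and the CSV layout is only modelled on the log fields the page names (Object, Auth Event, Authentication Description), not on real Prisma Access log output.

```python
"""Checks for the Kerberos authentication profile and its verification step.

Added example, not part of the Prisma Access documentation: it encodes the
constraints the page states for profile users (UPN format, no Unicode, realm
of up to 127 characters) and triages constructed Authentication log entries
using the fields the page names (Object, Auth Event, Authentication Description).
"""
import csv
import io
from collections import Counter

# Realm taken from the page's own example (user@EXMP.COM -> realm EXMP.COM).
REALM = "EXMP.COM"

# Hypothetical allow list, standing in for the users added to the profile.
ALLOW_LIST = {"alice@EXMP.COM", "bob@EXMP.COM"}


def validate_realm(realm):
    """The page allows a realm of up to 127 characters; it must not be empty."""
    return 0 < len(realm) <= 127


def check_login_name(login, realm):
    """Return (ok, reason) for a login name against the page's stated rules.

    - it must be a UPN (user@REALM); samAccountName-style names are rejected
    - Unicode usernames are not supported, so the name must be ASCII
    - the realm portion must match the realm configured in the profile
      (compared exactly; the page gives the realm in uppercase)
    """
    if not login.isascii():
        return False, "unicode usernames are not supported"
    if "@" not in login:
        return False, "not a UPN (samAccountName-style names are not supported)"
    user, _, name_realm = login.rpartition("@")
    if not user or not name_realm:
        return False, "malformed UPN"
    if name_realm != realm:
        return False, f"realm {name_realm!r} does not match the profile realm {realm!r}"
    return True, "ok"


# Constructed log extract, modelled on the fields the page names for the
# Authentication log; this is not real Prisma Access log output.
SAMPLE_AUTH_LOG = """\
user,object,auth_event,auth_description
alice@EXMP.COM,https://intranet.example.com/,Authentication Success,
carol@EXMP.COM,https://www.example.com/,Authentication Failure,user not allowed
dave,https://www.example.com/,Authentication Failure,user not allowed
bob@EXMP.COM,https://mail.example.com/,Authentication Success,
jürgen@EXMP.COM,https://www.example.com/,Authentication Failure,user not allowed
"""


def triage_auth_log(log_text, allow_list, realm):
    """Explain each Authentication Failure in terms of the profile configuration.

    Returns a list of (user, object, auth_description, likely_cause). A failure
    whose user is well-formed and allow-listed is left for manual follow-up.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["auth_event"] != "Authentication Failure":
            continue
        user = row["user"]
        ok, reason = check_login_name(user, realm)
        if not ok:
            cause = reason
        elif user not in allow_list:
            cause = "not in the profile allow list"
        else:
            cause = "allow-listed and well-formed; see Authentication Description"
        findings.append((user, row["object"], row["auth_description"], cause))
    return findings


def summarize(findings):
    """Count failures per likely cause, to spot a systematic misconfiguration."""
    return Counter(cause for _, _, _, cause in findings)


if __name__ == "__main__":
    assert validate_realm(REALM)
    results = triage_auth_log(SAMPLE_AUTH_LOG, ALLOW_LIST, REALM)
    for user, obj, desc, cause in results:
        print(f"{user:<20} {obj:<32} {desc:<16} -> {cause}")
    print(summarize(results))
```

Run it before opening a support case on a batch of user not allowed failures: the three failures in the constructed extract come out as one user missing from the allow list, one samAccountName-style login (unsupported format) and one Unicode username (unsupported), which is exactly the split that decides whether the fix is the profile's allow list or the user mapping format.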