Prisma Access
Requirements and Recommendations for Deploying Kerberos for Explicit Proxy Deployments
Table of Contents
Requirements and Recommendations for Deploying Kerberos for Explicit Proxy
Deployments
Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
Before you create a Kerberos keytab to implement Kerberos in an
Explicit Proxy deployment, make sure that your Kerberos deployment has the following
requirements and prerequisites:
- Update your dataplane to PAN-OS 10.1.3 or later versions.
- Make sure that you have a Kerberos account that you can use forPrisma Accessto authenticate servers or devices.An account is required to create a Kerberos keytab, which is a file that contains the principal name and encrypted Kerberos password.
- Make sure that the servers and endpoints are domain-joined, which allows users and machines to securely connect to their work domain using their work network credentials.
- Make sure that you forward Kerberos authentication traffic to port 8081 in the mobile users’ PAC file or in your proxy settings on the endpoint or servers.Explicit Proxy uses port 8081 for Kerberos authentication and port 8080 for SAML authentication.
- Make sure that your Kerberos administrator has the ability to create and export keytabs.
- Make sure that you have the egress IP addresses of the branch or campus location where your servers, IoT devices, or headless machines are located.You add these IP addresses to the list of addresses that are trusted by Explicit Proxy.
- Follow best practices for Kerberos user authentication and creation.It is the Kerberos account administrator’s responsibility to follow best practices to protect their Kerberos environment and prevent passwords from being compromised. Use the following best practices when creating the user accounts, password, and ServicePrincipalNames (SPNs).Kerberos User Account Creation Best Practices:
- Do not reuse admin user accounts.Create a unique account name for the Kerberos account to be used withPrisma AccessExplicit Proxy.
- Do not share this account with any other service; use a dedicated user account forPrisma AccessExplicit Proxy.
- Ensure that the user cannot change the password for the Kerberos account.
- When selecting Kerberos account options, deselectUse Kerberos DES encryption types for this accountandDo not require Kerberos preauthentication.
- Enable AES-128 and AES-256 bit encryption.
- Disable delegation for users.
- Deny the ability to log in to a remote desktop session.
- Do not enable remote control.
- Do not allow users to start programs at logon.
- You can specify users or user groups in the allow list of the Authentication profile you create to limit authentication to only the users or machines that have legitimate business needs.
SPN and Keytab Best Practices:- Make sure that the SPN is not associated with multiple user accounts, which could cause duplicate SPN failures.
- RC4-HMAC-NT uses a weak NTML hash. Follow your organization’s security policies and guidelines to include or exclude the RC5 cipher.
- The DES-CBC-CRC and DES-CBC-MD5 ciphers have been deprecated and are not supported byPrisma Access.
- Rotate the password for the SPN on a regular basis. Follow your organization’s security policies and guidelines for password rotation.
- Follow your organization’s practices for password complexity (for example, create the SPN passwords in a truly random fashion that are not human readable and guessable).
- If you change the password for the service user, or change any other attributes, update and re-generate the new keytab and upload it toPrisma Access.
- If you onboard a new PA region, you must generate a new keytab for that region, as shown in the following steps.
The following example output shows an account that was created using Kerberos best practices.PS C:\Users\Administrator>Get-ADUser example -Properties "*"AccountNotDelegated : True AllowReversiblePasswordEncryption : False CannotChangePassword : True CN : example Deleted : DoesNotRequirePreAuth : False Enabled : True GivenName : PrismaAccess EP Service User KerberosEncryptionType : {AES128, AES256} msDS-SupportedEncryptionTypes : 24 Name : example PasswordExpired : False PasswordNeverExpires : True PasswordNotRequired : False PrincipalsAllowedToDelegateToAccount : {} ProtectedFromAccidentalDeletion : True SamAccountName : example servicePrincipalName : {HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM} ServicePrincipalNames : {HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM} SmartcardLogonRequired : False TrustedForDelegation : False TrustedToAuthForDelegation : False UseDESKeyOnly : False UserPrincipalName : HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM