End-of-Life (EoL)
Kerberos Authentication Support for macOS
The GlobalProtect app for macOS endpoints (10.10 and
later releases) now supports Kerberos V5 SSO.
Software Support
: Starting with GlobalProtect™
App 4.1 and with PAN-OS® 8.0 and later releasesOS Support
:
macOS 10.10 and later releasesThe GlobalProtect™ app for
Mac endpoints now supports Kerberos V5 single sign-on (SSO) for GlobalProtect
portal and gateway authentication. Kerberos SSO maintains a seamless
logon experience by providing accurate User-ID™ information without
user interaction. Networks that support Kerberos SSO require end
users to log in only during initial network access. After the initial
login, end users can access any Kerberos-enabled service in the
network (such as webmail) without having to log in again until the
SSO session expires (the SSO session duration is established by
the Kerberos administrator). This authentication method helps identify
users for user and HIP policy enforcement.
If you enable both
Kerberos SSO and an external authentication service (such
as RADIUS), GlobalProtect attempts SSO first. You can configure
GlobalProtect to fall back to an external authentication service
when SSO fails or you can configure GlobalProtect to use only Kerberos
SSO for authentication.
In this implementation, the GlobalProtect
portal and gateway act as Kerberos service principals and the GlobalProtect
app acts as a user principal that authenticates end users with a
Kerberos service ticket from the Key Distribution Center (KDC).
The
following items must be in place for the GlobalProtect app for macOS
endpoints to support Kerberos SSO:
- A Kerberos infrastructure, which includes a KDC with an authentication server (AS) and a ticket-granting service (TGS).GlobalProtect supports the following KDCs:
- Microsoft Active Directory on Windows Server 2008 R2
- Microsoft Active Directory on Windows Server 2012
- MIT Kerberos V5
The KDC must be reachable from the endpoint on which the Globalprotect app is running. In most instances, the KDC is reachable only from inside the enterprise network, which means the GlobalProtect app can use Kerberos authentication only when the endpoint is internal. However, if the KDC is reachable from outside the enterprise network (from the Internet), the GlobalProtect app can use Kerberos authentication when the endpoint is external.If the user certificate store contains at least one certificate that is issued by the same CA as the certificate used for pre-logon tunnel establishment, you can also use Kerberos authentication with pre-logon to enable the GlobalProtect app to use Kerberos authentication when the endpoint is external.When an end user attempts to access protected network resources using Kerberos authentication, the AS grants the user a Ticket to Get Tickets (TGT), which is a service request used to generate service tickets from the TGS. The service ticket is then used to authenticate the end user and establish a service session. - A Kerberos service account for each GlobalProtect portal and gateway.Service accounts are required for creating Kerberos keytabs, which are files that contain the principal name and password of each GlobalProtect portal or gateway.
- PAN-OS 8.0 or a later release.
- macOS version 10.10 or a later release.
- Create a Kerberos keytab file.
- Log in to the KDC using your Kerberos service account credentials.
- Open a command prompt and then enter the following command:ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytabThe<principal_name>and<password>are the principal name and password of the GlobalProtect portal or gateway. The<algorithm>must match the algorithm in the service ticket issued by the TGS, which is determined by the Kerberos administrator. If the GlobalProtect portal or gateway is running in FIPS or CC mode, the algorithm must beaes128-cts-hmac-sha1-96oraes256-cts-hmac-sha1-96. If the portal or gateway is not running in FIPS or CC mode, you can also usedes3-cbc-sha1orarcfour-hmac.
- Create a server profile for Kerberos authentication.
- Import the Kerberos keytab file to an authentication profile.
- Select.DeviceAuthentication Profile
- Select an existing authentication profile orAdda new one.
- In theSingle Sign-Onarea, enter theKerberos Realm(up to 127 characters), which is the domain to which the end user belongs. For example, a user with the account name user@EXAMPLE.LOCAL belongs to the EXAMPLE.LOCAL realm.
- ImportaKerberos Keytabfile to the authentication profile.When the Import Keytab dialog opens,Browseto and select the keytab file, and then clickOK.
- ClickOKto save your changes.
- Assign the authentication profile to an internal gateway. If the Kerberos authentication infrastructure is deployed in an external gateway, such as a DMZ, you can also assign the authentication profile to an external gateway.
- Selectto modify an existing gateway orNetworkGlobalProtectGatewaysAdda new one.
- Select an existingSSL/TLS Service Profilefor securing the gateway, orAdda new service profile ().NetworkGlobalProtectGateways<gateway-config>Authentication
- AddaClient Authenticationconfiguration (), and then configure the following settings:NetworkGlobalProtectGateways<gateway-config>Authentication
- Name—Name of the client authentication configuration.
- OS—Operating systems on which the gateway can be accessed.
- Authentication Profile—Authentication profile to which your Kerberos keytab file was imported.
- (Optional)Username Label—Custom username label for GlobalProtect gateway login.
- (Optional)Password Label—Custom password label for GlobalProtect gateway login.
- (Optional)Authentication Message—Message that is displayed when end users authenticate to the gateway.
- ClickOKto save your changes.
- Assign the authentication profile to the GlobalProtect portal.
- Select.NetworkGlobalProtectPortals
- Select an existing portal orAdda new one.
- Select an existingSSL/TLS Service Profilefor securing the portal, orAdda new service profile ().NetworkGlobalProtectPortals<portal-config>Authentication
- AddaClient Authenticationconfiguration (), and then configure the following settings:NetworkGlobalProtectPortals<portal-config>Authentication
- Name—Name of the client authentication configuration.
- OS—Operating systems on which the portal can be accessed.
- Authentication Profile—Authentication profile to which your Kerberos keytab file is imported.
- (Optional)Username Label—Custom username label for GlobalProtect portal login.
- (Optional)Password Label—Custom password label for GlobalProtect portal login.
- (Optional)Authentication Message—Message that is displayed when end users log in to the portal.
- ClickOKto save your changes.
- Configure the GlobalProtect app behavior for Kerberos authentication failure.
- Select.NetworkGlobalProtectPortals
- Select a portal configuration.
- Select the agent configuration that you want to modify, orAdda new one ().NetworkGlobalProtectPortals<portal-config>Agent
- In theApp Configurationsarea (), select one of the following options forNetworkGlobalProtectPortals<portal-config>Agent<agent-config>AppUse Default Authentication on Kerberos Authentication Failure:
- Yes—Enables authentication to fall back so that when Kerberos authentication fails, GlobalProtect authenticates users through the default authentication method.
- No—GlobalProtect can use only Kerberos to authenticate users.
- ClickOKto save your changes.
- ClickOKto complete your configuration.
- Committhe configuration.
Recommended For You
Recommended Videos
Recommended videos not found.