1. Home
    2. GlobalProtect
    3. GlobalProtect App New Features Guide
    4. New Features Released in GlobalProtect App 4.1
    5. Kerberos Authentication Support for macOS
    End-of-Life (EoL)

    Kerberos Authentication Support for macOS

    The GlobalProtect app for macOS endpoints (10.10 and later releases) now supports Kerberos V5 SSO.
    Software Support
    : Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.0 and later releases
    OS Support
    : macOS 10.10 and later releases
    The GlobalProtect™ app for Mac endpoints now supports Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. Kerberos SSO maintains a seamless logon experience by providing accurate User-ID™ information without user interaction. Networks that support Kerberos SSO require end users to log in only during initial network access. After the initial login, end users can access any Kerberos-enabled service in the network (such as webmail) without having to log in again until the SSO session expires (the SSO session duration is established by the Kerberos administrator). This authentication method helps identify users for user and HIP policy enforcement.
    If you enable both Kerberos SSO and an external authentication service (such as RADIUS), GlobalProtect attempts SSO first. You can configure GlobalProtect to fall back to an external authentication service when SSO fails or you can configure GlobalProtect to use only Kerberos SSO for authentication.
    In this implementation, the GlobalProtect portal and gateway act as Kerberos service principals and the GlobalProtect app acts as a user principal that authenticates end users with a Kerberos service ticket from the Key Distribution Center (KDC).
    The following items must be in place for the GlobalProtect app for macOS endpoints to support Kerberos SSO:
    • A Kerberos infrastructure, which includes a KDC with an authentication server (AS) and a ticket-granting service (TGS).
      GlobalProtect supports the following KDCs:
      • Microsoft Active Directory on Windows Server 2008 R2
      • Microsoft Active Directory on Windows Server 2012
      • MIT Kerberos V5
      The KDC must be reachable from the endpoint on which the Globalprotect app is running. In most instances, the KDC is reachable only from inside the enterprise network, which means the GlobalProtect app can use Kerberos authentication only when the endpoint is internal. However, if the KDC is reachable from outside the enterprise network (from the Internet), the GlobalProtect app can use Kerberos authentication when the endpoint is external.
      If the user certificate store contains at least one certificate that is issued by the same CA as the certificate used for pre-logon tunnel establishment, you can also use Kerberos authentication with pre-logon to enable the GlobalProtect app to use Kerberos authentication when the endpoint is external.
      When an end user attempts to access protected network resources using Kerberos authentication, the AS grants the user a Ticket to Get Tickets (TGT), which is a service request used to generate service tickets from the TGS. The service ticket is then used to authenticate the end user and establish a service session.
    • A Kerberos service account for each GlobalProtect portal and gateway.
      Service accounts are required for creating Kerberos keytabs, which are files that contain the principal name and password of each GlobalProtect portal or gateway.
    • PAN-OS 8.0 or a later release.
    • macOS version 10.10 or a later release.
    1. Create a Kerberos keytab file.
      1. Log in to the KDC using your Kerberos service account credentials.
      2. Open a command prompt and then enter the following command:
        ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
        The
        <principal_name>
         and
        <password>
         are the principal name and password of the GlobalProtect portal or gateway. The
        <algorithm>
         must match the algorithm in the service ticket issued by the TGS, which is determined by the Kerberos administrator. If the GlobalProtect portal or gateway is running in FIPS or CC mode, the algorithm must be
        aes128-cts-hmac-sha1-96
         or
        aes256-cts-hmac-sha1-96
        . If the portal or gateway is not running in FIPS or CC mode, you can also use
        des3-cbc-sha1
         or
        arcfour-hmac
        .
    2. Create a server profile for Kerberos authentication.
    3. Import the Kerberos keytab file to an authentication profile.
      1. Select
        Device
        Authentication Profile
        .
      2. Select an existing authentication profile or
        Add
         a new one.
      3. In the
        Single Sign-On
         area, enter the
        Kerberos Realm
         (up to 127 characters), which is the domain to which the end user belongs. For example, a user with the account name user@EXAMPLE.LOCAL belongs to the EXAMPLE.LOCAL realm.
      4. Import
         a
        Kerberos Keytab
         file to the authentication profile.
        When the Import Keytab dialog opens,
        Browse
         to and select the keytab file, and then click
        OK
        .
      5. Click
        OK
         to save your changes.
    4. Assign the authentication profile to an internal gateway. If the Kerberos authentication infrastructure is deployed in an external gateway, such as a DMZ, you can also assign the authentication profile to an external gateway.
      1. Select
        Network
        GlobalProtect
        Gateways
         to modify an existing gateway or
        Add
         a new one.
      2. Select an existing
        SSL/TLS Service Profile
         for securing the gateway, or
        Add
         a new service profile (
        Network
        GlobalProtect
        Gateways
        <gateway-config>
        Authentication
        ).
      3. Add
         a
        Client Authentication
         configuration (
        Network
        GlobalProtect
        Gateways
        <gateway-config>
        Authentication
        ), and then configure the following settings:
        • Name
          —Name of the client authentication configuration.
        • OS
          —Operating systems on which the gateway can be accessed.
        • Authentication Profile
          —Authentication profile to which your Kerberos keytab file was imported.
        • (
          Optional
          )
          Username Label
          —Custom username label for GlobalProtect gateway login.
        • (
          Optional
          )
          Password Label
          —Custom password label for GlobalProtect gateway login.
        • (
          Optional
          )
          Authentication Message
          —Message that is displayed when end users authenticate to the gateway.
      4. Click
        OK
         to save your changes.
    5. Assign the authentication profile to the GlobalProtect portal.
      1. Select
        Network
        GlobalProtect
        Portals
        .
      2. Select an existing portal or
        Add
         a new one.
      3. Select an existing
        SSL/TLS Service Profile
         for securing the portal, or
        Add
         a new service profile (
        Network
        GlobalProtect
        Portals
        <portal-config>
        Authentication
        ).
      4. Add
         a
        Client Authentication
         configuration (
        Network
        GlobalProtect
        Portals
        <portal-config>
        Authentication
        ), and then configure the following settings:
        • Name
          —Name of the client authentication configuration.
        • OS
          —Operating systems on which the portal can be accessed.
        • Authentication Profile
          —Authentication profile to which your Kerberos keytab file is imported.
        • (
          Optional
          )
          Username Label
          —Custom username label for GlobalProtect portal login.
        • (
          Optional
          )
          Password Label
          —Custom password label for GlobalProtect portal login.
        • (
          Optional
          )
          Authentication Message
          —Message that is displayed when end users log in to the portal.
      5. Click
        OK
         to save your changes.
    6. Configure the GlobalProtect app behavior for Kerberos authentication failure.
      1. Select
        Network
        GlobalProtect
        Portals
        .
      2. Select a portal configuration.
      3. Select the agent configuration that you want to modify, or
        Add
         a new one (
        Network
        GlobalProtect
        Portals
        <portal-config>
        Agent
        ).
      4. In the
        App Configurations
         area (
        Network
        GlobalProtect
        Portals
        <portal-config>
        Agent
        <agent-config>
        App
        ), select one of the following options for
        Use Default Authentication on Kerberos Authentication Failure
        :
        • Yes
          —Enables authentication to fall back so that when Kerberos authentication fails, GlobalProtect authenticates users through the default authentication method.
        • No
          —GlobalProtect can use only Kerberos to authenticate users.
      5. Click
        OK
         to save your changes.
      6. Click
        OK
         to complete your configuration.
    7. Commit
       the configuration.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo