Kerberos Authentication Support for macOS

The GlobalProtect app for macOS endpoints (10.10 and later releases) now supports Kerberos V5 SSO.
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.0 and later releases
OS Support: macOS 10.10 and later releases
The GlobalProtect™ app for Mac endpoints now supports Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. Kerberos SSO maintains a seamless logon experience by providing accurate User-ID™ information without user interaction. Networks that support Kerberos SSO require end users to log in only during initial network access. After the initial login, end users can access any Kerberos-enabled service in the network (such as webmail) without having to log in again until the SSO session expires (the SSO session duration is established by the Kerberos administrator). This authentication method helps identify users for user and HIP policy enforcement.
If you enable both Kerberos SSO and an external authentication service (such as RADIUS), GlobalProtect attempts SSO first. You can configure GlobalProtect to fall back to an external authentication service when SSO fails or you can configure GlobalProtect to use only Kerberos SSO for authentication.
In this implementation, the GlobalProtect portal and gateway act as Kerberos service principals and the GlobalProtect app acts as a user principal that authenticates end users with a Kerberos service ticket from the Key Distribution Center (KDC).
The following items must be in place for the GlobalProtect app for macOS endpoints to support Kerberos SSO:
  • A Kerberos infrastructure, which includes a KDC with an authentication server (AS) and a ticket-granting service (TGS).
    GlobalProtect supports the following KDCs:
    • Microsoft Active Directory on Windows Server 2008 R2
    • Microsoft Active Directory on Windows Server 2012
    • MIT Kerberos V5
    The KDC must be reachable from the endpoint on which the Globalprotect app is running. In most instances, the KDC is reachable only from inside the enterprise network, which means the GlobalProtect app can use Kerberos authentication only when the endpoint is internal. However, if the KDC is reachable from outside the enterprise network (from the Internet), the GlobalProtect app can use Kerberos authentication when the endpoint is external.
    If the user certificate store contains at least one certificate that is issued by the same CA as the certificate used for pre-logon tunnel establishment, you can also use Kerberos authentication with pre-logon to enable the GlobalProtect app to use Kerberos authentication when the endpoint is external.
    When an end user attempts to access protected network resources using Kerberos authentication, the AS grants the user a Ticket to Get Tickets (TGT), which is a service request used to generate service tickets from the TGS. The service ticket is then used to authenticate the end user and establish a service session.
  • A Kerberos service account for each GlobalProtect portal and gateway.
    Service accounts are required for creating Kerberos keytabs, which are files that contain the principal name and password of each GlobalProtect portal or gateway.
  • PAN-OS 8.0 or a later release.
  • macOS version 10.10 or a later release.
  1. Create a Kerberos keytab file.
    1. Log in to the KDC using your Kerberos service account credentials.
    2. Open a command prompt and then enter the following command:
      ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
      The <principal_name> and <password> are the principal name and password of the GlobalProtect portal or gateway. The <algorithm> must match the algorithm in the service ticket issued by the TGS, which is determined by the Kerberos administrator. If the GlobalProtect portal or gateway is running in FIPS or CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. If the portal or gateway is not running in FIPS or CC mode, you can also use des3-cbc-sha1 or arcfour-hmac.
  2. Create a server profile for Kerberos authentication.
  3. Import the Kerberos keytab file to an authentication profile.
    1. Select DeviceAuthentication Profile.
    2. Select an existing authentication profile or Add a new one.
      auth-profile_kerberos.png
    3. In the Single Sign-On area, enter the Kerberos Realm (up to 127 characters), which is the domain to which the end user belongs. For example, a user with the account name user@EXAMPLE.LOCAL belongs to the EXAMPLE.LOCAL realm.
    4. Import a Kerberos Keytab file to the authentication profile.
      When the Import Keytab dialog opens, Browse to and select the keytab file, and then click OK.
      auth-profile_kerberos-keytab.png
    5. Click OK to save your changes.
  4. Assign the authentication profile to an internal gateway. If the Kerberos authentication infrastructure is deployed in an external gateway, such as a DMZ, you can also assign the authentication profile to an external gateway.
    1. Select NetworkGlobalProtectGateways to modify an existing gateway or Add a new one.
      gateway-configuration.png
    2. Select an existing SSL/TLS Service Profile for securing the gateway, or Add a new service profile (NetworkGlobalProtectGateways<gateway-config>Authentication).
    3. Add a Client Authentication configuration (NetworkGlobalProtectGateways<gateway-config>Authentication), and then configure the following settings:
      • Name—Name of the client authentication configuration.
      • OS—Operating systems on which the gateway can be accessed.
      • Authentication Profile—Authentication profile to which your Kerberos keytab file was imported.
      • (Optional) Username Label—Custom username label for GlobalProtect gateway login.
      • (Optional) Password Label—Custom password label for GlobalProtect gateway login.
      • (Optional) Authentication Message—Message that is displayed when end users authenticate to the gateway.
    4. Click OK to save your changes.
  5. Assign the authentication profile to the GlobalProtect portal.
    1. Select NetworkGlobalProtectPortals.
    2. Select an existing portal or Add a new one.
      portal-configuration.png
    3. Select an existing SSL/TLS Service Profile for securing the portal, or Add a new service profile (NetworkGlobalProtectPortals<portal-config>Authentication).
    4. Add a Client Authentication configuration (NetworkGlobalProtectPortals<portal-config>Authentication), and then configure the following settings:
      • Name—Name of the client authentication configuration.
      • OS—Operating systems on which the portal can be accessed.
      • Authentication Profile—Authentication profile to which your Kerberos keytab file is imported.
      • (Optional) Username Label—Custom username label for GlobalProtect portal login.
      • (Optional) Password Label—Custom password label for GlobalProtect portal login.
      • (Optional) Authentication Message—Message that is displayed when end users log in to the portal.
    5. Click OK to save your changes.
  6. Configure the GlobalProtect app behavior for Kerberos authentication failure.
    1. Select NetworkGlobalProtectPortals.
    2. Select a portal configuration.
    3. Select the agent configuration that you want to modify, or Add a new one (NetworkGlobalProtectPortals<portal-config>Agent).
    4. In the App Configurations area (NetworkGlobalProtectPortals<portal-config>Agent<agent-config>App), select one of the following options for Use Default Authentication on Kerberos Authentication Failure:
      • Yes—Enables authentication to fall back so that when Kerberos authentication fails, GlobalProtect authenticates users through the default authentication method.
      • No—GlobalProtect can use only Kerberos to authenticate users.
        portal-configuration_kerberos-auth-failure.png
    5. Click OK to save your changes.
    6. Click OK to complete your configuration.
  7. Commit the configuration.

Related Documentation