Set Up Kerberos Authentication

Kerberos is a computer network authentication protocol that uses
tickets
to allow nodes that communicate over a non-secure network to prove their identity to one another in a secure manner.
Kerberos authentication is supported on Windows (7, 8, and 10) and macOS (10.10 and later releases) endpoints. Kerberos authentication for macOS endpoints requires a minimum GlobalProtect app version of 4.1.0.
  1. Create a server profile.
    The server profile identifies the external authentication service and instructs the firewall on how to connect to that authentication service and access the authentication credentials for your users.
    1. Select
      Device
      Server Profiles
      Kerberos
      , and then
      Add
      a Kerberos server profile.
    2. Enter a
      Profile Name
      , such as
      GP-User-Auth
      .
    3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or
      Shared
      as the
      Location
      where the profile is available.
    4. Click
      Add
      in the
      Servers
      area, and then enter the following information for connecting to the authentication server:
      • Server
        Name
      • IP address of FQDN of the
        Kerberos Server
      • Port
    5. Click
      OK
      to save the server profile.
  2. (
    Optional
    ) Create an authentication profile.
    The authentication profile specifies the server profile that the portal or gateways use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles in one or more client authentication profile. For information on how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
    To enable users to connect and change their expired passwords without administrative intervention, consider using Remote Access VPN with Pre-Logon.
    1. Select
      Device
      Authentication Profile
      , and then
      Add
      a new profile.
    2. Enter a
      Name
      for the profile, and then select
      Kerberos
      as the authentication
      Type
      .
    3. Select the Kerberos authentication
      Server Profile
      that you created in step 1.
    4. Specify the
      User Domain
      and
      Username Modifier
      . The endpoint combines these values to modify the domain/username string that a user enters during login. The endpoint uses the modified string for authentication and the
      User Domain
      value for User-ID group mapping. Modifying user inputs is useful when the authentication service requires domain/username strings in a particular format but you do not want to rely on users entering the domain correctly. You can select from the following options:
      • To send the unmodified user input, leave the
        User Domain
        blank (default) and set the
        Username Modifier
        to the variable
        %USERINPUT%
        (default).
      • To prepend a domain to the user input, enter a
        User Domain
        and set the
        Username Modifier
        to
        %USERDOMAIN%\%USERINPUT%
        .
      • To append a domain to the user input, enter a
        User Domain
        and set the
        Username Modifier
        to
        %USERINPUT%@%USERDOMAIN%
        .
      If the
      Username Modifier
      includes the
      %USERDOMAIN%
      variable, the
      User Domain
      value replaces any domain string that the user enters. If the
      User Domain
      is blank, the device removes any user-entered domain string.
    5. Configure Kerberos single sign-on (SSO) if your network supports it.
      • Enter the
        Kerberos Realm
        (up to 127 characters) to specify the hostname portion of the user login name. For example, the user account name user@EXAMPLE.LOCAL has the realm EXAMPLE.LOCAL.
      • Import
        a
        Kerberos Keytab
        file. When prompted,
        Browse
        for the keytab file, and then click
        OK
        . During authentication, the endpoint first attempts to establish SSO using the keytab. If it is successful, and the user attempting access is in the
        Allow List
        , authentication succeeds immediately. Otherwise, the authentication process falls back to manual (username/password) authentication using the specified authentication
        Type
        . The
        Type
        does not have to be Kerberos. To change this behavior so users can authenticate using only Kerberos, set
        Use Default Authentication on Kerberos Authentication Failure
        to
        No
        in the GlobalProtect portal agent configuration.
    6. On the
      Advanced
      tab,
      Add
      an
      Allow List
      to select the users and user groups that are allowed to authenticate with this profile. The
      all
      option allows every user to authenticate with this profile. By default, the list has no entries, which means no users can authenticate.
    7. Click
      OK
      .
  3. Commit the configuration.
    Click
    Commit
    .

Related Documentation