Set Up Kerberos Authentication

Create a server profile.
The server profile identifies the external authentication service and instructs the firewall on how to connect to that authentication service and access the authentication credentials for your users.
Select
Device
Server Profiles
Kerberos
, and then
Add
a Kerberos server profile.
Enter a
Profile Name
, such as
GP-User-Auth
.
If this profile is for a firewall with multiple virtual systems capability, select a virtual system or
Shared
as the
Location
where the profile is available.
Click
Add
in the
Servers
area, and then enter the following information for connecting to the authentication server:
Server
Name
IP address or FQDN of the
Kerberos Server
Port
Click
OK
to save the server profile.
(
Optional
) Create an authentication profile.
The authentication profile specifies the server profile that the portal or gateways use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles in one or more client authentication profile. For information on how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
To enable users to connect and change their expired passwords without administrative intervention, consider using Remote Access VPN with Pre-Logon.
Select
Device
Authentication Profile
, and then
Add
a new profile.
Enter a
Name
for the profile, and then select
Kerberos
as the authentication
Type
.
Select the Kerberos authentication
Server Profile
that you created in step 1.
Specify the
User Domain
and
Username Modifier
. The endpoint combines these values to modify the domain/username string that a user enters during login. The endpoint uses the modified string for authentication and the
User Domain
value for User-ID group mapping. Modifying user inputs is useful when the authentication service requires domain/username strings in a particular format but you do not want to rely on users entering the domain correctly. You can select from the following options:
To send the unmodified user input, leave the
User Domain
blank (default) and set the
Username Modifier
to the variable
%USERINPUT%
(default).
To prepend a domain to the user input, enter a
User Domain
and set the
Username Modifier
to
%USERDOMAIN%\%USERINPUT%
.
To append a domain to the user input, enter a
User Domain
and set the
Username Modifier
to
%USERINPUT%@%USERDOMAIN%
.
If the
Username Modifier
includes the
%USERDOMAIN%
variable, the
User Domain
value replaces any domain string that the user enters. If the
User Domain
is blank, the device removes any user-entered domain string.
Configure Kerberos single sign-on (SSO) if your network supports it.
Enter the
Kerberos Realm
(up to 127 characters) to specify the hostname portion of the user login name. For example, the user account name user@EXAMPLE.LOCAL has the realm EXAMPLE.LOCAL.
Import
a
Kerberos Keytab
file. When prompted,
Browse
for the keytab file, and then click
OK
. During authentication, the endpoint first attempts to establish SSO using the keytab. If it is successful, and the user attempting access is in the
Allow List
, authentication succeeds immediately. Otherwise, the authentication process falls back to manual (username/password) authentication using the specified authentication
Type
. The
Type
does not have to be Kerberos. To change this behavior so users can authenticate using only Kerberos, set
Use Default Authentication on Kerberos Authentication Failure
to
No
in the GlobalProtect portal agent configuration.
On the
Advanced
tab,
Add
an
Allow List
to select the users and user groups that are allowed to authenticate with this profile. The
all
option allows every user to authenticate with this profile. By default, the list has no entries, which means no users can authenticate.
Click
OK
.
Commit the configuration.
Click
Commit
.