Focus

Next-Generation Firewall

Configure Passwordless Authentication

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Configure Passwordless Authentication

Transparently authenticate users to Kerberos-protected applications by using your firewall as a delegation agent, eliminating password entry while maintaining strong security.

Where Can I Use This?	What Do I Need?
Supported on the following platforms: PA-7500 PA-5500 PA-5450 PA-5400 Series PA-3400 PA-1400 PA-500 PA-400 VM-Series	License (perpetual) URL Filtering User-ID Decryption

To simplify authentication and reduce user friction, you can enable passwordless authentication.

Passwordless authentication delegates a ticket on the behalf of the authenticated user, so that users have to log in to authenticate only once. After successfully authenticating, they can access any apps managed by the authentication server until the authentication period expires without having to log in again.

First, create a delegation profile to delegate the ticket on behalf of the authenticated user. Associate the delegation profile with your authentication server profile (in this case Kerberos) and configure an authentication object to use the delegation profile for user authentication.

Next, create a custom URL filter for the URLs of the apps, and then create a Security policy rule that references the custom URL filter. As the final step, create an HTTP header insertion that references the custom URL category.

Now, users just have to log in once to authenticate, and then they can easily switch between apps without having to reauthenticate immediately.

Passwordless authentication supports HTTPS traffic only.

Prepare to deploy passwordless authentication.
1. Enable User-ID in the Kerberos traffic zone.
2. Enable the URL filter feature.
3. Enable decryption.
Configure the Kerberos server profile.
1. Select DeviceServer ProfilesKerberos.
2. Add the Name and IP address of your Kerberos Server.
3. Specify the Port number (typically 88).
4. Click OK.
Define the delegation profile.
1. Select DeviceDelegation Profile.
2. Add a new delegation profile.
3. Specify a Name for the delegation profile.
4. (Panorama only) Select the virtual system Location for the delegation profile.
5. Specify the Kerberos Realm (for example, example.com).
6. Select the Kerberos Server Profile you created in step 2.
7. Import the Kerberos Keytab.
  
  Only include the users who require passwordless authentication in the keytab. Passwordless authentication supports keytabs in the AES 256 format.
8. Click OK.
Configure the authentication object.
1. Select ObjectsAuthentication.
2. Add a new Authentication Enforcement object and specify a Name.
3. Select constrained-delegation as the Authentication Method.
4. Select the Delegation Profile you created in step 3.
5. Click OK.
Define the URL category for the login URLs of the applications that require Kerberos for authentication.
1. Select ObjectsCustom ObjectsURL Category.
2. Add a new URL Category and enter a Name.
3. Add the login URLs for the Sites of all the applications that currently require Kerberos authentication for which you want to enable passwordless authentication.
4. Click OK.
Create the URL filter profile for the login URLs of the allowed applications that require Kerberos for authentication.
1. Select ObjectsSecurity ProfilesURL Filtering.
2. Add a new URL Filtering Profile and enter a Name.
3. Select HTTP Header Insertion then click Add.
4. Add a new header insertion and either Add the Categories of the allowed URLs or enter their Domains.
5. Add a Header with the Name "Authorization" and the Value Negotiate ($apreq)
  
  You must enter the header exactly as displayed above.
6. Click OK twice.
Enable strip ALPN to disable HTTPS traffic.
1. Select ObjectsDecryptionDecryption Profile.
2. Add a Decryption Profile and enter a Name.
3. Select Strip ALPN.
4. Click OK.
Configure a Security policy rule and associate it with the URL Filtering profile.
1. Select Policies.
2. Add a new Security policy rule.
3. Enter a Name for the rule.
4. Select Actions.
5. Select the URL Filtering profile you created in step 6
6. Click OK.
Create a decryption rule to decrypt the necessary traffic.
1. Select PoliciesDecryption.
2. Add a rule to decrypt the traffic between the firewall and Kerberos.
Configure an authentication policy rule and associate it with the URL category.
1. Select PoliciesAuthentication.
2. Add a new Security policy rule.
3. Enter a Name for the rule.
4. For the source zone, source address, and source user, specify the information for the users for whom you want to enable passwordless authentication.
5. For the destination zone and destination address, specify as needed.
6. For the application, specify web-browsing or other relevant applications.
7. Select the URL category you created in step 5.
8. Select the Service type (typically application-default).
9. Select Actions then select Authentication enforcement object you created in step 4.
10. Click OK.

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Next-Generation Firewall Docs

Configure Passwordless Authentication

Next-Generation Firewall Docs

Configure Passwordless Authentication

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner