Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external service for authentication.
To support Kerberos SSO, your network requires:
- A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
- A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.
Configure Kerberos Single Sign-On
Step 1: Create a Kerberos keytab.
The keytab is a file that contains the principal name and password of the firewall, and is required for the SSO process. When you configure Kerberos in your Authentication Profile and Sequence, the firewall first checks for a Kerberos SSO hostname. If you provide a hostname, the firewall searches the keytabs for a service principal name that matches the hostname and uses only that keytab for decryption. If you do not provide a hostname, the firewall tries each keytab in the authentication sequence until it is able to successfully authenticate using Kerberos.
  1. Log in to the KDC and open a command prompt.
  2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are those of the firewall or Panorama, not the user.
     ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
     If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall or Panorama account. The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.
Step 2: Import the keytab into an authentication profile.
Configure an Authentication Profile and Sequence:
  1. Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
  2. Import the Kerberos Keytab that you created for the firewall or Panorama.
Step 3: Assign the authentication profile to the administrator account or to the Captive Portal settings.
  - Configure an administrator account.
  - Configure Captive Portal.
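As an added check that is not part of the original documentation, the Python below parses a keytab in the 0x0502 layout that ktpass writes, applies the hostname-matching rule described in Step 1 (use only the entry whose service principal instance matches the Kerberos SSO hostname) and rejects non-AES enctypes when FIPS/CC mode is in force, so a keytab can be validated before it is imported. The sample keytab is constructed in memory with placeholder key bytes; the HTTP/ service name, the hostnames and the realm are assumptions, not values from the page.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962/4757) for the algorithms the page names.
ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
FIPS_CC_ALLOWED = {17, 18}  # FIPS/CC mode accepts only the two AES enctypes
def _octets(data):  # keytab counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):  # (principal, enctype, key) tuples -> 0x0502 keytab bytes
    out = b"\x05\x02"
    for principal, enctype, key in entries:
        name, realm = principal.split("@")
        body = struct.pack(">H", name.count("/") + 1) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIB", 1, 0, 1)  # KRB5_NT_PRINCIPAL, timestamp, kvno
        body += struct.pack(">H", enctype) + _octets(key)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob):
    """Return [(principal, enctype_number), ...]; the key bytes are never read."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        size, pos = struct.unpack(">i", blob[pos:pos + 4])[0], pos + 4
        if size <= 0:  # ktpass never writes deleted (negative-size) slots
            raise ValueError("deleted or empty keytab slot")
        end = pos + size
        ncomp, pos = struct.unpack(">H", blob[pos:pos + 2])[0], pos + 2
        strings = []  # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", blob[pos:pos + 2])[0]
            strings.append(blob[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        enctype = struct.unpack(">H", blob[pos + 9:pos + 11])[0]  # after type/time/vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], enctype))
        pos = end
    return entries

def select_sso_entry(blob, sso_hostname, fips_cc=False):
    """Apply the page's rule: use only the entry whose SPN instance matches the SSO hostname."""
    for principal, enctype in parse_keytab(blob):
        if principal.split("@")[0].partition("/")[2].lower() == sso_hostname.lower():
            if fips_cc and enctype not in FIPS_CC_ALLOWED:
                raise ValueError(f"{principal}: {ENCTYPES.get(enctype, enctype)} is not allowed in FIPS/CC mode")
            return principal, ENCTYPES.get(enctype, str(enctype))
    raise LookupError(f"no keytab entry for host {sso_hostname}")
SAMPLE = build_keytab([  # constructed input; HTTP/ service name and key bytes are placeholders
    ("HTTP/fw-old.example.com@EXAMPLE.COM", 23, b"\x11" * 16),
    ("HTTP/firewall.example.com@EXAMPLE.COM", 18, b"\x22" * 32)])
```

To check a real file, read it with open(path, "rb").read() and pass the bytes in place of SAMPLE; only principal names and enctypes are reported, never key material.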