Configure Kerberos Single Sign-On
Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external service for authentication.
To support Kerberos SSO, your network requires:
- A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
- A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.
- Create a Kerberos keytab.The keytab is a file that contains the principal name and password of the firewall, and is required for the SSO process. When you configure Kerberos in your Authentication Profile and Sequence, the firewall first checks for a Kerberos SSO hostname. If you provide a hostname, the firewall searches the keytabs for a service principal name that matches the hostname and uses only that keytab for decryption. If you do not provide a hostname, the firewall tries each keytab in the authentication sequence until it is able to successfully authenticate using Kerberos.If the Kerberos SSO hostname is included in the request sent to the firewall, then the hostname must match the service principal name of the keytab; otherwise, the Kerberos authentication request is not sent.
- Log in to the KDC and open a command prompt.
- Enter the following command, where<principal_name>,<password>, and<algorithm>are variables. The Kerberos principal name and password are of the firewall or Panorama, not the user.ktpass /princ<principal_name>/pass<password>/crypto<algorithm>/ptype KRB5_NT_PRINCIPAL /out<file_name>.keytabIf the firewall is in FIPS/CC mode, the algorithm must beaes128-cts-hmac-sha1-96oraes256-cts-hmac-sha1-96. Otherwise, you can also usedes3-cbc-sha1orarcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall or Panorama account.The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.
- Import the keytab into an authentication profile.
- Enter theKerberos Realm(usually the DNS domain of the users, except that the realm is uppercase).
- ImporttheKerberos Keytabthat you created for the firewall or Panorama.