Palo Alto Networks firewalls and Panorama
support Kerberos V5 single sign-on (SSO) to authenticate administrators
to the web interface and end users to Captive Portal. A network
that supports Kerberos SSO prompts a user to log in only for initial
access to the network (for example, logging in to Microsoft Windows).
After this initial login, the user can access any browser-based
service in the network (for example, the firewall web interface)
without having to log in again until the SSO session expires. (Your
Kerberos administrator sets the duration of SSO sessions.) If you
enable both Kerberos SSO and external authentication services (for
example, a RADIUS server), the firewall or Panorama first tries
SSO and, only if that fails, falls back to the external service.
To support Kerberos SSO, your network requires:
A Kerberos infrastructure,
including a key distribution center (KDC) with an authentication
server (AS) and ticket-granting service (TGS).
A Kerberos account for the firewall or Panorama that will
authenticate users. An account is required to create a Kerberos
keytab, which is a file that contains the principal name and hashed
password of the firewall or Panorama. The SSO process requires the keytab.
Create a Kerberos
The keytab is a file that contains the principal name and
password of the firewall, and is required for the SSO process. When
you configure Kerberos in your Authentication Profile and Sequence,
the firewall first checks for a Kerberos SSO hostname. If you provide
a hostname, the firewall searches the keytabs for a service principal
name that matches the hostname and uses only that keytab for decryption. If
you do not provide a hostname, the firewall tries each keytab in
the authentication sequence until it is able to successfully authenticate.
If the Kerberos SSO hostname is included
in the request sent to the firewall, then the hostname must match
the service principal name of the keytab; otherwise, the Kerberos authentication
request is not sent.
Log in to the KDC and open a command prompt.
Enter the following command, where
are variables. The Kerberos principal
name and password are of the firewall or Panorama, not the user.
If the firewall is in FIPS/CC mode, the
algorithm must be
Otherwise, you can also use
To use an Advanced Encryption Standard (AES) algorithm, the functional
level of the KDC must be Windows Server 2008 or later and you must
enable AES encryption for the firewall or Panorama account.
The algorithm in the keytab must match the algorithm in the service
ticket that the TGS issues to clients. Your Kerberos administrator
determines which algorithms the service tickets use.
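Before uploading a keytab to the firewall or Panorama, you can verify offline that it holds a service principal whose host part matches the Kerberos SSO hostname and that every key uses an AES algorithm as FIPS/CC mode requires. The following Python script is an added example, not code from Palo Alto Networks' documentation or products: it parses the MIT keytab version 2 format (the layout Windows and MIT Kerberos tools write) without exposing key material, and the sample keytab it builds, the principal HTTP/fw.example.com, the realm EXAMPLE.COM, and the enctype numbers 18 (aes256-cts-hmac-sha1-96) and 23 (arcfour-hmac) are assumptions taken from the Kerberos RFCs, not from this page.

```python
import struct

AES_ENCTYPES = {17, 18}   # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 (RFC 3962)

def build_keytab(entries):
    # Serialize (spn, realm, kvno, enctype, key) tuples as MIT keytab v2; sample input only.
    out = b"\x05\x02"
    for spn, realm, kvno, enctype, key in entries:
        comps = spn.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    # Parse MIT keytab v2; key bytes are skipped and never returned to the caller.
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype})
    return entries

def entries_for_host(entries, hostname):
    # SPN is service/host@REALM; the firewall selects the keytab whose host part matches.
    return [e for e in entries if e["principal"].split("@")[0].split("/")[-1].lower() == hostname.lower()]

def fips_cc_ok(entries):
    # FIPS/CC mode accepts only AES keys; a single legacy enctype entry fails the check.
    return all(e["enctype"] in AES_ENCTYPES for e in entries)

# Constructed sample: an AES256 key for the firewall SPN plus a legacy RC4 (arcfour-hmac) key.
SAMPLE_KEYTAB = build_keytab([("HTTP/fw.example.com", "EXAMPLE.COM", 3, 18, b"\x11" * 32),
                              ("HTTP/fw.example.com", "EXAMPLE.COM", 3, 23, b"\x22" * 16)])
```

Run `parse_keytab` on the real keytab file's bytes to list its entries; `fips_cc_ok` returning False means the legacy entry must be regenerated with an AES algorithm before the keytab is used in FIPS/CC mode.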