You can configure the firewall to first try Kerberos single sign-on (SSO) authentication and, if that fails, fall back to External service or Local database authentication.
Configure Kerberos SSO and External or Local Authentication for Administrators
Configure a Kerberos keytab for the firewall. Required for Kerberos SSO authentication. Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall.
Configure a local database or external server profile. Required for local database or external authentication. Local database authentication—Perform the following tasks: Configure the user account. ( Optional ) Configure a user group. External authentication—Perform one of the following tasks: Configure a RADIUS Server Profile. Configure a TACACS+ Server Profile. Configure an LDAP Server Profile. Configure a Kerberos Server Profile.
Configure an authentication profile. If your users are in multiple Kerberos realms, create an authentication profile for each realm and assign all the profiles to an authentication sequence. You can then assign the same authentication sequence to all user accounts ( Step 4). Configure an Authentication Profile and Sequence.
Configure an administrator account. Configure an Administrative Account. For local database authentication, specify the Name of the user you defined in Step 2. Assign the Authentication Profile or sequence and the Admin Role Profile that you just created.

Related Documentation