Configure Kerberos Single Sign-On

Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. With Kerberos SSO enabled, the user needs to log in only for initial access to your network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (such as the firewall web interface) without having to log in again until the SSO session expires.
  1. Create a Kerberos keytab.
    The keytab is a file that contains the principal name and password of the firewall, and is required for the SSO process. When you configure Kerberos in your Authentication Profile and Sequence, the firewall first checks for a Kerberos SSO hostname. If you provide a hostname, the firewall searches the keytabs for a service principal name that matches the hostname and uses only that keytab for decryption. If you do not provide a hostname, the firewall tries each keytab in the authentication sequence until it is able to successfully authenticate using Kerberos.
    If the Kerberos SSO hostname is included in the request sent to the firewall, then the hostname must match the service principal name of the keytab; otherwise, the Kerberos authentication request is not sent.
    1. Create Kerberos account for the firewall. Refer to your Kerberos documentation for the steps.
    2. Log in to the KDC and open a command prompt.
    3. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables.
      ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
      If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall account.
      The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.
  2. Configure an Authentication Profile and Sequence to define Kerberos settings and other authentication options that are common to a set of users.
    • Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
    • Import the Kerberos Keytab that you created for the firewall.
  3. Assign the authentication profile to the firewall application that requires authentication.
    • Administrative access to the web interface—Configure a Firewall Administrator Account and assign the authentication profile you configured.
    • End user access to services and applications—Assign the authentication profile you configured to an authentication enforcement object. When configuring the object, set the Authentication Method to browser-challenge. Assign the object to Authentication policy rules. For the full procedure to configure authentication for end users, see Configure Authentication Policy.

Related Documentation