Configure Kerberos Server Authentication

You can use Kerberos to natively authenticate end users and firewall or Panorama administrators to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords.
To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.
  1. Add a Kerberos server profile.
    The profile defines how the firewall connects to the Kerberos server.
    1. Select DeviceServer ProfilesKerberos and Add a server profile.
    2. Enter a Profile Name to identify the server profile.
    3. Add each server and specify a Name (to identify the server), IPv4 address or FQDN of the Kerberos Server, and optional Port number for communication with the server (default 88).
      If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change in order for the new server address to take effect.
    4. Click OK to save your changes to the profile.
  2. Assign the server profile to an Configure an Authentication Profile and Sequence.
    The authentication profile defines authentication settings that are common to a set of users.
  3. Assign the authentication profile to the firewall application that requires authentication.
    • Administrative access to the web interface—Configure a Firewall Administrator Account and assign the authentication profile you configured.
    • End user access to services and applications—Assign the authentication profile you configured to an authentication enforcement object and assign the object to Authentication policy rules. For the full procedure to configure authentication for end users, see Configure Authentication Policy.
  4. Verify that the firewall can Test Authentication Server Connectivity to authenticate users.

Related Documentation