Configure Kerberos Server Authentication
You can use Kerberos to natively authenticate end users and firewall or Panorama administrators to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords.
To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.
- Add a Kerberos
server profile.The profile defines how the firewall connects to the Kerberos server.
- Select DeviceServer ProfilesKerberos and Add a server profile.
- Enter a Profile Name to identify the server profile.
- Add each server and specify
a Name (to identify the server), IPv4 address
or FQDN of the Kerberos Server, and optional Port number
for communication with the server (default 88).If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change in order for the new server address to take effect.
- Click OK to save your changes to the profile.
- Assign the server profile to an Configure
an Authentication Profile and Sequence.The authentication profile defines authentication settings that are common to a set of users.
- Assign the authentication profile to the firewall application that
- Administrative access to the web interface—Configure a Firewall Administrator Account and assign the authentication profile you configured.
- End user access to services and applications—Assign the authentication profile you configured to an authentication enforcement object and assign the object to Authentication policy rules. For the full procedure to configure authentication for end users, see Configure Authentication Policy.
- Verify that the firewall can Test Authentication Server Connectivity to authenticate users.
Set Up Kerberos Authentication
Set Up Kerberos Authentication Kerberos is a computer network authentication protocol that uses tickets to allow nodes that communicate over a non-secure network to prove ...
Device > Server Profiles > Kerberos
Device > Server Profiles > Kerberos Select Device Server Profiles Kerberos or Panorama Server Profiles Kerberos to configure a server profile that enables users to ...
Kerberos Kerberos is an authentication protocol that enables a secure exchange of information between parties over an insecure network using unique keys (called tickets) to ...
Configure an Authentication Profile and Sequence
Configure an Authentication Profile and Sequence An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web ...
Objects > Authentication
Objects > Authentication An authentication enforcement object specifies the method and service to use for authenticating end users who access your network resources. You assign ...
Configure Kerberos Single Sign-On
Configure Kerberos Single Sign-On Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end ...
Configure Local or External Authentication for Firewall Adm...
Configure Local or External Authentication for Firewall Administrators You can use Local Authentication and External Authentication Services to authenticate administrators who access the firewall. These ...
Configure Local or External Authentication for Panorama Adm...
Configure Local or External Authentication for Panorama Administrators You can use an external authentication service or the service that is local to Panorama to authenticate ...
Kerberos Authentication Support for macOS
The GlobalProtect app for macOS endpoints (10.10 and later releases) now supports Kerberos V5 SSO. ...