Kerberos Authentication Support for macOS

The GlobalProtect app for macOS endpoints (10.10 and later releases) now supports Kerberos V5 SSO.
Software Support
: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.0 and later releases
OS Support
: macOS 10.10 and later releases
The GlobalProtect™ app for Mac endpoints now supports Kerberos V5 single sign-on (SSO) for GlobalProtect portal and gateway authentication. Kerberos SSO maintains a seamless logon experience by providing accurate User-ID™ information without user interaction. Networks that support Kerberos SSO require end users to log in only during initial network access. After the initial login, end users can access any Kerberos-enabled service in the network (such as webmail) without having to log in again until the SSO session expires (the SSO session duration is established by the Kerberos administrator). This authentication method helps identify users for user and HIP policy enforcement.
If you enable both Kerberos SSO and an external authentication service (such as RADIUS), GlobalProtect attempts SSO first. You can configure GlobalProtect to fall back to an external authentication service when SSO fails or you can configure GlobalProtect to use only Kerberos SSO for authentication.
In this implementation, the GlobalProtect portal and gateway act as Kerberos service principals and the GlobalProtect app acts as a user principal that authenticates end users with a Kerberos service ticket from the Key Distribution Center (KDC).
The following items must be in place for the GlobalProtect app for macOS endpoints to support Kerberos SSO:
  • A Kerberos infrastructure, which includes a KDC with an authentication server (AS) and a ticket-granting service (TGS).
    GlobalProtect supports the following KDCs:
    • Microsoft Active Directory on Windows Server 2008 R2
    • Microsoft Active Directory on Windows Server 2012
    • MIT Kerberos V5
    The KDC must be reachable from the endpoint on which the Globalprotect app is running. In most instances, the KDC is reachable only from inside the enterprise network, which means the GlobalProtect app can use Kerberos authentication only when the endpoint is internal. However, if the KDC is reachable from outside the enterprise network (from the Internet), the GlobalProtect app can use Kerberos authentication when the endpoint is external.
    If the user certificate store contains at least one certificate that is issued by the same CA as the certificate used for pre-logon tunnel establishment, you can also use Kerberos authentication with pre-logon to enable the GlobalProtect app to use Kerberos authentication when the endpoint is external.
    When an end user attempts to access protected network resources using Kerberos authentication, the AS grants the user a Ticket to Get Tickets (TGT), which is a service request used to generate service tickets from the TGS. The service ticket is then used to authenticate the end user and establish a service session.
  • A Kerberos service account for each GlobalProtect portal and gateway.
    Service accounts are required for creating Kerberos keytabs, which are files that contain the principal name and password of each GlobalProtect portal or gateway.
  • PAN-OS 8.0 or a later release.
  • macOS version 10.10 or a later release.
  1. Create a Kerberos keytab file.
    1. Log in to the KDC using your Kerberos service account credentials.
    2. Open a command prompt and then enter the following command:
      ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
      The
      <principal_name>
      and
      <password>
      are the principal name and password of the GlobalProtect portal or gateway. The
      <algorithm>
      must match the algorithm in the service ticket issued by the TGS, which is determined by the Kerberos administrator. If the GlobalProtect portal or gateway is running in FIPS or CC mode, the algorithm must be
      aes128-cts-hmac-sha1-96
      or
      aes256-cts-hmac-sha1-96
      . If the portal or gateway is not running in FIPS or CC mode, you can also use
      des3-cbc-sha1
      or
      arcfour-hmac
      .
  2. Create a server profile for Kerberos authentication.
  3. Import the Kerberos keytab file to an authentication profile.
    1. Select
      Device
      Authentication Profile
      .
    2. Select an existing authentication profile or
      Add
      a new one.
    3. In the
      Single Sign-On
      area, enter the
      Kerberos Realm
      (up to 127 characters), which is the domain to which the end user belongs. For example, a user with the account name user@EXAMPLE.LOCAL belongs to the EXAMPLE.LOCAL realm.
    4. Import
      a
      Kerberos Keytab
      file to the authentication profile.
      When the Import Keytab dialog opens,
      Browse
      to and select the keytab file, and then click
      OK
      .
    5. Click
      OK
      to save your changes.
  4. Assign the authentication profile to an internal gateway. If the Kerberos authentication infrastructure is deployed in an external gateway, such as a DMZ, you can also assign the authentication profile to an external gateway.
    1. Select
      Network
      GlobalProtect
      Gateways
      to modify an existing gateway or
      Add
      a new one.
    2. Select an existing
      SSL/TLS Service Profile
      for securing the gateway, or
      Add
      a new service profile (
      Network
      GlobalProtect
      Gateways
      <gateway-config>
      Authentication
      ).
    3. Add
      a
      Client Authentication
      configuration (
      Network
      GlobalProtect
      Gateways
      <gateway-config>
      Authentication
      ), and then configure the following settings:
      • Name
        —Name of the client authentication configuration.
      • OS
        —Operating systems on which the gateway can be accessed.
      • Authentication Profile
        —Authentication profile to which your Kerberos keytab file was imported.
      • (
        Optional
        )
        Username Label
        —Custom username label for GlobalProtect gateway login.
      • (
        Optional
        )
        Password Label
        —Custom password label for GlobalProtect gateway login.
      • (
        Optional
        )
        Authentication Message
        —Message that is displayed when end users authenticate to the gateway.
    4. Click
      OK
      to save your changes.
  5. Assign the authentication profile to the GlobalProtect portal.
    1. Select
      Network
      GlobalProtect
      Portals
      .
    2. Select an existing portal or
      Add
      a new one.
    3. Select an existing
      SSL/TLS Service Profile
      for securing the portal, or
      Add
      a new service profile (
      Network
      GlobalProtect
      Portals
      <portal-config>
      Authentication
      ).
    4. Add
      a
      Client Authentication
      configuration (
      Network
      GlobalProtect
      Portals
      <portal-config>
      Authentication
      ), and then configure the following settings:
      • Name
        —Name of the client authentication configuration.
      • OS
        —Operating systems on which the portal can be accessed.
      • Authentication Profile
        —Authentication profile to which your Kerberos keytab file is imported.
      • (
        Optional
        )
        Username Label
        —Custom username label for GlobalProtect portal login.
      • (
        Optional
        )
        Password Label
        —Custom password label for GlobalProtect portal login.
      • (
        Optional
        )
        Authentication Message
        —Message that is displayed when end users log in to the portal.
    5. Click
      OK
      to save your changes.
  6. Configure the GlobalProtect app behavior for Kerberos authentication failure.
    1. Select
      Network
      GlobalProtect
      Portals
      .
    2. Select a portal configuration.
    3. Select the agent configuration that you want to modify, or
      Add
      a new one (
      Network
      GlobalProtect
      Portals
      <portal-config>
      Agent
      ).
    4. In the
      App Configurations
      area (
      Network
      GlobalProtect
      Portals
      <portal-config>
      Agent
      <agent-config>
      App
      ), select one of the following options for
      Use Default Authentication on Kerberos Authentication Failure
      :
      • Yes
        —Enables authentication to fall back so that when Kerberos authentication fails, GlobalProtect authenticates users through the default authentication method.
      • No
        —GlobalProtect can use only Kerberos to authenticate users.
    5. Click
      OK
      to save your changes.
    6. Click
      OK
      to complete your configuration.
  7. Commit
    the configuration.

Recommended For You