Configure Kerberos Single Sign-On
Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. With Kerberos SSO enabled, the user needs to log in only for initial access to your network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (such as the firewall web interface) without having to log in again until the SSO session expires.
- Create a Kerberos keytab. The keytab is a file that contains the service principal name of the firewall and the key derived from its account password; the firewall uses it to decrypt the service tickets that clients present, so it is required for the SSO process. When you configure Kerberos in your Authentication Profile and Sequence, the firewall first checks for a Kerberos SSO hostname. If you provide a hostname, the firewall searches the keytabs for a service principal name that matches the hostname and uses only that keytab for decryption. If you do not provide a hostname, the firewall tries each keytab in the authentication sequence until it is able to authenticate using Kerberos. If the Kerberos SSO hostname is included in the request sent to the firewall, the hostname must match the service principal name in the keytab; otherwise, the Kerberos authentication request is not sent.
- Create Kerberos account for the firewall. Refer to your Kerberos documentation for the steps.
- Log in to the KDC and open a command prompt.
- Enter the following command, where <principal_name>, <password>, <algorithm> and <file_name> are variables:
ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall account. The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients; your Kerberos administrator determines which algorithms the service tickets use. Note that ktpass sets the account password to <password>, so re-running it invalidates any keytab you generated earlier for the same account.
- Configure an Authentication Profile and Sequence to define Kerberos settings and other authentication options that are common to a set of users.
- Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
- Import the Kerberos Keytab that you created for the firewall.
- Assign the authentication profile to the firewall application that requires authentication.
- Administrative access to the web interface—Configure a Firewall Administrator Account and assign the authentication profile you configured.
- End user access to services and applications—Assign the authentication profile you configured to an authentication enforcement object. When configuring the object, set the Authentication Method to browser-challenge. Assign the object to Authentication policy rules. For the full procedure to configure authentication for end users, see Configure Authentication Policy.
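Before you import a keytab, it is worth confirming that it actually contains what the steps above require: a service principal that matches the Kerberos SSO hostname and a key of an encryption type the firewall will accept (AES only in FIPS/CC mode). The following is an added example, not Palo Alto Networks code or tooling. It parses the MIT keytab format that ktpass writes (version 0x0502) and reports mismatches. It assumes the browser requests a ticket for the HTTP/<hostname> service, as SPNEGO web clients do; the sample keytab bytes are constructed in the script with all-zero placeholder keys rather than taken from a real KDC.

```python
"""Inspect a Kerberos keytab before importing it into the firewall.

Added example, not Palo Alto Networks code. Parses the MIT keytab format
that ktpass writes and checks the principal and encryption type against
the Kerberos SSO hostname and the firewall's FIPS/CC constraints.
"""
import struct
import time

# RFC 3961 enctype numbers for the algorithms ktpass /crypto can emit.
ENCTYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
FIPS_CC_ENCTYPES = {17, 18}          # only AES is allowed in FIPS/CC mode
NON_FIPS_ENCTYPES = {16, 17, 18, 23}
KRB5_NT_PRINCIPAL = 1                # ktpass /ptype KRB5_NT_PRINCIPAL
SERVICE_CLASS = "HTTP"               # assumption: browser SSO uses HTTP/<host>


def _cstr(data: bytes) -> bytes:
    """Counted octet string: uint16 big-endian length followed by bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, enctype, key, kvno) tuples as a v0x0502 keytab.

    Used here only to construct sample input; on a real KDC ktpass does this.
    """
    out = bytearray(b"\x05\x02")
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _cstr(realm.encode())
        for comp in components:
            body += _cstr(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return one dict per keytab entry. Key material is never returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen              # skip the key bytes themselves
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"realm": realm, "components": comps,
                        "principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": klen})
    return entries


def check_keytab(blob: bytes, sso_hostname: str, realm: str, fips_cc: bool = False):
    """Return (usable_entries, findings) for a given SSO hostname and realm."""
    wanted_spn = f"{SERVICE_CLASS}/{sso_hostname}".lower()   # hostnames: case-insensitive
    allowed = FIPS_CC_ENCTYPES if fips_cc else NON_FIPS_ENCTYPES
    usable, findings = [], []
    for e in parse_keytab(blob):
        label = f"{e['principal']} kvno={e['kvno']} {e['enctype_name']}"
        if e["realm"] != realm:                                # realms: case-sensitive
            findings.append(f"realm mismatch: {label} (want {realm})")
        elif "/".join(e["components"]).lower() != wanted_spn:
            findings.append(f"principal mismatch: {label} (want {wanted_spn}@{realm})")
        elif e["name_type"] != KRB5_NT_PRINCIPAL:
            findings.append(f"unexpected name type {e['name_type']}: {label}")
        elif e["enctype"] not in allowed:
            mode = " in FIPS/CC mode" if fips_cc else ""
            findings.append(f"enctype not permitted{mode}: {label}")
        else:
            usable.append(e)
    if not usable:
        findings.append("no usable key: Kerberos SSO would fail for this hostname")
    return usable, findings


# Constructed sample: two keys for the firewall SPN and one for another host.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/fw.example.com@EXAMPLE.COM", 18, bytes(32), 3),
    ("HTTP/fw.example.com@EXAMPLE.COM", 23, bytes(16), 3),
    ("HTTP/other.example.com@EXAMPLE.COM", 18, bytes(32), 1),
])

if __name__ == "__main__":
    ok, problems = check_keytab(SAMPLE_KEYTAB, "fw.example.com", "EXAMPLE.COM", fips_cc=True)
    for e in ok:
        print("usable:", e["principal"], e["enctype_name"], "kvno", e["kvno"])
    for p in problems:
        print("finding:", p)
```

Run against a keytab exported from the KDC (`check_keytab(open("fw.keytab", "rb").read(), ...)`) with the same hostname and realm you enter in the authentication profile. Anything reported as a finding is a key the firewall will not use; an arcfour-hmac or des3-cbc-sha1 key that is usable outside FIPS/CC mode will still fail once the firewall is switched to that mode.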