Kerberos is an authentication protocol that enables
a secure exchange of information between parties over an insecure
network using unique keys (called tickets) to identify the parties.
The firewall and Panorama support two types of Kerberos authentication
for administrators and end users:
Kerberos server authentication—A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords. For the configuration steps, see Configure Kerberos Server Authentication.
Kerberos single sign-on (SSO)—A network that supports Kerberos V5 SSO prompts a user to log in only for initial access to the network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (such as the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and another external authentication service (such as a TACACS+ server), the firewall first tries SSO and, only if that fails, falls back to the external service for authentication. To support Kerberos SSO, your network requires:
A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.
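To show what the keytab described above actually holds, here is an added example in Python; it is not code from this page or from Palo Alto Networks. It builds a constructed MIT-format keytab (version 0x0502) in memory for a placeholder service principal HTTP/fw.example.com@EXAMPLE.COM with constructed key bytes, parses it back, and reports each entry's principal, key version number and encryption type without ever printing the key material. The principal name, realm, key bytes and the check_keytab helper are assumptions made for illustration; the byte layout follows the MIT keytab file format.

```python
"""Parse an MIT-format Kerberos keytab (version 0x0502) and sanity-check it.

Added example, not code from the page or from Palo Alto Networks.
The sample keytab below is constructed in memory with placeholder
principal, realm and key bytes so the script runs offline.
"""
import struct

# RFC 3961 / IANA encryption type numbers for common modern and legacy types.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",  # legacy type, flagged by check_keytab
}
KEYTAB_VERSION = b"\x05\x02"
RC4_HMAC = 23


def _counted(data: bytes) -> bytes:
    """Encode a counted octet string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    """Decode a counted octet string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Build a v2 keytab from (principal, kvno, enctype, key) tuples.

    Used only to construct sample input; principal is "name/instance@REALM".
    """
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray(struct.pack(">H", len(components)))
        body += _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)            # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp (not needed here)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit key version number
        body += struct.pack(">H", enctype)
        body += _counted(key)
        body += struct.pack(">I", kvno)         # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body  # positive size = live entry
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry; key bytes are never included."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted slot to skip
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        if end - pos >= 4:  # 32-bit kvno present; prefer it when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
            "key_len": len(key),
        })
    return entries


def check_keytab(entries, expected_principal: str):
    """Findings a defender wants before enabling SSO: missing or weak keys."""
    findings = []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append(f"missing entry for {expected_principal}")
    for e in entries:
        if e["enctype"] == RC4_HMAC:
            findings.append(f"{e['principal']} kvno {e['kvno']} uses legacy rc4-hmac")
        elif e["enctype"] not in ENCTYPE_NAMES:
            findings.append(f"{e['principal']} uses unknown enctype {e['enctype']}")
    return findings


# Constructed sample: placeholder principal and deterministic fake key bytes.
SAMPLE_PRINCIPAL = "HTTP/fw.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, 3, 18, bytes(range(32))),
    (SAMPLE_PRINCIPAL, 3, 23, bytes(range(16))),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for entry in parsed:
        print(entry)
    print(check_keytab(parsed, SAMPLE_PRINCIPAL))
```

On a real file, read it into parse_keytab instead of SAMPLE_KEYTAB; check_keytab confirms that the firewall's or Panorama's principal is actually present in the keytab before SSO is enabled and flags legacy rc4-hmac entries, which is the check worth running when SSO silently falls back to the external authentication service.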