Kerberos Authentication for Explicit Proxy Deployments
Kerberos authentication is supported with
Prisma Access Innovation deployments starting with 3.2.1 Innovation.
Prisma
Access Mobile—Explicit Proxy deployments support Kerberos authentication.
If you have servers, IoT devices, or headless machines that cannot
authenticate using SAML, you can use Kerberos authentication instead.
If
your deployment uses both SAML and Kerberos for authentication,
you can configure both authentication types in a single Explicit
Proxy deployment. In this way, you can authenticate mobile users
with SAML while authenticating servers, IoT devices or headless
machines with Kerberos. Prisma Access Explicit Proxy processes the
authentication depending on the port used for the authentication
traffic:
- If the authentication traffic uses port 8080, Explicit Proxy uses SAML authentication.
- If the authentication traffic uses port 8081, Explicit Proxy uses Kerberos authentication.
If only one port is
configured, the port that is not configured uses the same authentication
profile as the configured port.
Kerberos SSO is available
only for services and applications that are internal to your Kerberos
environment. To enable SSO for external services and applications,
use SAML.
Requirements and Recommendations for Deploying Kerberos for
Explicit Proxy Deployments
Before you implement Kerberos in an Explicit
Proxy deployment, make sure that your Kerberos deployment has the
following requirements and prerequisites:
- Make sure that you have a Kerberos account that you can use for Prisma Access to authenticate servers or devices.An account is required to create a Kerberos keytab, which is a file that contains the principal name and encrypted Kerberos password.
- Make sure that the servers and endpoints are domain-joined, which allows users and machines to securely connect to their work domain using their work network credentials.
- When configuring user authentication and user mapping, use a format of userPrincipalName (UPN); other formats (such as samAccountName) as not supported.
- Unicode character usernames are not supported.
- Make sure that you forward Kerberos authentication traffic to port 8081 in the mobile users’ PAC file or in your proxy settings on the endpoint or servers.Explicit Proxy uses port 8081 for Kerberos authentication and port 8080 for SAML authentication.
- Make sure that your Kerberos administrator has the ability to create and export keytabs.
- Make sure that you have the egress IP addresses of the branch or campus location where your servers, IoT devices, or headless machines are located.You add these IP addresses to the list of addresses that are trusted by Explicit Proxy.
- Follow best practices for Kerberos user authentication and creation.It is the Kerberos account administrator’s responsibility to follow best practices to protect their Kerberos environment and prevent passwords from being compromised. Use the following best practices when creating the user accounts, password, and ServicePrincipalNames (SPNs).Kerberos User Account Creation Best Practices:
- Do not reuse admin user accounts.Create a unique account name for the Kerberos account to be used with Prisma Access Explicit Proxy.
- Do not share this account with any other service; use a dedicated user account for Prisma Access Explicit Proxy.
- Ensure that the user cannot change the password for the Kerberos account.
- When selecting Kerberos account options, deselectUse Kerberos DES encryption types for this accountandDo not require Kerberos preauthentication.
- Enable AES-128 and AES-256 bit encryption.
- Disable delegation for users.
- Deny the ability to log in to a remote desktop session.
- Do not enable remote control.
- Do not allow users to start programs at logon.
- You can specify users or user groups in the allow list of the Authentication profile you create to limit authentication to only the users or machines that have legitimate business needs.
SPN and Keytab Best Practices:- Make sure that the SPN is not associated with multiple user accounts, which could cause duplicate SPN failures.
- RC4-HMAC-NT uses a weak NTML hash. Follow your organization’s security policies and guidelines to include or exclude the RC5 cipher.
- The DES-CBC-CRC and DES-CBC-MD5 ciphers have been deprecated and are not supported by Prisma Access.
- Rotate the password for the SPN on a regular basis. Follow your organization’s security policies and guidelines for password rotation.
- Follow your organization’s practices for password complexity (for example, create the SPN passwords in a truly random fashion that are not human readable and guessable).
- If you change the password for the service user, or change any other attributes, update and re-generate the new keytab and upload it to Prisma Access.
- If you onboard a new PA region, you must generate a new keytab for that region, as shown in the following steps.
The following example output shows an account that was created using Kerberos best practices.PS C:\Users\Administrator>Get-ADUser example -Properties "*"AccountNotDelegated : True AllowReversiblePasswordEncryption : False CannotChangePassword : True CN : example Deleted : DoesNotRequirePreAuth : False Enabled : True GivenName : PrismaAccess EP Service User KerberosEncryptionType : {AES128, AES256} msDS-SupportedEncryptionTypes : 24 Name : example PasswordExpired : False PasswordNeverExpires : True PasswordNotRequired : False PrincipalsAllowedToDelegateToAccount : {} ProtectedFromAccidentalDeletion : True SamAccountName : example servicePrincipalName : {HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM} ServicePrincipalNames : {HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM, HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM} SmartcardLogonRequired : False TrustedForDelegation : False TrustedToAuthForDelegation : False UseDESKeyOnly : False UserPrincipalName : HTTP/us-south-1.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM
Configure Kerberos Authentication for Explicit Proxy Deployments
Use the following workflow to configure Kerberos
authentication with an Explicit Proxy deployment.
- Get the FQDN, proxy FQDNs, and DNS CNAMEs that are required to set up your Kerberos authentication.Kerberos authentication uses the information retrieved from the Prisma Access API script to create and configure the Kerberos keytabs. The API script retrieves the following information:
- ep_geo_lb_fqdn—The Explicit Proxy DNS FQDN used in the Explicit Proxy network load balancer configuration. This FQDN is identical to the Explicit ProxyExplicit Proxy URLin the Prisma Access UI under .
- ep_geo_lb_cname—The DNS CNAME for the Explicit Proxy tenant.
- ep_regional_fqdn—The FQDNs used for the onboarded Explicit Proxy locations.Explicit Proxy gives each location a public IP address for the network load balancer; the ep_regional_fqdn is the FQDN associated with that IP address. If multiple locations share the same public IP address, those locations use the same regional FQDN.
- Go to Cloud Managed Prisma Access and select .
- Generate New API Key.You use this key as part of the API curl command.
- Create a .txt file and enter the following command options in the file:{ "serviceType": "swg_proxy", "location": "deployed", "addrType": "network_load_balancer" }
- Enter the following command to retrieve the required FQDNs to use Kerberos authentication:curl -X POST --data @option.txt -H header-api-key:Current-API-Key "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"Whereoption.txtis the .txt file you created in a previous step andCurrent-API-Keyis the Prisma Access API key.
- Make a note of the FQDNs.There is at least oneep_geo_lb_fqdn, oneep_geo_lb_cname, and oneep_regional_fqdnper onboarded location.
- Create a new user for the Prisma Access Explicit Proxy service in your organization’s Active Directory (AD) by entering the following command:New-ADUser -Name "USER_NAME" -GivenName "USER_GIVEN_NAME" -SamAccountName "USER_SAMACCOUNTNAME" -UserPrincipalName "USER_NAME@DNS_DOMAIN_NAME" -Path "X_500_PATH" –AccountPassword (ConvertTo-SecureString “PASSWORD” -AsPlainText -force) -Enabled $true -KerberosEncryptionType RC4,AES128,AES256Where:
- USER_NAMEis the name of the user object.
- USER_GIVEN_NAMEis the user’s given name.
- USER_SAMACCOUNTNAMEis the user’s Security Account Manager (SAM) name.
- USER_NAME@DNS_DOMAIN_NAMEis the user’s user principal name (UPN).
- X_500_PATHis the X.500 path of the OU or container where the new object is created (for example,DC=EXAMPLE,DC=COM.)
- PASSWORDis the password to use for the account.
The following CLI example has a user name ofexample, a SAM name ofexample, a given name ofPrismaAccess EP Service User, a UPN ofexample@exmp.com, a path ofDC=EXMP,DC=COM, and a password of Ex@mple123:New-ADUser -Name "example" -GivenName "PrismaAccess EP Service User" -SamAccountName "example" -UserPrincipalName "example@exmp.com" -Path "DC=EXMP,DC=COM" –AccountPassword (ConvertTo-SecureString “Ex@mple123” -AsPlainText -force) -Enabled $true -KerberosEncryptionType RC4,AES128,AES256The previous command specifies an encryption type of RC4, which uses a weak NTLM hash. Follow your organization’s security policies and guidelines to include or exclude RC4 in this command. - Enter the following command to prevent the password from expiring and to prevent it from being changed:Get-ADUserUSER_NAME|Set-ADUser -PasswordNeverExpires:$True -CannotChangePassword:$trueFollow your organization’s security policies and guidelines for password expiration and rotation policies.
- Enter the following command to display the newly-created user account:Get-ADUserUSER_NAME-property msDS-KeyVersionNumber
- Associate the SPNs and export keytab files to use with Kerberos authentication in your Windows AD.A keytab file allows Explicit Proxy to validate the Kerberos authentication tokens provided during the traffic flows from users, servers, IoT devices, or other headless machines. During the keytab file creation, Explicit Proxy requires that the values you retrieved using the API in Step 2 be associated as ServicePrincipalNames (SPNs) with the user account you created in Step 3.Use theep_geo_lb_fqdn,ep_geo_lb_cname, andep_regional_fqdnvalues. These values allow Explicit Proxy to authenticate traffic flows to either of those proxy domains.
- Generate and export a keytab using theep_geo_lb_fqdnvalue as the service principal name (SPN) by entering the following commands:ktpass -princ HTTP/ep_geo_lb_fqdn@REALM-mapuserDOMAIN\USER_NAME-ptype KRB5_NT_PRINCIPAL -crypto all -passPASSWORD-outKEYTAB_NAME_1.keytabWhere:
- ep_geo_lb_fqdnis theep_geo_lb_fqdnvalue returned from the Explicit Proxy API script.
- REALMis the realm (for example,EXMP.COM).In most cases, you enter the realm using uppercase letters.
- DOMAIN\USER_NAMEis the domain-level logon name (for example,EXMP\example).
- PASSWORDis the password to use for the keytab. This password does not have to match the user password, but must match the value you create for theep_geo_lb_cnameandep_regional_fqdnSPNs in the next steps.
- KEYTAB_NAME_1is the name of the keytab. The keytab name must be unique to this SPN.
Be sure to follow the best practices for creating SPNs and passwords.The following CLI example has anep_geo_lb_fqdnofexample.proxy.prismaaccess.com, aREALMofEXMP.COM, aDOMAIN\USER_NAMEofEXMP\example, aPASSWORDofEx@mple123, and an exported keytab name ofexmp1.keytab:ktpass -princ HTTP/example.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp1.keytab - Generate and export a keytab using theep_geo_lb_cnamevalue as the SPN by entering the following commands:ktpass -princ HTTP/ep_geo_lb_cname@REALM-mapuserDOMAIN\USER_NAME-ptype KRB5_NT_PRINCIPAL -crypto all -passPASSWORD-outKEYTAB_NAME_2.keytabWhere:
- ep_geo_lb_cnameis theep_geo_lb_cnamevalue returned from the Explicit Proxy API script.
- REALMis the realm for example,EXMP.COM
- DOMAIN\USER_NAMEis the domain-level logon name (for example,EXMP\example).
- PASSWORDis the password to use for the keytab. This password must match theep_geo_lb_fqdnandep_regional_fqdnSPN passwords.
- KEYTAB_NAME_2is the name of the keytab you want to export. This name should be different than the other SPN keytab names you create.
The following CLI example has anep_geo_lb_cnameofprisma-abcde12345.proxy.prismaaccess.com, aREALMofEXMP.COM, aDOMAIN\USER_NAMEofEXMP\example, aPASSWORDofEx@mple123, and an exported keytab name ofexmp2.keytab:ktpass -princ HTTP/prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp2.keytab - Generate and export a keytab using theep_regional_fqdnvalue as the SPN by entering the following commands:ktpass -princ HTTP/ep_regional_fqdn@REALM-mapuserDOMAIN\USER_NAME-ptype KRB5_NT_PRINCIPAL -crypto all -passPASSWORD-outKEYTAB_NAME_3.keytabWhere:
- ep_regional_fqdnis theep_regional_fqdnvalue returned from the Explicit Proxy API script.
- REALMis the realm (for example,EXMP.COM).
- DOMAIN\USER_NAMEis the domain-level logon name (for example,EXMP\example).
- PASSWORDis the password to use for the keytab. This password must match theep_geo_lb_fqdnandep_geo_lb_cnameSPN passwords.
- KEYTAB_NAME_3is the name of the keytab you want to export. This name should be different than the other SPN keytab names you create.
The following CLI example has anep_regional_fqdnofus-west-2.prisma-abcde12345.proxy.prismaaccess.com, aREALMofEXMP.COM, aDOMAIN\USER_NAMEofEXMP\example, aPASSWORDofEx@mple123, and an exported keytab name ofexmp3.keytab:ktpass -princ HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp3.keytab(Optional) If you have additional locations that use differentep_regional_fqdnvalues, and you want to create keytabs for those locations, generate and export one or more additional keytabs by repeating Step 6.c, using theep_regional_fqdnvalue for those locations.Create a unique keytab name for each uniqueep_regional_fqdn. For example, if theep_regional_fqdnfor another location isus-east-2.prisma-abcde12345.proxy.prismaaccess.com, enter the following sample CLI with a unique exported keytab file name:ktpass -princ HTTP/us-east-2.prisma-abcde12345.proxy.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out exmp4.keytab - Delete unsupported ciphers in the created keytabs by entering the followingktutilcommands in Ubuntu.The following system output provides examples for cleaning up various ciphers:slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (des-cbc-crc) 2 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (des-cbc-md5) 3 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (arcfour-hmac) 4 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (aes256-cts-hmac-sha1-96) 5 3 HTTP/us-west-2.prisma-abcde12345.proxy.prismaaccess.com@PANW.COM (aes128-cts-hmac-sha1-96)# display all keytabs, get the key entry numbers to remove DES-CBC-MD5 and DES-CBC-CRC. # Also, enable or disable RC4-HMAC based on your organization’s policy. for i in `ls keytab_name*.keytab`; do echo $i; klist -Kte -k $i; done # cleanup unsupported ciphers # entry #1 is typically des-cbc-crc # entry #2 is typically des-cbc-md5 # entry #3 is typically arcfour-hmac ktutil rktKEYTAB_NAME_1.keytab delent 2 delent 1 wkt new1.keytab quit ktutil rktKEYTAB_NAME_2.keytab delent 2 delent 1 wkt new2.keytab quit ktutil rktKEYTAB_NAME_3.keytab delent 2 delent 1 wkt new3.keytab quitWhereKEYTAB_NAME_1.keytab,KEYTAB_NAME_2.keytab, andKEYTAB_NAME_3.keytab are the keytabs you created in the previous step.
- (Optional) If you created more keytabs for other regions, remove unsupported ciphers on those keytabs by entering the previousktutilcommand, substitutingKEYTAB_NAME_1.keytab with the keytab name you used for the region or regions and specifying a different output file (for example,new4.keytab,new5.keytab, and so on).
- Merge the keytabs you created by entering the followingktutilcommand, where new1.keytab, new2.keytab, and new3.keytab are the keytabs you created in the previous step, Be sure to include all the region-specific keytabs in this command:ktutil rkt new1.keytab rkt new2.keytab rkt new3.keytab # if you created any additional region-specific keytab files, add them here. wkt papxv1.keytab quitWhen complete, you use the keytab you created (papxv1.keytabin this example) as the keytab to use with Explicit Proxy.
- (Optional) If you need to add more regions to the keytab file you created later, use the Prisma Access API script to get theep_regional_fqdnfor that region, then repeat Step 6.c to generate and export a keytab for the newly-added region.The following command is a sample, where:
- us-south-1.prixma-abcde12345.prismaaccess.com@EXMP.COMis theep_regional_fqdnandrealm.
- EXMP\exampleis the domain-level logon name.
- Ex@mple123is the password.
- KEYTAB_NAME_5.keytabis the name of the newly-created regional keytab file.
- new5.keytabis the name of the keytab file with the ciphers removed.
- papxv1.keytabandnew5.keytabare the keytabs you are combining to create the final keytab,papxv2.keytab.
# associate new ep_regional_fqdn as SPN ktpass -princ HTTP/us-south-1.prixma-abcde12345.prismaaccess.com@EXMP.COM -mapuser EXMP\example -ptype KRB5_NT_PRINCIPAL -crypto all -pass Ex@mple123 -out KEYTAB_NAME_5.keytab # repeat cleanup and merge of KEYTAB_NAME_5.keytab to generate new5.keytab, and merge it with papxv1.keytab. ktutil rkt KEYTAB_NAME_5.keytab delent 2 delent 1 wkt new5.keytab quit ktutil rkt papxv1.keytab rkt new5.keytab wkt papxv2.keytab quitWhen complete, you use the keytab you created (papxv2.keytab in the previous example) as the keytab to use with Explicit Proxy. Update the authentication profile with this new keytab. - Set up a Kerberos authentication profile.The profile defines how Explicit Proxy connects to the Kerberos server for mobile user authentication.
- Go to , set the scope toExplicit Proxy, andAdd Profile.
- Select theAuthentication Method:Kerberos.
- Enter theProfile Nameto identify the server profile.The authentication profile specifies the server profile that the portal or gateways use when they authenticate users.
- Enter theKerberos Realm(up to 127 characters) to specify the hostname portion of the user login name. For example, the user account name user@EXMP.COM has the realm EXMP.COM.
- During authentication, the endpoint first attempts to establish SSO using the keytab.
- Add theUsers Allowed to Authenticatewith this profile.
- To select all users,Match all.
- If you’re using the Cloud Identity Engine to populate the list of users, select the users from a list, or selectallto allow all users to authenticate.
- To add local users that can log in using Kerberos,Add Local User, add theName, and create aPassword.
- Saveyour changes.
- Associate the authentication profile with an authentication method.
- Go to .
- Select theConnection Name.
- Select anAuthentication MethodofKerberosand select the KerberosProfileyou created.
- Saveyour changes.
- Add the egress IP addresses of the branch or campus location where your users, servers, IoT devices, or headless machines are located to the list of trusted Explicit Proxy addresses.
- Go to .
- Add Address(one or more) to theTrusted Source Addressfield.If you do not add the egress endpoint IP addresses to the trusted list, Explicit Proxy forces users and machines to authenticate with SAML as well as Kerberos.Enter a maximum of 100,000 IP addresses.
- Saveyour changes.
- Push Configto save your configuration changes.
- Verify that Kerberos authentication is working with Prisma Access by viewing the traffic and authentication logs.
- (Decrypted traffic only) Go to and check that the Kerberos authentication is working.Decrypted traffic displays the user name in the traffic logs.
- (Undecrypted traffic only) Go to and check that Kerberos authentication is working correctly.The following fields provide more information about the authentication event:
- Object—The website the user was attempting to access before being redirected to Kerberos to authenticate.
- Auth Event—The status of the authentication attempt.Authentication Successindicates that the authentication event was successful;Authentication Failureindicates that the attempt failed.
- Authentication Description—If the authentication attempt failed, additional information about the type of failure.For example,user not allowedindicates that the user or group is not allowed to use Kerberos to authenticate, possible because it was not added to theAllow Listin the authentication profile.
