How to Configure Kerberos Authentication in PAN-OS 8.1

Created On 09/25/18 17:41 PM - Last Modified 07/27/23 18:57 PM


Environment


  • PAN-OS 8.1
  • Kerberos Authentication


Resolution


*For more up-to-date information, see the documents below:
Set Up Kerberos Authentication PAN-OS 9.1
Configure Kerberos Server Authentication PAN-OS 10.2


Details

Configuring a Kerberos server profile allows users to authenticate natively to a domain controller. Once the Kerberos settings are configured, Kerberos becomes available as an option when defining authentication profiles. Recommendations for configuring Kerberos are provided below:

 

DNS Entries

If you are using Active Directory, it is easiest to use the AD DNS server as the PAN firewall's DNS server, because the DNS entries Kerberos authentication needs already exist there. If that is not possible, make sure the DNS server the firewall uses has Service Location (SRV) entries for _kerberos._tcp and _kerberos._udp.

 

As an example, if there is an Active Directory server named w2k3.pantac2.org, the zone also needs service location (SRV) entries for _kerberos._tcp.pantac2.org and _kerberos._udp.pantac2.org.

Below is an example from a Linux server running the BIND 9 DNS server:

 

srvce.prot.name   ttl  class  rr   pri  weight  port  target
w2k3                   IN     A                        10.30.14.132
_kerberos._tcp         IN     SRV  0    100     88    w2k3
_kerberos._udp         IN     SRV  0    100     88    w2k3
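The following is an added example, not part of the Palo Alto Networks article: a small Python check that parses a zone fragment in the format shown above and confirms that both _kerberos._tcp and _kerberos._udp SRV records exist, point at port 88, and name a target that has an A record in the same zone. The sample zone text is constructed to match the pantac2.org example; the record-format parser is deliberately minimal (A and SRV lines only).

```python
# Constructed sample zone fragment, matching the article's pantac2.org example.
SAMPLE_ZONE = """
w2k3            IN  A    10.30.14.132
_kerberos._tcp  IN  SRV  0 100 88 w2k3
_kerberos._udp  IN  SRV  0 100 88 w2k3
"""

REQUIRED_SRV = ("_kerberos._tcp", "_kerberos._udp")
KERBEROS_PORT = 88


def parse_zone(text):
    """Parse a simplified BIND zone fragment into A and SRV records.

    Returns (a_records, srv_records): owner -> IPv4 string, and
    owner -> list of (priority, weight, port, target). Only
    'owner [ttl] IN A ip' and 'owner [ttl] IN SRV pri weight port target'
    lines are understood; ';' comments and other record types are skipped.
    """
    a_records, srv_records = {}, {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) < 4:
            continue
        if fields[1].isdigit():          # optional TTL between owner and class
            del fields[1]
        owner, cls, rtype, *rdata = fields
        if cls.upper() != "IN":
            continue
        if rtype.upper() == "A" and len(rdata) == 1:
            a_records[owner] = rdata[0]
        elif rtype.upper() == "SRV" and len(rdata) == 4:
            pri, weight, port, target = rdata
            srv_records.setdefault(owner, []).append(
                (int(pri), int(weight), int(port), target))
    return a_records, srv_records


def check_kerberos_srv(text):
    """Return the list of problems found; an empty list means the zone is usable."""
    a_records, srv_records = parse_zone(text)
    problems = []
    for owner in REQUIRED_SRV:
        entries = srv_records.get(owner)
        if not entries:
            problems.append(f"missing SRV record for {owner}")
            continue
        for _pri, _weight, port, target in entries:
            if port != KERBEROS_PORT:
                problems.append(f"{owner} points at port {port}, expected {KERBEROS_PORT}")
            if target not in a_records:   # targets compared as written (relative names)
                problems.append(f"{owner} target {target} has no A record in this zone")
    return problems
```

Running `check_kerberos_srv(SAMPLE_ZONE)` returns an empty list for the zone above; feed it your own zone fragment to see which records a firewall pointed at that DNS server would fail to find.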

 

NTP Server

The time on the Palo Alto Networks device and on the Kerberos server must be synchronized to within 5 minutes of each other; Kerberos rejects requests whose timestamps fall outside this clock skew, which is a security feature built into the protocol. Both the device and the AD server should be configured to use an NTP server.

 

Device Configuration

Create the Kerberos Server profile: Device tab > Server Profiles > Kerberos:

 

Enter the name of the profile. For the user account name user@pantac2.org, the Realm (up to 127 characters) is the FQDN, "pantac2.org". Enter the Domain for the user account (up to 63 characters), which in our example is "pantac2". For each server, click Add and enter the Server name. Enter the server FQDN under Host, and optionally a port number for communication with the server.

doc-1762-1.png

 

Create an Auth Profile: Device tab > Authentication Profile > New. Select Authentication type "Kerberos" and be sure to select the Kerberos server profile configured above. An example is shown below:

doc-1762-2.png

 

This Auth Profile can be used for SSL VPN, Captive Portal, or administrator logins. The Auth Profile above was configured to allow all authentication requests to reach the AD server. The Auth Profile can be customized by using AD groups to determine which users are permitted to send an authentication request to the AD server.

 

owner: rnitz
