Palo Alto Networks Knowledgebase: User Authentication Fails with Secondary Kerberos Server in a Kerberos Server Profile
Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
Multiple Kerberos servers can be configured in a Kerberos Server Profile for user authentication. A secondary Kerberos server, for example, can be specified for redundancy in case of primary server outage.
When the first Kerberos server in the profile is unreachable, authentication against the secondary server fails even though it is up. The firewall does fall back to the secondary server, but the authentication request is abandoned before the secondary server's answer arrives.
The failure is reported as a "timed out" response from authd (the firewall's authentication daemon), not as an error from the Kerberos server itself.
Example of authd.log output:
Nov 21 16:42:30 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:42:30 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 0 bytes from authd
Nov 21 16:42:30 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001
The firewall's authentication function needs about 4 seconds to give up on the unreachable primary server before it queries the secondary Kerberos server. The default l3-service timeout is 3 seconds, which is shorter than that, so the l3-service stops waiting before a response from the secondary server can arrive. That is the "Timed out waiting for response from authd" error in the log above.
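The following Python script is an added example, not part of the original article, for telling this timeout-induced failure apart from ordinary authentication failures in authd.log. It parses a constructed log sample modelled on the excerpt above, flags "Failed to authenticate user" lines that follow an authd timeout within a short window, and encodes the article's timeout arithmetic in min_l3_timeout(). The sample log, the assumed year for the year-less syslog timestamps, and the 5-second correlation window are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the authd.log excerpt in the article (not
# captured from a real firewall). user001 fails right after an authd timeout,
# which is the l3-service symptom; user003 fails with no timeout before it,
# so that failure has some other cause (bad password, unknown principal, ...).
SAMPLE_AUTHD_LOG = """\
Nov 21 16:42:30 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:42:30 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 0 bytes from authd
Nov 21 16:42:30 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001
Nov 21 16:43:10 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user003
"""

# syslog-style timestamp with no year, e.g. "Nov 21 16:42:30"
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
TIMEOUT_RE = re.compile(_TS + r" Error: pan_auth_send_rcv_msg\([^)]*\): Timed out waiting for response from authd")
FAIL_RE = re.compile(_TS + r" Error: pan_auth_authenticate_user_str\([^)]*\): Failed to authenticate user (?P<user>\S+)")

# Assumed year: the log carries none, so one is picked to make timestamps comparable.
ASSUMED_YEAR = 2018


def _parse_ts(raw):
    return datetime.strptime(f"{ASSUMED_YEAR} {raw}", "%Y %b %d %H:%M:%S")


def _events(log_text):
    """Yield (datetime, raw_ts, kind, user) for the two line types of interest."""
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            yield _parse_ts(m["ts"]), m["ts"], "timeout", None
            continue
        m = FAIL_RE.match(line)
        if m:
            yield _parse_ts(m["ts"]), m["ts"], "fail", m["user"]


def all_failures(log_text):
    """Every 'Failed to authenticate user' line as (user, timestamp)."""
    return [(user, raw) for _, raw, kind, user in _events(log_text) if kind == "fail"]


def timeout_failures(log_text, window_seconds=5):
    """Failures that follow an authd timeout within window_seconds.

    Each timeout is consumed by at most one failure, so unrelated failures
    later in the log are not blamed on it.
    """
    hits = []
    last_timeout = None
    for dt, raw, kind, user in _events(log_text):
        if kind == "timeout":
            last_timeout = dt
        elif last_timeout is not None and (dt - last_timeout).total_seconds() <= window_seconds:
            hits.append((user, raw))
            last_timeout = None
    return hits


def min_l3_timeout(failover_delay_seconds, default=3, maximum=30):
    """Smallest l3-service timeout (whole seconds) that outlives the failover delay.

    Encodes the article's reasoning: the timeout must exceed the ~4 s the
    firewall needs before it queries the secondary server, and the setting
    only accepts values from 3 to 30.
    """
    needed = int(failover_delay_seconds) + 1
    value = max(default, needed)
    if value > maximum:
        raise ValueError(f"no allowed l3-service timeout exceeds {failover_delay_seconds}s")
    return value


if __name__ == "__main__":
    for user, ts in timeout_failures(SAMPLE_AUTHD_LOG):
        print(f"{ts}: {user} failed after an authd timeout; check the l3-service timeout")
    print("suggested l3-service timeout:", min_l3_timeout(4))
```

To run it against a real firewall, save the output of `less mp-log authd.log` to a file and pass its contents to timeout_failures(); failures it reports that line up with a primary-server outage are the case this article describes, while failures it does not report need a different explanation.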
Increase the l3-service timeout from configure mode in the CLI:
# set deviceconfig setting l3-service timeout <value>
The default <value> is 3 seconds and the allowed range is 3 to 30. Start by testing authentication with a value of 5, the smallest value that exceeds the 4-second failover delay, and adjust as needed. The change takes effect only after it is committed.