Palo Alto Networks Knowledgebase: User Authentication Fails with Secondary Kerberos Server in a Kerberos Server Profile

User Authentication Fails with Secondary Kerberos Server in a Kerberos Server Profile

Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM


Multiple Kerberos servers can be configured in a Kerberos Server Profile for user authentication. A secondary Kerberos server, for example, can be specified for redundancy in case of primary server outage.

[Screenshot: Kerberos Server Profile configured with a primary and a secondary Kerberos server]



The Palo Alto Networks firewall only queries the first Kerberos server. Authentication against the secondary Kerberos server fails during an outage of the first server.



Authentication to the secondary Kerberos server fails with a "timed out" response from the server.


Example of authd.log output:

Nov 21 16:42:30 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)

Nov 21 16:42:30 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 0 bytes from authd

Nov 21 16:42:30 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001



It takes 4 seconds until the firewall authentication function queries the secondary Kerberos server. The default l3-service timeout is 3 seconds, which is shorter than the time needed to reach the secondary server. Thus, the l3-service gives up before it receives a response from the secondary Kerberos server.
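The following is an added example, not part of the original article: a small Python script that scans authd.log output for the signature described above (an authd timeout immediately followed by a failed user authentication) and reports the affected users, plus a helper that checks whether a candidate l3-service timeout stays within the documented 3-30 range and exceeds the 4-second delay before the secondary server is queried. The sample log text is constructed from the lines quoted in the article, the 5-second correlation window and the "timeout must exceed the failover delay" rule are simplifying assumptions of this example, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample of authd.log output, modelled on the lines quoted in the article.
# user001 fails right after an authd timeout; user002 fails with no preceding timeout.
SAMPLE_AUTHD_LOG = """\
Nov 21 16:42:30 Error: pan_auth_send_rcv_msg(pan_auth_msg.c:90): Timed out waiting for response from authd (0) (No such file or directory)
Nov 21 16:42:30 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 0 bytes from authd
Nov 21 16:42:30 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user001
Nov 21 16:45:02 pan_auth_send_rcv_msg(pan_auth_msg.c:119): Debug : Received 128 bytes from authd
Nov 21 16:47:11 Error: pan_auth_authenticate_user_str(pan_auth_msg.c:569): Failed to authenticate user user002
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
TIMEOUT_RE = re.compile(r"Timed out waiting for response from authd")
FAILED_RE = re.compile(r"Failed to authenticate user (\S+)")

# Assumption of this example: a failure within this many seconds of a timeout is attributed to it.
CORRELATION_WINDOW_SECONDS = 5

# Values taken from the article: allowed l3-service timeout range and the secondary-server delay.
L3_SERVICE_TIMEOUT_RANGE = (3, 30)
SECONDARY_QUERY_DELAY_SECONDS = 4


def _parse_ts(ts):
    # authd.log timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_timeout_failures(log_text):
    """Return (timestamp, user) pairs for authentication failures that follow an
    authd timeout within CORRELATION_WINDOW_SECONDS. Other failures are ignored."""
    last_timeout = None
    hits = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m.group(1))
        if TIMEOUT_RE.search(line):
            last_timeout = ts
            continue
        f = FAILED_RE.search(line)
        if f:
            if last_timeout is not None and 0 <= (ts - last_timeout).total_seconds() <= CORRELATION_WINDOW_SECONDS:
                hits.append((m.group(1), f.group(1)))
            last_timeout = None
    return hits


def l3_timeout_covers_failover(timeout, failover_delay=SECONDARY_QUERY_DELAY_SECONDS):
    """True if `timeout` (seconds) is within the allowed range and leaves the l3-service
    waiting longer than the delay before the secondary Kerberos server is queried.
    Raises ValueError for values the firewall would not accept."""
    lo, hi = L3_SERVICE_TIMEOUT_RANGE
    if not lo <= timeout <= hi:
        raise ValueError(f"l3-service timeout must be between {lo} and {hi}, got {timeout}")
    return timeout > failover_delay


if __name__ == "__main__":
    for ts, user in find_timeout_failures(SAMPLE_AUTHD_LOG):
        print(f"{ts}: {user} failed after an authd timeout (check l3-service timeout)")
    for candidate in (3, 5):
        print(f"l3-service timeout {candidate}s covers failover: {l3_timeout_covers_failover(candidate)}")
```

Run against a real authd.log (`tail -f` output pasted into `SAMPLE_AUTHD_LOG`, or read from a file) to separate failures that are consistent with the timeout described here from ordinary bad-password failures, which do not show the preceding "Timed out waiting for response from authd" line.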



Change the l3-service timeout value with the commands below.

> configure

# set deviceconfig setting l3-service timeout <value>

# commit

The default for <value> is 3 and the range is from 3 to 30. Test authentication with a value of 5 and adjust as needed.


owner: tshimizu
