What are the client trust settings required to change the redirect URL for captive portal with Kerberos SSO?

Created On 11/10/24 20:04 PM - Last Modified 04/04/25 20:07 PM


Question


What additional settings are required to change the redirect URL for the captive portal with Kerberos?



Environment


  • Palo Alto Firewalls
  • Windows Server
  • Kerberos SSO Authentication


Answer


  1. To change the redirect URL for a Palo Alto captive portal, navigate to Device > User Identification > Authentication Portal Settings.

  2. Within the settings, modify the "Redirect Host" field to the desired URL, ensuring it matches the hostname used in your certificate's Common Name.

The following additional changes are required when using a captive portal with Kerberos SSO:

  1. Add the new redirect URL to the sites within the Intranet and Trusted sites zones. For security reasons, Edge only allows Kerberos delegation to sites within the Intranet and Trusted Sites zones.

  2. Add the new URL to the following two locations through a group policy update:
    1. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\AuthServerAllowList
    2. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AuthServerAllowList 
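
To confirm on a client that the group policy update delivered the new redirect host to both browsers, the following PowerShell check can be used. It is an added example, not part of the original article; the hostname `portal.example.internal` is a placeholder and `Test-AuthServerAllowList` is a hypothetical helper name. It only inspects the two AuthServerAllowList values, not the Intranet or Trusted Sites zone assignment.

```powershell
# Placeholder hostname (assumption): replace with your Redirect Host value.
$RedirectHost = 'portal.example.internal'

# Policy keys from the article. AuthServerAllowList is a string value under
# each key holding a comma-separated list of servers; "*" wildcards are allowed.
$PolicyKeys = [ordered]@{
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
}

# Hypothetical helper: is $HostName matched by any entry of the raw policy value?
function Test-AuthServerAllowList {
    param([string]$HostName, [string]$AllowList)

    $entries = @($AllowList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $matched = @($entries | Where-Object { $HostName -like $_ })

    [pscustomobject]@{
        Covered   = $matched.Count -gt 0
        MatchedBy = $matched -join ', '
        # A lone "*" matches every server, far broader than this change needs.
        Broad     = $entries -contains '*'
        Entries   = $entries -join ', '
    }
}

foreach ($browser in $PolicyKeys.Keys) {
    # Returns nothing (no error) when the key or value is absent.
    $item  = Get-ItemProperty -Path $PolicyKeys[$browser] -Name 'AuthServerAllowList' -ErrorAction SilentlyContinue
    $check = Test-AuthServerAllowList -HostName $RedirectHost -AllowList $item.AuthServerAllowList

    [pscustomobject]@{
        Browser   = $browser
        PolicySet = [bool]$item
        Covered   = $check.Covered
        MatchedBy = $check.MatchedBy
        Broad     = $check.Broad
        Entries   = $check.Entries
    }
}
```

Run it on a client after the group policy update has applied; `Covered` should be `True` for each browser in use, and a `Broad` result of `True` is worth reviewing before rollout.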


