Kerberos and service account configuration for Web Proxy in AD
Created On 05/29/23 21:36 PM - Last Modified 11/03/25 21:30 PM
Objective
The purpose of this article is to provide the steps required to configure Kerberos in AD for a Web Proxy setup.
Environment
- PAN-OS 11 and above
- PA-3400 and PA-1400
- VM series
Procedure
Kerberos and service account configuration for Web Proxy in AD.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* m7 is the user account created for Kerberos on the Windows AD server.
* Right-click the user m7 > Properties > Account > change the user logon name to HTTP/<any name>.<domain>
Here “pxy” is the name and “pantac-88-151.local” is the domain name, so the logon name becomes HTTP/pxy.pantac-88-151.local.
* Under Account options, check “This account supports Kerberos AES 256 bit encryption”.
* Add a DNS entry for the account name (pxy.pantac-88-151.local) configured above:
open DNS Manager > Forward Lookup Zones > pantac-88-151.local (the AD domain) > right-click > New Host (A or AAAA) > enter the name (pxy here) and the IP (192.168.1.1).
The IP 192.168.1.1 is the trusted (LAN) interface IP of the firewall; the same IP is used as the web proxy IP.
The firewall interface configuration and the web proxy settings (shown in the screenshots of the original article) both use this IP.
* Set the service principal name HTTP/<FQDN> on the user m7:
setspn -s HTTP/<FQDN> <accountname>
e.g. setspn -s HTTP/pxy.pantac-88-151.local m7
To verify the SPN is registered on the account:
setspn -l <accountname>
e.g. setspn -l m7
* Generate the keytab with the following command:
ktpass /out <filename.keytab> /princ HTTP/<FQDN>@<REALM> /mapuser <username> /pass <password> /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
The REALM must be in capital letters; here the REALM is PANTAC-88-151.LOCAL.
e.g. ktpass /out abc.keytab /princ HTTP/pxy.pantac-88-151.local@PANTAC-88-151.LOCAL /mapuser m7 /pass <password> /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
In the screenshot the command is run from C:\Users\Administrator, so the keytab (here abc.keytab) is written to that directory.
Open C:\Users\Administrator, copy the keytab and paste it on the local PC/laptop from which the firewall is managed.
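As an added check that is not part of the original article: the following Python parses the file ktpass writes (MIT keytab format, version 0x0502) and confirms, before the keytab is imported into the firewall, that it holds the HTTP/pxy.pantac-88-151.local@PANTAC-88-151.LOCAL principal with an upper-case realm and an AES256-SHA1 (enctype 18) key. The key bytes in the sample are constructed for the example; to check a real file, pass open("abc.keytab", "rb").read() to check_proxy_keytab.

```python
import struct
KRB5_NT_PRINCIPAL, AES256_SHA1 = 1, 18   # ktpass /ptype and /crypto values from the article

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size < 0:                          # a negative size marks a deleted slot
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, names = pos + 2, []
        for _ in range(ncomp + 1):            # realm first, then the principal's components
            (n,) = struct.unpack_from(">H", data, pos)
            names.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                      # step over the key material itself
        # an optional trailing uint32 carries the full kvno; otherwise use the 8-bit field
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0],
                        "name_type": name_type, "enctype": enctype, "kvno": kvno})
        pos = end
    return entries

def check_proxy_keytab(data, principal):
    # Empty list means the keytab holds the expected SPN with an upper-case realm and an AES256 key
    hits = [e for e in parse_keytab(data) if e["principal"] == principal]
    problems = [] if hits else [f"no entry for {principal}"]
    for e in hits:
        if e["enctype"] != AES256_SHA1:
            problems.append(f"enctype {e['enctype']} is not AES256-SHA1 (18)")
        if not e["principal"].split("@")[1].isupper():
            problems.append("realm is not upper-case")
    return problems
def build_keytab(principal, enctype, key, kvno=3):
    # Constructed one-entry keytab for testing, written in the same 0x0502 layout
    name, realm = principal.split("@", 1)
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBH", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF, enctype)
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
PROXY_PRINCIPAL = "HTTP/pxy.pantac-88-151.local@PANTAC-88-151.LOCAL"
# Constructed sample key, not a real secret; ktpass derives the real one from the password
GOOD_KEYTAB = build_keytab(PROXY_PRINCIPAL, AES256_SHA1, b"\x11" * 32)
```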
The AD server/Kerberos server IP is 192.168.1.5.
* Configure a Kerberos server profile on the firewall:
Device > Server Profiles > Kerberos > enter a profile name > Add > enter the Kerberos server/AD IP (here 192.168.1.5) and port 88.
* Create an authentication profile on the firewall:
Device > Authentication Profile > Add > enter a name > Authentication type: Kerberos
Server profile: the name of the server profile created in the previous step
Kerberos Realm: the realm created in the AD
Kerberos Keytab: click Import and browse to the location where the keytab file was copied
After clicking OK the result looks like the screenshot below.
The client PC must be a member of the same domain as the AD (here pantac-88-151.local).
Log in to the client PC with the account created for Kerberos, here m7,
i.e. log in to the client PC as m7@pantac-88-151.local.
* Set the DNS server on the client PC to the AD server IP (192.168.1.5).
* Open Proxy in the client PC settings > Manual proxy setup > enable “Use a proxy server”.
Address: http://<FQDN>, port 8080
e.g. http://pxy.pantac-88-151.local, which resolves to 192.168.1.1