Kerberos error "-1765328228" observed after configuring with WinRM-HTTP or WinRM-HTTPS for Agentless User-ID

16240
Created On 01/25/23 18:22 PM - Last Modified 04/10/23 19:35 PM


Symptom


  • Kerberos error "-1765328228" is observed after configuring with WinRM-HTTP or WinRM-HTTPS for Agentless User-ID
Details:
WinRM-HTTP Kerberos server profile
  • Kerberos server profile is added to the Agentless User-ID configuration (GUI: Device > User Identification > User Mapping)
Agentless User-ID configuration with WinRM-HTTP Kerberos server profile
  • After committing the changes, the Agentless User-ID configuration shows "Connection failed" and the following entries are written to useridd.log (view with: less mp-log useridd.log)
2022-08-28 15:59:52.139 -0700 Error:  pan_user_id_krb5_init_ticket(pan_user_id_win.c:1982): failed to get krb5 tgt ticket with error -1765328228.
2022-08-28 15:59:52.139 -0700 Error:  pan_user_id_krb5_init_ticket(pan_user_id_win.c:1987): krb5: accout=svc-panuserid, domain=PLANOLAB.COM, principal=svc-panuserid@PLANOLAB.COM, cached file=/opt/pancfg/.userid/krb5_cache_1_lab101.planolab.com_1661450486.
2022-08-28 15:59:52.139 -0700 Error:  pan_user_id_krb5_init_ticket(pan_user_id_win.c:2013): krb5 error -1765328228: Cannot contact any KDC for realm 'PLANOLAB.COM'.
2022-08-28 15:59:52.139 -0700 Warning:  pan_user_id_krb5_set(pan_user_id_win.c:2101): failed to acquire krb5 tgt ticket on vsys 1 for server lab101.planolab.com.
2022-08-28 15:59:52.139 -0700 Error:  pan_user_id_winrm_query(pan_user_id_win.c:2628): failed to prepare winrm connection in vsys 1, server=lab101.planolab.com.
2022-08-28 15:59:53.238 -0700 krb5 config:
[libdefaults]
         default_realm = PLANOLAB.COM
         dns_lookup_realm = true
         dns_lookup_kdc = true
         rdns = false
         dns_canonicalize_hostname = false
         default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
         default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
         forwardable = true
[realms]
         PLANOLAB.COM = {
                 kdc = lab101.planolab.com:5985
         }
  • Similar log entries are generated when the Kerberos server profile is configured to use port 5986 while Agentless User-ID has the WinRM-HTTPS protocol enabled
  • This particular error message, "failed to get krb5 tgt ticket with error -1765328228", is generated when the Kerberos server profile has an incorrect port configured


Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • Agentless User-ID
  • WinRM-HTTP or WinRM-HTTPS protocol
  • Kerberos Authentication Profile


Cause


When either the WinRM-HTTP or the WinRM-HTTPS protocol is enabled in the Agentless User-ID configuration, the PAN-OS firewall uses port 5985 or 5986 respectively when connecting to the Domain Controller(s). These ports do not need to be explicitly configured anywhere else, and they are not Kerberos ports: entering one of them in the Kerberos server profile sends the TGT request to the WinRM listener instead of the KDC.

Resolution


Leave the port in the Kerberos server profile at its default. The PAN-OS firewall then uses the default port 88 to connect to the Kerberos server for either protocol, as shown below:
WinRM-HTTP Kerberos server profile with correct port
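To make the diagnosis above repeatable, here is an added Python example (not Palo Alto Networks code) that parses the "krb5 config:" dump the firewall writes to useridd.log and flags any kdc entry that points at a WinRM port (5985/5986) instead of Kerberos port 88. The sample log is constructed from the lines quoted above; the error code -1765328228 is the MIT krb5 constant KRB5_KDC_UNREACH ("Cannot contact any KDC for requested realm").

```python
import re

# Constructed excerpt modelled on the useridd.log lines quoted in this article (not a live log).
SAMPLE_LOG = """2022-08-28 15:59:52.139 -0700 Error:  pan_user_id_krb5_init_ticket(pan_user_id_win.c:1982): failed to get krb5 tgt ticket with error -1765328228.
2022-08-28 15:59:52.139 -0700 Error:  pan_user_id_krb5_init_ticket(pan_user_id_win.c:2013): krb5 error -1765328228: Cannot contact any KDC for realm 'PLANOLAB.COM'.
2022-08-28 15:59:53.238 -0700 krb5 config:
[libdefaults]
         default_realm = PLANOLAB.COM
[realms]
         PLANOLAB.COM = {
                 kdc = lab101.planolab.com:5985
         }
"""

KRB5_KDC_UNREACH = -1765328228          # MIT krb5: "Cannot contact any KDC for requested realm"
KERBEROS_PORT = 88                      # default KDC port; PAN-OS uses it when no port is set
WINRM_PORTS = {5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}  # used by Agentless User-ID, never by Kerberos


def parse_kdc_entries(krb5_config):
    """Return {realm: [(host, port), ...]} from the [realms] section of a krb5 config dump."""
    entries, realm, in_realms = {}, None, False
    for line in krb5_config.splitlines():
        s = line.strip()
        if s.startswith("["):                   # section header, e.g. [realms]
            in_realms = (s == "[realms]")
        elif in_realms and (m := re.match(r"(\S+)\s*=\s*\{", s)):
            realm = m.group(1)
            entries.setdefault(realm, [])
        elif in_realms and s == "}":
            realm = None
        elif realm and (m := re.match(r"kdc\s*=\s*([^\s:]+)(?::(\d+))?", s)):
            port = int(m.group(2)) if m.group(2) else KERBEROS_PORT  # no port means 88
            entries[realm].append((m.group(1), port))
    return entries


def find_tgt_errors(log_text):
    """Return the set of krb5 error codes reported while acquiring a TGT."""
    return {int(c) for c in re.findall(r"failed to get krb5 tgt ticket with error (-?\d+)", log_text)}


def diagnose(log_text):
    """Explain a KRB5_KDC_UNREACH failure: a kdc entry on a WinRM port is the misconfiguration this article describes."""
    findings = []
    config = log_text.split("krb5 config:", 1)[1] if "krb5 config:" in log_text else ""
    for realm, kdcs in parse_kdc_entries(config).items():
        for host, port in kdcs:
            if port in WINRM_PORTS:
                findings.append(f"{realm}: kdc {host}:{port} is the {WINRM_PORTS[port]} port; "
                                f"set the Kerberos server profile back to port {KERBEROS_PORT}")
    if KRB5_KDC_UNREACH in find_tgt_errors(log_text) and not findings:
        findings.append("KRB5_KDC_UNREACH reported with kdc ports correct; check that UDP/TCP 88 to the KDC is reachable")
    return findings
```

Run diagnose() over a copy of useridd.log taken after the failed commit; an empty list means neither the port misconfiguration nor the TGT error is present.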
 
 

