GlobalProtect Users Unable to Authenticate when Using Kerberos
Created On 09/26/18 19:16 PM - Last Modified 12/17/20 20:14 PM
- Previously, users were able to authenticate successfully and no changes have been made to the environment.
- "Event ID 4771: Kerberos Pre-authentication failed" logs are seen in the security logs of the Active Directory server that correlate with the GlobalProtect authentication attempts.
- Result Code 0x25 may also be seen within the event log.
The Palo Alto Networks firewall reports invalid username/password.
- GlobalProtect Infrastructure
- Windows Domain Environment
- Kerberos requires the clock between a client and the server to be less than 5 minutes apart. Check the firewall's current time either through the WebUI or the CLI:
- WebUI: The current time is available under the "General Information" section on the dashboard.
- CLI: Run the command "show clock " to see the current time of the firewall.
- Compare this time with the current time of the Active Directory server. They must be within 5 minutes of each other for Kerberos authentication to work.