GlobalProtect Users Unable to Authenticate when Using Kerberos

26493

Created On 09/26/18 19:16 PM - Last Modified 12/17/20 20:14 PM

Content Release

Deployment

GlobalProtect

Symptom

Previously, users were able to authenticate successfully and no changes have been made to the environment.
"Event ID 4771: Kerberos Pre-authentication failed" logs are seen in the security logs of the Active Directory server that correlate with the GlobalProtect authentication attempts.
Result Code 0x25 may also be seen within the event log.
The Palo Alto Networks firewall reports invalid username/password.

Kerberos requires the clock between a client and the server to be less than 5 minutes apart. Check the firewall's current time either through the WebUI or the CLI:

WebUI: The current time is available under the "General Information" section on the dashboard.
CLI: Run the command "show clock " to see the current time of the firewall.

Compare this time with the current time of the Active Directory server. They must be within 5 minutes of each other for Kerberos authentication to work.

Consider utilizing NTP to sync both the firewall and the Active Directory server to the same time source in order to eliminate this issue from reoccurring.
If NTP is not an option for any reason, update the date and time on the firewall or the Active Directory server so that they are both within 5 minutes of each other.
If manually updating the time, be aware that minor inconsistencies with the time clock of both devices will likely cause this issue to resurface again in the future.
To update the time on the firewall:

Go to Device > Setup > Management and update the Date and Time under the "General Settings" category.
Note: Time and date settings will take effect on the firewall immediately. No commit is necessary.