<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic GlobalProtect / Mac-OS / Kerberos: Authentication failed: empty password in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-mac-os-kerberos-authentication-failed-empty/m-p/549676#M4214</link>
    <description>&lt;P&gt;&lt;SPAN&gt;I'm working on an environment that uses a product called "Jamf Connect" to provide Kerberos authentication for Mac-OS users. It works for all services on the domain except for an internal GlobalProtect gateway which is configured for Kerberos SSO, which works perfectly for domain-joined Windows machines...&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;When the Mac-OS client first connects to the Portal, it's prompting users for credentials which can lead to group-mapping issues if they don't enter their full account name (domain prefix or UPN). In the interests of a consistent UX, we don't want users manually authenticating to the portal/gateway so appending domains is out of the question.&lt;/P&gt;
&lt;P&gt;Looking at authd.log, the initial Kerberos authentication appears to be successful (&lt;SPAN&gt;PAN_AUTH_SUCCESS); however, the GP logs report "Authentication failed: empty password" and the client prompts for credentials. Once the credentials are submitted, the resulting debugs in authd.log are identical to those of the previous auth failure, but this time the client connects successfully.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I understand there are several factors at play, including the third-party Kerberos agent; however, I can't see anything technically wrong with the process.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Has anyone else had GP Kerberos auth working successfully on a Mac? From what I have seen, Kerberos SSO for GP is not all that common, as it implies the device is already on the network (or on a pre-login tunnel if using external gateways), and Kerberos is even less common on a Mac.&lt;/P&gt;</description>
    <pubDate>Mon, 17 Jul 2023 23:40:51 GMT</pubDate>
    <dc:creator>mb_equate</dc:creator>
    <dc:date>2023-07-17T23:40:51Z</dc:date>
    <item>
      <title>GlobalProtect / Mac-OS / Kerberos: Authentication failed: empty password</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-mac-os-kerberos-authentication-failed-empty/m-p/549676#M4214</link>
      <description>&lt;P&gt;&lt;SPAN&gt;I'm working on an environment that uses a product called "Jamf Connect" to provide Kerberos authentication for Mac-OS users. It works for all services on the domain except for an internal GlobalProtect gateway which is configured for Kerberos SSO, which works perfectly for domain-joined Windows machines...&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;When the Mac-OS client first connects to the Portal, it's prompting users for credentials which can lead to group-mapping issues if they don't enter their full account name (domain prefix or UPN). In the interests of a consistent UX, we don't want users manually authenticating to the portal/gateway so appending domains is out of the question.&lt;/P&gt;
&lt;P&gt;Looking at authd.log, the initial Kerberos authentication appears to be successful (&lt;SPAN&gt;PAN_AUTH_SUCCESS); however, the GP logs report "Authentication failed: empty password" and the client prompts for credentials. Once the credentials are submitted, the resulting debugs in authd.log are identical to those of the previous auth failure, but this time the client connects successfully.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I understand there are several factors at play, including the third-party Kerberos agent; however, I can't see anything technically wrong with the process.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Has anyone else had GP Kerberos auth working successfully on a Mac? From what I have seen, Kerberos SSO for GP is not all that common, as it implies the device is already on the network (or on a pre-login tunnel if using external gateways), and Kerberos is even less common on a Mac.&lt;/P&gt;</description>
      <pubDate>Mon, 17 Jul 2023 23:40:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-mac-os-kerberos-authentication-failed-empty/m-p/549676#M4214</guid>
      <dc:creator>mb_equate</dc:creator>
      <dc:date>2023-07-17T23:40:51Z</dc:date>
    </item>
  </channel>
</rss>

