https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236114#M6208 <P>anyone have the steps for kerberos with captival portal?</P><P>The issues i'm facing is when i enter a external website and it will prompt me with the login prompt. If i login and is working fine but end goal is to do SSO via kerberos for captival portal.&nbsp;</P><P>&nbsp;</P><P>From the client, i should have seen this but it doesn't appear.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbashash81_0-1755414425506.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68906i16C352176945E961/image-size/medium?v=v2&amp;px=400" role="button" title="bbashash81_0-1755414425506.png" alt="bbashash81_0-1755414425506.png" /></span></P><P>&nbsp;</P><P>from the firewall without login to the prompt, i always see these error.&nbsp; I have regenerate the keytab for more than 10 times. and i have check the version of kerberos from the AD server and the keytab via the below command. both are the same version.<BR /><BR />Ktpass /in &lt;filename.keytab&gt;<BR />− dsquery * -filter sAMAccountName=&lt;accountname&gt; -attr msDS-KeyVersionNumber</P><P>&nbsp;</P><P>2025-08-17 14:58:59.172 +0800 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:218): prof "KRB-SSO", vsys "vsys1" (method: Kerberos pre-auth) has sso hash table id: 1 (0 means no or invalid keytab)<BR />2025-08-17 14:58:59.193 +0800 debug: pan_auth_request_process(pan_auth_state_engine.c:3618): Receive request: msg type PAN_AUTH_REQ_GET_AUTHD_ID, conv id 168, body length 2448<BR />2025-08-17 14:58:59.193 +0800 debug: _log_auth_respone(pan_auth_server.c:625): Sent PAN_AUTH_GET_AUTHD_ID_SUCCESS auth response for user '' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7539262304362168525)</P> Sun, 17 Aug 2025 07:11:12 GMT bbashash81 2025-08-17T07:11:12Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236108#M6206 <P class=""><SPAN>Anyone hit the same issue before?</SPAN></P><P class="">&nbsp;</P><P class=""><SPAN>2025-08-16 20:35:38.768 +0800 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:218): prof "KRB-SSO", vsys "vsys1" (method: Kerberos pre-auth) has sso hash table id: 1 (0 means no or invalid keytab)</SPAN></P> Sat, 16 Aug 2025 12:52:57 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236108#M6206 bbashash81 2025-08-16T12:52:57Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236114#M6208 <P>anyone have the steps for kerberos with captival portal?</P><P>The issues i'm facing is when i enter a external website and it will prompt me with the login prompt. If i login and is working fine but end goal is to do SSO via kerberos for captival portal.&nbsp;</P><P>&nbsp;</P><P>From the client, i should have seen this but it doesn't appear.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbashash81_0-1755414425506.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68906i16C352176945E961/image-size/medium?v=v2&amp;px=400" role="button" title="bbashash81_0-1755414425506.png" alt="bbashash81_0-1755414425506.png" /></span></P><P>&nbsp;</P><P>from the firewall without login to the prompt, i always see these error.&nbsp; I have regenerate the keytab for more than 10 times. and i have check the version of kerberos from the AD server and the keytab via the below command. both are the same version.<BR /><BR />Ktpass /in &lt;filename.keytab&gt;<BR />− dsquery * -filter sAMAccountName=&lt;accountname&gt; -attr msDS-KeyVersionNumber</P><P>&nbsp;</P><P>2025-08-17 14:58:59.172 +0800 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:218): prof "KRB-SSO", vsys "vsys1" (method: Kerberos pre-auth) has sso hash table id: 1 (0 means no or invalid keytab)<BR />2025-08-17 14:58:59.193 +0800 debug: pan_auth_request_process(pan_auth_state_engine.c:3618): Receive request: msg type PAN_AUTH_REQ_GET_AUTHD_ID, conv id 168, body length 2448<BR />2025-08-17 14:58:59.193 +0800 debug: _log_auth_respone(pan_auth_server.c:625): Sent PAN_AUTH_GET_AUTHD_ID_SUCCESS auth response for user '' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7539262304362168525)</P> Sun, 17 Aug 2025 07:11:12 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236114#M6208 bbashash81 2025-08-17T07:11:12Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236143#M6211 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1457187123">@bbashash81</a></P> <P>&nbsp;</P> <P>thanks for post!</P> <P>&nbsp;</P> <P>To me this log message does not indicate an issue / authentication failure. Could you please elaborate where and for what purpose you are setting up Kerberos authentication?</P> <P>If the authentication is failing there should be more detailed log after the log message you shared. Just in case, here is&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication/configure-kerberos-single-sign-on" target="_self">Configure Kerberos Single Sign-On</A>&nbsp;configuration guide.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Mon, 18 Aug 2025 06:10:24 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236143#M6211 PavelK 2025-08-18T06:10:24Z https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236187#M6217 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1457187123">@bbashash81</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>From your post it looks like that your Keytab has been generated correctly, however just in case here is a manual:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBiCAI" target="_self">How To Generate Kerberos Keytab for SSO</A>. Make sure that FQDN for captive portal is resolvable and pointing to Firewall's interface where Captive Portal is enabled.</P> <P>&nbsp;</P> <P>Here is the tutorial for Captive Portal setup:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CqbiCAC" target="_self">How to Configure Captive Portal</A>. In Step No.6 import Kerberos Keytab. Also make sure that certificate's SAN field is FQDN of Captive Portal.</P> <P>&nbsp;</P> <P>Make sure that in authentication policy you configured browser challenge to trigger SSO (Step No.3):&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-kerberos-single-sign-on" target="_self">Configure Kerberos Single Sign-On</A>.</P> <P>Make sure that you set redirect mode and redirect host matches certificate's SAN name:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HERWCA4" target="_self">What are the client trust settings required to change the redirect URL for captive portal with Kerberos SSO?</A>.</P> <P>Finally, you will have to enable decryption:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClevCAC" target="_self">Captive Portal Not Working with HTTPS Sessions</A>. Could you test whether captive portal SSO works for test HTTP site?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Tue, 19 Aug 2025 00:25:49 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-alto-kerberos-for-sso/m-p/1236187#M6217 PavelK 2025-08-19T00:25:49Z