Re: Kerberos SSO Admin with 2 devices

S.Cantwell — Wed, 17 Dec 2025 20:37:22 GMT

For Kerberos SSO access to the PAN-OS admin UI in an Active/Passive HA pair, you do not configure a second SPN on the firewall. The correct and supported design is to use one shared management FQDN and one Kerberos SPN, used by both HA peers.

How Kerberos works in this scenario

Kerberos authentication is based on the service hostname (FQDN), not on the individual firewall device. The browser requests a Kerberos ticket for:

HTTP/<management-FQDN>

As long as both firewalls present the same FQDN and use the same service account, Kerberos authentication will work on either unit after failover.

Supported configuration

Choose a single management FQDN
Example:
fw-admin.company.com

This FQDN must always resolve to the currently active firewall’s management IP.
Use one Active Directory service account
Example:
svc_pan_fw_kerberos

This account will be used by both firewalls.
Create the SPN (run once in Active Directory)
Run the following command from a domain controller or a system with RSAT installed:

setspn -A HTTP/fw-admin.company.com svc_pan_fw_kerberos

Verify the SPN:
setspn -L svc_pan_fw_kerberos
Configure both firewalls identically
On both HA peers:
- Use the same Kerberos authentication profile
- Use the same AD server profile
- Use the same service account (svc_pan_fw_kerberos)
- Access the admin UI using the same FQDN (fw-admin.company.com)
Access method
Administrators must always access the firewall using the shared FQDN, not the individual management IP or hostname of each unit.

Important notes

Do NOT create separate SPNs per firewall.
Do NOT bind the SPN to an IP address.
Do NOT use different hostnames for each HA peer.
The SPN must be associated with only one AD account.

Result

With this configuration:

Kerberos SSO works on the active firewall
After HA failover, Kerberos continues to work without any changes
No second SPN is required or supported

If Kerberos works on one device today, this means the SPN and service account are already correct. The remaining requirement is to ensure both firewalls use the same configuration and are accessed through the same management FQDN.

PAN-OS does not have a built-in way to make a management FQDN automatically move between Active/Passive HA peers.

To ensure Kerberos SSO continues working, the shared management FQDN must always resolve to the active firewall’s management IP, and this must be handled outside the firewall.

Supported ways to do this

DNS-based solution (most common)
- Create one FQDN (e.g. fw-admin.company.com)
- Point it to the active firewall’s management IP
- Use a low DNS TTL (30–60 seconds)
- Update DNS manually or with an external script that detects HA failover
Reverse proxy / load balancer
- Place a proxy in front of both management interfaces
- The proxy has the stable FQDN and forwards traffic only to the active firewall
- No DNS changes needed during failover
Cloud floating IP (cloud-only)
- Some cloud platforms can move a virtual IP between HA peers
- This is handled by the cloud, not PAN-OS

Important points

PAN-OS does not support a floating/virtual management IP on physical firewalls
You must not create multiple SPNs
Administrators must always access the firewall using the shared FQDN
The solution relies on DNS or infrastructure, not firewall configuration

Bottom line:
Use a single management FQDN and a single SPN, and control where that FQDN points using DNS or an external proxy.

topic Re: Kerberos SSO Admin with 2 devices in Next-Generation Firewall Discussions

Kerberos SSO Admin with 2 devices

Re: Kerberos SSO Admin with 2 devices

How Kerberos works in this scenario

Supported configuration

Important notes

Result

Re: Kerberos SSO Admin with 2 devices

Re: Kerberos SSO Admin with 2 devices

Supported ways to do this

Important points