https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8177#M6043 <HTML><HEAD></HEAD><BODY><P>Johan,</P><P></P><P>The PAN firewall does not directly participate in Kerberos authentication of clients, it relays the requests from the client to the servers that are configured in your Kerberos authentication profile.&nbsp; Consequently, no trust needs to be established with the firewall, as both members will have the keys necessary as they are both in the same domain.&nbsp; Also, TGT renewal requests will be renewed by the end user's workstation.</P><P></P><P>If you would like more information on Kerberos, please follow this link to Microsoft's TechNet:</P><P></P><P><A href="http://technet.microsoft.com/en-us/library/cc961976.aspx">http://technet.microsoft.com/en-us/library/cc961976.aspx</A></P></BODY></HTML> Fri, 17 Feb 2012 17:58:18 GMT ggarrison 2012-02-17T17:58:18Z https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8174#M6040 <HTML><HEAD></HEAD><BODY><P>Hello all,</P><P></P><P>I'm trying to understand how Kerberos authentication works on the PAN. From what I understand is that Kerberos does not send any passwords over the network but generates tickets.</P><P></P><P>1) When a user logs on a SSL VPN portal which is configured for Kerberos authentication, the user types in the password. But how handle the PAN the password? The KDC (AD) does not have a plaintext version of the user his password. So how is the ticket generated ?</P><P></P><P>2) Is there a possibility to use Kerberos delegation? Since the KDC does not have an account of the PAN in directory, there is no mutual authentication.</P><P></P><P>Any suggestions? </P><P></P><P>regards</P><P> Johan</P></BODY></HTML> Mon, 16 Jan 2012 15:40:59 GMT https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8174#M6040 u5273 2012-01-16T15:40:59Z https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8175#M6041 <HTML><HEAD></HEAD><BODY><P>Johan,</P><P></P><P>We have an online document here:</P><P><A class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1762">https://live.paloaltonetworks.com/docs/DOC-1762</A></P><P></P><P>It talks about how to configure and how Kerberos works.</P><P>Please review this information and let us know if this answers your question or not.</P></BODY></HTML> Wed, 25 Jan 2012 15:59:52 GMT https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8175#M6041 jdelio 2012-01-25T15:59:52Z https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8176#M6042 <HTML><HEAD></HEAD><BODY><P>This document describes how to implement Kerberos. I'm looking for more detailed explanation how it works.</P><P></P><P>When the end user connects to the SSL Portal, he is prompted to enter his credentials, username and password. Since the PA device plays the role of a Kerberos client, how can the PA 'protect' the password of the client. Does the PA have access to the shared secret key ? And if yes, how does the domain controller knows if the request comes from the PA device. There is no trust between the domain controller and the PA device.</P><P></P><P>On one of my previous implementations I've used MS ISA server. Kerberos authentication was only possible if the device is a member of the domain. But the PA is no member of the domain. Or more simple, a Windows client needs to be a member of the domain before he can use Kerberos. Then we have a 'trust'.</P><P></P><P>Secondly, if the ticket is about to expire, who renewes the TGT. The end user or the PA device?</P><P></P><P>rgds</P><P>Johan&nbsp;&nbsp; </P></BODY></HTML> Thu, 26 Jan 2012 08:00:04 GMT https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8176#M6042 u5273 2012-01-26T08:00:04Z https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8177#M6043 <HTML><HEAD></HEAD><BODY><P>Johan,</P><P></P><P>The PAN firewall does not directly participate in Kerberos authentication of clients, it relays the requests from the client to the servers that are configured in your Kerberos authentication profile.&nbsp; Consequently, no trust needs to be established with the firewall, as both members will have the keys necessary as they are both in the same domain.&nbsp; Also, TGT renewal requests will be renewed by the end user's workstation.</P><P></P><P>If you would like more information on Kerberos, please follow this link to Microsoft's TechNet:</P><P></P><P><A href="http://technet.microsoft.com/en-us/library/cc961976.aspx">http://technet.microsoft.com/en-us/library/cc961976.aspx</A></P></BODY></HTML> Fri, 17 Feb 2012 17:58:18 GMT https://live.paloaltonetworks.com/t5/general-topics/kerberos-authentication/m-p/8177#M6043 ggarrison 2012-02-17T17:58:18Z