Kerberos SSO PAN-OS 7.0.1

Retired Member — Fri, 31 Jul 2015 07:07:33 GMT

Hello,

at the moment I'm trying to set up a SSO Auth with the Admin Web Interface (and Captive Portal). I set it up like the documentation of PAN-OS 7.0 told me. I tried different Crypto types but all with the same error.

1. Log in to the KDC and open a command prompt.

2. Enter the following command, where <principal_name>,

<password>, and <algorithm> are variables. The Kerberos

principal name and password are of the firewall, not the user.

ktpass /princ <principal_name> /pass

<password> /crypto <algorithm> /ptype

KRB5_NT_PRINCIPAL /out <file_name>.keytab

If the firewall is in Federal Information Processing

Standards (FIPS) or Common Criteria (CC) mode, the

algorithm must be aes128-cts-hmac-sha1-96 or

aes256-cts-hmac-sha1-96. Otherwise, you can also

use des3-cbc-sha1 or arcfour-hmac. To use an

Advanced Encryption Standard (AES) algorithm, the

functional level of the KDC must be Windows Server

2008 or later and you must enable AES encryption for

the firewall account.

The algorithm in the keytab must match the algorithm

in the service ticket that the TGS issues to clients. Your

Kerberos administrator determines which algorithms

the service tickets use.

Then I put the keytab file into the Authentication Profile. After the commit I see in the authd.log the following:

2015-07-31 08:54:02.468 +0200 debug: pan_auth_request_process(pan_auth_state_engine.c:1514): Receive request: msg type PAN_AUTH_SSO_AUTH, conv id 68, body length 235

2015-07-31 08:54:02.468 +0200 debug: _authenticate_sso(pan_auth_state_engine.c:281): Trying to auth sso: <profile: "", vsys: "", remotehost "", ticket size 66>

2015-07-31 08:54:02.468 +0200 debug: _krb_init_token_decode(pan_authd_kerberos_sso.c:1000): succeed to base64 decode service ticket

2015-07-31 08:54:02.469 +0200 debug: check_n_set_config_env_if_gone(pan_authd_kerberos_sso.c:170): got env KRB5_CONFIG = /opt/pancfg/mgmt/global/authd/krb5.config.**.**.**.1, no need to set it up

2015-07-31 08:54:02.469 +0200 debug: check_n_set_keytab_env_if_gone(pan_authd_kerberos_sso.c:199): got env KRB5_KTNAME = /opt/pancfg/mgmt/global/authd/krb5.keytab.**.**.**.1 (service principal HTTP/**.**.**.**), no need to set it up

2015-07-31 08:54:02.469 +0200 Error: _dislay_gss_return_code(pan_authd_kerberos_sso.c:98): GSS_S_BAD_MECH

2015-07-31 08:54:02.469 +0200 Error: _krb_accept_sec_context(pan_authd_kerberos_sso.c:1046): gss_accept_sec_context() : Unknown error

2015-07-31 08:54:02.469 +0200 failed authentication for user ''. Reason: Single-sign-on failed.

2015-07-31 08:54:02.471 +0200 debug: _log_auth_respone(pan_auth_server.c:240): Sent FAILED auth response for user '' (exp_in_days=-1 (-1 never; 0 within a day))

Did somebody get this to work? Is there a mistake in the documentation?

Thanks for any anwser.

Kind regards

Christoph

Re: Kerberos SSO PAN-OS 7.0.1

EdwardWaithaka — Wed, 09 Sep 2015 22:22:15 GMT

I have the same problem. Did you ever find a solution for the same?

Re: Kerberos SSO PAN-OS 7.0.1

Renan_Ribeiro — Thu, 27 Jun 2019 20:26:29 GMT

It started working when I followed exactly what is described in the the KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boBiCAI

I had to move the user account (mapped to the fqdn) to the OU "Users" in order to avoid the password error.

Other point is: I was using the same account created for LDAP queries (And it is a Domain Admin account). When I created a new account and followed the procedure exactly how it is it worked.

topic Re: Kerberos SSO PAN-OS 7.0.1 in General Topics

Kerberos SSO PAN-OS 7.0.1

Re: Kerberos SSO PAN-OS 7.0.1

Re: Kerberos SSO PAN-OS 7.0.1