topic Re: SSO Kerberos setup for Admin in General Topics

SSO Kerberos setup for Admin

ThomasMConnors — Wed, 12 Jul 2017 13:50:25 GMT

I have been able to set up Kerberos for explict userid/password entry at the logon screen. Now I am trying to setup SSO.

I at least get to the Click the button to login as user@domain.local. Yet when I proceed, I get Not Authroized.

System log shows 'Authorization failed for user 'user@domain.local' vs the explict login that shows a login for 'user' w/o the domain.local appended.

I turned on debugging and authd.log shows

2017-07-12 08:35:39.494 -0400 Certificate validated for user 'user@DOMAIN.LOCAL'. From: 10.1.4.40.

2017-07-12 08:35:39.496 -0400 debug: _log_auth_respone(pan_auth_server.c:263): Sent PAN_AUTH_SUCCESS auth response for user 'user@DOMAIN.LOCAL' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6441520795817607314)

2017-07-12 08:35:39.527 -0400 debug: pan_auth_request_process(pan_auth_state_engine.c:3208): Receive request: msg type PAN_AUTH_REQ_GROUP, conv id 36, body length 32

2017-07-12 08:35:39.527 -0400 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1527): init'ing group request (authorization)

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1368): start to authorize user "user@DOMAIN.LOCAL"

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user user@DOMAIN.LOCAL

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1477): Sent authorization response for user "user@DOMAIN.LOCAL":
role/domain="/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1

I tried all kinds of options for the admin user but some mapping seems to be wrong. Any idea where to look or for more debugging?

Re: SSO Kerberos setup for Admin

davanderson — Wed, 12 Jul 2017 18:41:04 GMT

Can you explain more what you are trying to use the single sign on for?

This sounds like you are trying to authenticate to the management interface for the Palo Alto. We were successful in setting up an LDAPs policy to talk to the Windows Domain Controller and are able to logon to Panormama and the PA FW's using our AD credentials. There is no need to specify the domain with this option.

If you are trying to identify user traffic that is crossing the firewall for security rules - I would suggest a different approach. Again this was integrated to a Windows AD domain using the WMI functionality and LDAPS to hit the domain controllers. We also used the agent software on our Citrix servers to give more identification to systems that have mutliple user logged on locally. This works very well and the setup was fairly simple. No need to link into Kerberos.

Re: SSO Kerberos setup for Admin

RobertRostek — Fri, 13 Aug 2021 11:53:24 GMT

i have the very exact same issue, and i think the problem is here:

2017-07-12 08:35:39.527 -0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1381): Could not get user role for user user@DOMAIN.LOCAL

palo tries to find "user@DOMAIN.LOCAL" in it's local administrators database, instead it should simply look for "user" (without the domain). i think this is simply a software bug.

Re: SSO Kerberos setup for Admin

RobertRostek — Thu, 19 Aug 2021 13:45:06 GMT

had a ticket with palo alto support and they provided me with a workaround that is fine for our environment:

set auth strict-username-check no

maybe this helps.

Re: SSO Kerberos setup for Admin

LRCAIT — Tue, 22 Nov 2022 17:18:12 GMT

Thank you RobertRostek.

We were trying to enable Kerberos SSO to the firewall web portal and seeing the same suspicious line in the authd log. We tried a lot of different things to make this work, but changing strict-username-check seemed to be the only thing that helped.

We now have our effectively-passwordless Server Admin accounts logging into the firewall with YubiKeys and our Kerberos infrastructure. Feels good.

Thanks Again!