SSO Kerberos Authentication for Admin Access Keytab Generation

by schopra on ‎01-02-2017 08:29 AM - edited on ‎01-03-2017 04:37 AM by (8,111 Views)

Kerberos SSO: Kerberos authentication for admin access, with keytab generation, is used to supply the user's Windows credentials automatically to the login prompt when the user accesses the WebGUI of the firewall. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again, until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.)


You enable SSO for a Palo Alto Networks device by importing a Kerberos keytab into an authentication profile. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the device, which is required for SSO authentication. Each authentication profile can have one keytab. If SSO authentication fails, the device prompts the user to log in manually and performs authentication of the type specified in the profile (for example, RADIUS).




Kerberos SSO Admin authentication. Generation of keytabs for SSO and Active Directory settings


For customers who want to use Kerberos SSO authentication for their environment.



Authentication failing due to a malformed keytab.




Here is a step-by-step procedure for generation of the keytab and the prerequisites:


  • A service account on the domain controller, which will carry the credentials.

For the service account, you need to enable AES 128-bit or AES 256-bit encryption if the encryption algorithm is AES 128/256.


To enable these settings, open the user account and click Account; the encryption algorithm options appear under Account options.


[Image: Service account settings]



  • Browser settings.

For IE, the setting is found under the following hierarchy:

Internet options > Security > Local intranet (Sites button) > Advanced > add the service FQDN to the list.


Here, under Websites, add the firewall's FQDN, or use *.domain.local.


Please note: Chrome will use IE settings.


[Image: IE settings]


For Firefox, type about:config in the URL bar and search for trusted URLs.

Enter the service FQDN as the value.

[Image: Firefox settings]


  • Here is a command that can be used to identify the encryption algorithm on the Domain controller:

 1. klist Command:

 C:\Users\admin> klist
        Client: gpdomuser1 @ GPQA.LOCAL
        Server: HTTP/keytabgpgw61.gpqa.local @ GPQA.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 <- Information regarding the encryption algorithm.
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 10/1/2015 13:11:33 (local)
        End Time:   10/1/2015 23:09:18 (local)
        Renew Time: 10/8/2015 13:09:18 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: thirugpwinad.gpqa.local


 2. setspn Command:

 setspn -s http/fqdn domain\service account


For example (replace fqdn with the firewall's FQDN):
 setspn -s http/fqdn abc.local\service_account_username



 3. The command for creating the keytab is as follows (replace fqdn with the firewall's FQDN):

 ktpass -princ http/fqdn@abc.local -mapuser service_account_username -pass acct_password -crypto aes256-sha1 -ptype KRB5_NT_PRINCIPAL -out c:\temp\xyz-test.keytab -mapop set
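
Because the failure this article addresses is a malformed keytab, the file written by ktpass can be checked against the ktpass arguments before it is imported into the authentication profile. The Python below is an added example, not part of the original article or of any Palo Alto Networks tooling; it assumes the MIT keytab file format version 0x0502, the function names are hypothetical, and the sample entry (http/firewall.domain.local with an all-zero key) is constructed for illustration.

```python
import struct

def parse_keytab(data):
    """Parse an MIT-format keytab (file version 0x0502) into a list of dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        rec, off, pos = data[pos:pos + size], 2, pos + size
        if len(rec) < size:
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names = []
        for _ in range(ncomp + 1):       # realm first, then each name component
            (n,) = struct.unpack_from(">H", rec, off)
            names.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen                 # skip the fixed fields and the key bytes
        if len(rec) - off >= 4:          # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append({"realm": names[0], "name": "/".join(names[1:]),
                        "etype": etype, "kvno": kvno})
    return entries

def check_keytab(data, spn, realm, etype=18):   # 18 = aes256-cts-hmac-sha1-96
    """Return mismatches between the keytab and the values given to ktpass."""
    try:
        entries = parse_keytab(data)
    except (ValueError, struct.error) as exc:
        return [f"unreadable keytab: {exc}"]
    problems = [] if entries else ["keytab contains no entries"]
    for e in entries:
        for field, want in (("name", spn), ("realm", realm), ("etype", etype)):
            if e[field] != want:         # exact match: Kerberos names are case-sensitive
                problems.append(f"{field} is {e[field]!r}, expected {want!r}")
    return problems

def sample_keytab(realm, etype, klen):
    """Constructed sample: one entry for http/firewall.domain.local, all-zero key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    rec = (struct.pack(">H", 2) + s(realm.encode()) + s(b"http")
           + s(b"firewall.domain.local") + struct.pack(">IIBHH", 1, 0, 3, etype, klen)
           + bytes(klen) + struct.pack(">I", 3))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

For a real file, pass the bytes read from the keytab (opened in binary mode) as data; an empty list means the principal, realm and encryption type match what was requested.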


by SilvioReis
on ‎08-22-2017 01:58 PM

The right syntax for ktpass on a Windows 2012 R2 domain controller is:


ktpass -princ http/firewall.domain.local@DOMAIN.LOCAL -mapuser service_account@DOMAIN.LOCAL -pass service_account_password -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\temp\firewall.keytab -mapop set


Pay attention to the spaces (I'm not sure if domain name is typed in lowercase or UPPERCASE). 



by Ladan-MM
on ‎10-23-2017 10:15 PM

In the commands above (setspn and keytab), do we need to use the FQDN of the firewalls or of the captive portal's response page, when we are going to use Kerberos SSO on an authentication profile for captive portal?





